authorKenton Groombridge <concord@gentoo.org>2024-01-12 17:06:33 -0500
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:04:43 -0500
commit01f3a800454ee47de776b8fca7daaa0abebaa37e (patch)
treeebe5e4f983362b9db6f5c7eb4d3ee6349681542c
parentsystemd: label systemd-pcrlock as systemd-pcrphase (diff)
zfs: allow zfs to write to exports
Needed by zfs-mount.service. type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61 type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null) type=AVC msg=audit(1705092131.987:49): avc: denied { write } for pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/rpc.if18
-rw-r--r--policy/modules/services/zfs.te3
2 files changed, 21 insertions, 0 deletions
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 6a1e15b4..dfc67a01 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -52,6 +52,24 @@ template(`rpc_domain_template',`
########################################
## <summary>
+## List export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_list_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get
## attributes of export files.
## </summary>
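Review bot: The summary of the new interface, `## List export files.`, describes a file read, but the body only grants `list_dir_perms` on `exports_t:dir`, so it should name what is actually covered, e.g. `## List directories labelled exports_t (the exports.d drop-in directory).` Whether the drop-in directory carries that label is decided by rpc.fc, which is not in this patch, so wording the summary in terms of the label rather than a path is safer. Callers will presumably still need `files_search_etc()` to reach the directory; if `rpc_read_exports` already provides it, a one-line comment noting that this interface is meant to be paired with it would help the next reader.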
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 8db6dfcc..57dbe058 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -144,7 +144,10 @@ optional_policy(`
kernel_rw_rpc_sysctls(zfs_t)
rpc_manage_nfs_state_data(zfs_t)
+ rpc_list_exports(zfs_t)
+ rpc_create_exports(zfs_t)
rpc_read_exports(zfs_t)
+ rpc_write_exports(zfs_t)
')
#######################################
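Review bot: `rpc_write_exports(zfs_t)` on the last added line grants write on every file labelled exports_t, which covers /etc/exports itself and not only the `zfs.exports.lock` file the AVC in the commit message is about, so a compromised `zfs share` can rewrite the whole NFS export table rather than its own drop-in. If least privilege matters here, a zfs-specific file type for the drop-in and its lock file, readable by the NFS server domains, would confine the write to zfs's own entries; at minimum a comment above these lines such as `# zfs share(8) rewrites its exports.d drop-in and the matching .lock file` records why a storage tool is editing the export list. The SYSCALL record shows the lock file opened with `a2=80042` (O_RDWR|O_CREAT|O_CLOEXEC), which is why the create interface is needed, but if zfs also replaces the drop-in via a temporary file and rename(2) this is likely to surface further `rename`/`unlink` denials once enforcing, so re-testing with the new policy loaded is advisable. The enclosing `optional_policy(` block opens before this hunk, and `rpc_create_exports`/`rpc_write_exports` are taken from rpc.if outside this patch.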