From fa32b44c916748abd34719860dd9ba96f5eb5089 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Fri, 29 Sep 2023 17:02:35 +0200 Subject: [PATCH] Allow kernel_generic_helper_t to execute mount(1) ZFS executes `/usr/bin/env [u]mount <...>` as a usermode helper, so allow kernel_generic_helper_t to execute mount_exec_t with a transition to mount_t to make it work. Fixes #1878 Signed-off-by: Ondrej Mosnacek --- policy/modules/kernel/kernel.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 873660504a..bc1a41e4e3 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -364,6 +364,13 @@ corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t) allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; +# Enable running `/usr/bin/env [u]mount ...` to support ZFS automounting. +# See the module/os/linux/zfs/zfs_ctldir.c file in +# https://github.com/openzfs/zfs/ for the usermode helper calls. +optional_policy(` + mount_domtrans(kernel_generic_helper_t) +') + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t)
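Review bot: The new `optional_policy` block in the kernel.te hunk grants the mount_t transition to every process running as kernel_generic_helper_t, not only the ZFS `[u]mount` helper, so the comment above it should say so explicitly rather than presenting this as a ZFS-only change; the visible policy has no way to scope the transition to the ZFS caller, and a reader checking the audit trail later should know that any usermode helper spawned through `corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)` can now reach mount_t. Two smaller points on the same hunk: the `optional_policy` wrapper does not name the module it depends on (the `mount_domtrans` interface), so a short `# mount module` style note next to it would match the surrounding comments; and since the line just above the hunk, `allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms;`, exists because the helper inherits a fifo from kernel_t, it is worth checking whether the same inherited fd survives the transition and therefore needs a matching allow or dontaudit for mount_t, otherwise the change may trade one denial for another.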