2012-11-10 17:35:22

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/4] LVM related updates

Set of updates related to lvm operations.

Sven Vermeulen (4):
lvscan creates the /run/lock/lvm directory if nonexisting
Allow lvtools to create cache folder
lvm needs read access to the event queue of udev
Allow udev the block_suspend capability

policy/modules/system/lvm.te | 4 ++++
policy/modules/system/udev.te | 1 +
2 files changed, 5 insertions(+), 0 deletions(-)

--
1.7.8.6


2012-11-10 17:35:23

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/4] lvscan creates the /run/lock/lvm directory if nonexisting

If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/lvm.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8eeecd..0814f4c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -193,6 +193,7 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files
manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
files_lock_filetrans(lvm_t, lvm_lock_t, file)
+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")

manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
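Review bot: the new named transition to `lvm_lock_t` for a `dir` called "lvm" has no matching permission to create that directory; `manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` on the line above covers files only, so the transition can never fire for the directory. Pair it with `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` (or at least `create_dirs_pattern`), and extend the `# Creating lock files` comment to say the lock directory itself is created too.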
--
1.7.8.6

2012-11-10 17:35:24

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/4] Allow lvtools to create cache folder

The lvscan application will create the /etc/lvm/cache folder if it doesn't exist
yet.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/lvm.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 0814f4c..8c8c6b7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -207,8 +207,10 @@ files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)

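Review bot: `create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)` grants only creation of the directory (plus search on `lvm_etc_t`); if the tools ever remove and recreate /etc/lvm/cache, `rmdir` would still be denied, so consider `manage_dirs_pattern` here for consistency with the `manage_files_pattern` line that follows. Also update the comment `# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d` to mention the cache directory, so the named transition on "cache" is explained in place.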
--
1.7.8.6

2012-11-10 17:35:25

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/4] lvm needs read access to the event queue of udev

The udev event queue (queue.bin file) is located in the /run/udev folder and
labeled udev_var_run_t. Hence, allow the lvm_t domain read access on this file.

Without this access, LVM operations that manipulate the volumes (like creating
an additional logical volume) result in failures like the following:

/dev/vg/test: not found: device not cleared
Aborting. Failed to wipe start of new LV.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/lvm.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 8c8c6b7..e2c4705 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -343,6 +343,7 @@ optional_policy(`

optional_policy(`
udev_read_db(lvm_t)
+ udev_read_pid_files(lvm_t)
')

optional_policy(`
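Review bot: `udev_read_pid_files(lvm_t)` grants read access to every file under /run/udev labelled `udev_var_run_t`, not only the queue.bin event queue that the commit message names; if that breadth is intended, state it in the message, and make sure the interface is actually defined in udev.if before this is merged, since only `udev_read_db()` is used by this block today.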
--
1.7.8.6

2012-11-10 17:35:26

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/4] Allow udev the block_suspend capability


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a2a4167..8bcd402 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`

allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:capability2 block_suspend;
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
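Review bot: the commit message is empty, so nothing records which udev operation triggers the `capability2 block_suspend` denial; add the observed denial or the udev behaviour that needs it (e.g. the wakeup-source handling that takes a suspend block), as capability grants without a rationale are hard to audit later. While touching this block, the existing `self:capability` line lists `sys_nice` twice and could be deduplicated.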
--
1.7.8.6

2012-11-27 14:10:04

by cpebenito

Subject: [refpolicy] [PATCH 1/4] lvscan creates the /run/lock/lvm directory if nonexisting

On 11/10/12 12:35, Sven Vermeulen wrote:
> If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
> (like lvscan) will create this directory. Introduce a named file transition for
> the lock location when a directory named "lvm" is created.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/lvm.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index f8eeecd..0814f4c 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -193,6 +193,7 @@ can_exec(lvm_t, lvm_exec_t)
> # Creating lock files
> manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
> files_lock_filetrans(lvm_t, lvm_lock_t, file)
> +files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
>
> manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
> manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)

It looks like the permission to actually create the dirs is missing.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com