2014-05-10 14:45:24

by Nicolas Iooss

Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain

When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to set up a new device. This program works with udev to configure the
new device and uses SysV semaphores to synchronize states. As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.

More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
---
policy/modules/system/unconfined.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 472a39e..79f2909 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -108,6 +108,10 @@ optional_policy(`
')

optional_policy(`
+ lvm_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
modutils_run_update_mods(unconfined_t, unconfined_r)
')

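Review bot: The added lvm_run(unconfined_t, unconfined_r) call has no comment saying why the unconfined domain transitions into a confined one; the rationale (dmsetup started from unconfined_t must create its SysV semaphores as lvm_t so that the dmsetup udev runs in lvm_t can synchronize on them) exists only in the commit message. Please add a short comment above the call, inside the new optional_policy block, so the reason stays next to the rule. The comment should also note that the transition applies to lvm programs in general, while the motivating case is only dmsetup invoked by truecrypt.
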
--
1.9.2


2014-05-13 12:46:12

by cpebenito

Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain

On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
> called to set up a new device. This program works with udev to configure the
> new device and uses SysV semaphores to synchronize states. As udev runs
> dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
> semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
>
> More details are available in the archives on the ML:
> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
> ---
> policy/modules/system/unconfined.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 472a39e..79f2909 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -108,6 +108,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lvm_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
> modutils_run_update_mods(unconfined_t, unconfined_r)
> ')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-05-13 13:55:12

by Daniel Walsh

Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain


On 05/13/2014 08:46 AM, Christopher J. PeBenito wrote:
> On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
>> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
>> called to set up a new device. This program works with udev to configure the
>> new device and uses SysV semaphores to synchronize states. As udev runs
>> dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
>> semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
>>
>> More details are available in the archives on the ML:
>> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
>> ---
>> policy/modules/system/unconfined.te | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>> index 472a39e..79f2909 100644
>> --- a/policy/modules/system/unconfined.te
>> +++ b/policy/modules/system/unconfined.te
>> @@ -108,6 +108,10 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>> + lvm_run(unconfined_t, unconfined_r)
>> +')
>> +
>> +optional_policy(`
>> modutils_run_update_mods(unconfined_t, unconfined_r)
>> ')
> Merged.
>
Why would we add a confinement to the unconfined domain? I believe
unconfined_t should stay unconfined as much as possible.

I wrote a blog about this.

https://danwalsh.livejournal.com/30084.html

The only reason to do this in the past was for correct labeling, but
with file name transition rules, I believe almost all transitions from
unconfined_t should be eliminated.

2014-05-14 13:32:13

by cpebenito

Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain

On 05/13/2014 09:55 AM, Daniel J Walsh wrote:
>
> On 05/13/2014 08:46 AM, Christopher J. PeBenito wrote:
>> On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
>>> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
>>> called to set up a new device. This program works with udev to configure the
>>> new device and uses SysV semaphores to synchronize states. As udev runs
>>> dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
>>> semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
>>>
>>> More details are available in the archives on the ML:
>>> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
>>> ---
>>> policy/modules/system/unconfined.te | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 472a39e..79f2909 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -108,6 +108,10 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + lvm_run(unconfined_t, unconfined_r)
>>> +')
>>> +
>>> +optional_policy(`
>>> modutils_run_update_mods(unconfined_t, unconfined_r)
>>> ')
>> Merged.
>>
> Why would we add a confinement to the unconfined domain? I believe
> unconfined_t should stay unconfined as much as possible.
>
> I wrote a blog about this.
>
> https://danwalsh.livejournal.com/30084.html
>
> The only reason to do this in the past was for correct labeling, but
> with file name transition rules, I believe almost all transitions from
> unconfined_t should be eliminated.

The file name transitions don't apply, as we're concerned about SysV semaphores in this case.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com