From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 09 Feb 2011 09:43:02 -0500
Subject: [refpolicy] [PATCH 1/1] LVM uses systemwide semaphores for activities such as vgchange -ay
In-Reply-To: <20110206143622.GA11519@siphos.be>
References: <20110206143622.GA11519@siphos.be>
Message-ID: <4D52A7F6.8010209@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 2/6/2011 9:36 AM, Sven Vermeulen wrote:
> The LVM subsystem uses system-wide semaphores for various activities.
>
> Although the system boots properly without these (apart from the AVC denials
> of course), I would assume that they are here to ensure no corruption of any
> kind happens in case of concurrent execution / race conditions.
>
> As such, I rather enable it explicitly in the security policy.

Merged.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/system/lvm.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index 74e38b4..5e8e5aa 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -174,6 +174,7 @@ allow lvm_t self:file rw_file_perms;
> allow lvm_t self:fifo_file manage_fifo_file_perms;
> allow lvm_t self:unix_dgram_socket create_socket_perms;
> allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow lvm_t self:sem create_sem_perms;
>
> allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
> allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
> @@ -210,6 +211,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
> files_etc_filetrans(lvm_t, lvm_metadata_t, file)
> files_search_mnt(lvm_t)
>
> +kernel_get_sysvipc_info(lvm_t)
> kernel_read_system_state(lvm_t)
> # Read system variables in /proc/sys
> kernel_read_kernel_sysctls(lvm_t)

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
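Review bot: the first hunk (`+allow lvm_t self:sem create_sem_perms;`) grants the full create/destroy/setattr set on semaphores, but the commit message only says that system-wide semaphores are used and does not quote the AVC denial, so a reader cannot tell whether the narrower `rw_sem_perms` set would have been enough; please include the denied permissions in the description so the choice of `create_sem_perms` is traceable. The `self` scope itself is right: it only lets lvm_t operate on semaphores carrying its own context, which matches the race-protection use the message describes.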
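Review bot: the second hunk (`+kernel_get_sysvipc_info(lvm_t)`) is not covered by the commit message at all. Unlike the self:sem rule it is not limited to lvm_t's own objects; it is the interface for the system-wide SysV IPC information query against the kernel, so the message should name the denial that required it (the `system` class operation on kernel_t), or the line should be dropped if the self:sem rule alone clears the denials seen during boot. Placement is fine: it keeps the kernel_* interface calls in alphabetical order ahead of kernel_read_system_state.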