From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 27 Nov 2012 09:10:04 -0500 Subject: [refpolicy] [PATCH 1/4] lvscan creates the /run/lock/lvm directory if nonexisting In-Reply-To: <1352568926-21328-2-git-send-email-sven.vermeulen@siphos.be> References: <1352568926-21328-1-git-send-email-sven.vermeulen@siphos.be> <1352568926-21328-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <50B4C9BC.4030902@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/10/12 12:35, Sven Vermeulen wrote: > If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools > (like lvscan) will create this directory. Introduce a named file transition for > the lock location when a directory named "lvm" is created. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/lvm.te | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te > index f8eeecd..0814f4c 100644 > --- a/policy/modules/system/lvm.te > +++ b/policy/modules/system/lvm.te > @@ -193,6 +193,7 @@ can_exec(lvm_t, lvm_exec_t) > # Creating lock files > manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) > files_lock_filetrans(lvm_t, lvm_lock_t, file) > +files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") > > manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) > manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) It looks like the permission to actually create the dirs is missing. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
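Review bot: the added files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") line in the "Creating lock files" block only declares the type transition for a directory named "lvm"; nothing visible in this hunk allows lvm_t to create a directory of type lvm_lock_t. The only lvm_lock_t rule in the context is manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t), which covers files, not directories. Unless the directory permissions are granted elsewhere in the module, the create would still be denied and lvscan would fail to set up /run/lock/lvm. Consider adding manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) next to the existing manage_files_pattern line, mirroring the manage_dirs_pattern/manage_files_pattern pair used for lvm_var_lib_t just below, and extending the "Creating lock files" comment to mention the lock directory.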