From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Mon, 14 Apr 2014 22:18:26 +0200
Subject: [refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores
Message-ID: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
When an unconfined user uses truecrypt to mount an encrypted file, the following
logs appear in audit.log:
type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
audit2allow gives:
allow lvm_t unconfined_t:sem { unix_read read write unix_write associate };
Allowing this access requires a new interface in unconfined.if.
---
policy/modules/system/lvm.te | 4 ++++
policy/modules/system/unconfined.if | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 3dac9a5..a407c18 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -347,6 +347,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_rw_semaphores(lvm_t)
+')
+
+optional_policy(`
virt_manage_images(lvm_t)
')
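Review bot: the new `unconfined_rw_semaphores(lvm_t)` call grants lvm_t read/write on every SysV semaphore labelled unconfined_t, not only the one `comm="dmsetup"` touched (`key=223198474`); since SysV IPC objects carry the label of the process that created them, there is no finer target than unconfined_t here, so the grant is reasonable, but the commit message should state that the semaphore is created by the unconfined caller (truecrypt) and merely used by dmsetup after the transition to lvm_t. Placement before the `virt_manage_images(lvm_t)` block keeps the `optional_policy` blocks in alphabetical order, which matches the surrounding file.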
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a9..59a519e 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -463,6 +463,43 @@ interface(`unconfined_dontaudit_rw_pipes',`
########################################
##
+## Read and write unconfined domain SysV semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_rw_semaphores',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:sem rw_sem_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## unconfined domain SysV semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_semaphores',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:sem rw_sem_perms;
+')
+
+########################################
+##
## Connect to the unconfined domain using
## a unix domain stream socket.
##
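Review bot: the documentation header of both new interfaces shows empty `##` lines around "Domain allowed access." where refpolicy interface docs carry the `<summary>`, `<param name="domain">` and `<desc>` elements; as quoted they are missing, so either the tags were lost in transmission or the doc block will be rejected by the policy documentation tooling and should be checked against the neighbouring `unconfined_dontaudit_rw_pipes` header before applying. `rw_sem_perms` covers the five permissions in the denials plus `getattr`, which is the expected set for a read/write interface. The `unconfined_dontaudit_rw_semaphores` interface is not used by this patch; adding the dontaudit twin alongside the allow follows the existing pattern in this file, so that is fine, but it could be mentioned in the description.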
--
1.9.1
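The description above derives the `allow` rule from the AVC denials by hand (via audit2allow) and the patch then replaces the literal permission list with the `rw_sem_perms` macro. The following Python script is an added example, not part of the patch or of refpolicy: it parses the five AVC lines quoted in the message (constructed here as a sample string), aggregates the denied permissions per (source type, target type, class) the way audit2allow does, prints the resulting rule, and checks what a candidate permission set grants beyond what the denials actually need. `RW_SEM_PERMS` is an assumption about the contents of refpolicy's `rw_sem_perms` macro (`policy/support/obj_perm_sets.spt`) at the time of the patch; verify it against your policy tree.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the patch description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
"""

# Assumed expansion of refpolicy's rw_sem_perms macro (check obj_perm_sets.spt).
RW_SEM_PERMS = {"associate", "getattr", "read", "write", "unix_read", "unix_write"}

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either "quoted" (comm=) or bare tokens (scontext=, tclass=)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and the source/target types of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A security context is user:role:type[:level]; the type is the third field.
    return {
        "perms": perms,
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def aggregate(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rule(key, perms):
    """Render one aggregated entry as an SELinux allow rule, as audit2allow would."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def check_permset(needed, granted):
    """Compare what the denials need with what a macro grants.

    Returns (missing, extra): permissions still denied with this set, and
    permissions the set hands out that no denial asked for.
    """
    return needed - granted, granted - needed


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AUDIT.splitlines())
    for key, perms in rules.items():
        print(allow_rule(key, perms))
        missing, extra = check_permset(perms, RW_SEM_PERMS)
        print(f"  rw_sem_perms: missing={sorted(missing)} extra={sorted(extra)}")
```

Running it prints the same rule the message attributes to audit2allow and reports that `rw_sem_perms` leaves nothing missing and adds only `getattr`, which is the kind of check a reviewer wants before accepting a macro in place of the literal permission list.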