From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Mon, 14 Apr 2014 22:18:26 +0200 Subject: [refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores Message-ID: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When an unconfined user uses truecrypt to mount an encrypted file, following logs appears in audit.log: type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem audit2allow gives: allow lvm_t unconfined_t:sem { unix_read read write unix_write associate }; Allowing this access requires a new interface in unconfined.if.
---
 policy/modules/system/lvm.te | 4 ++++ policy/modules/system/unconfined.if | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 3dac9a5..a407c18 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -347,6 +347,10 @@ optional_policy(`
 ')
 optional_policy(`
+ unconfined_rw_semaphores(lvm_t)
+')
+
+optional_policy(`
 virt_manage_images(lvm_t)
 ')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a9..59a519e 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -463,6 +463,43 @@ interface(`unconfined_dontaudit_rw_pipes',`
 ########################################
 ##
+## Read and write unconfined domain SysV semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_rw_semaphores',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:sem rw_sem_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## unconfined domain SysV semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_semaphores',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:sem rw_sem_perms;
+')
+
+########################################
+##
 ## Connect to the unconfined domain using
 ## a unix domain stream socket.
 ##
-- 1.9.1
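Review bot: The call `unconfined_rw_semaphores(lvm_t)` in lvm.te carries no comment recording the use case, so a later reader cannot tell that it exists for dmsetup synchronising with a semaphore owned by its unconfined caller rather than for lvm_t needing unconfined semaphores in general; the denials in the description all come from `comm="dmsetup"` on one key, which looks like a libdevmapper udev-cookie semaphore but that is inferred, not shown here. A short comment above the call, e.g. `# dmsetup (lvm_t) syncs on SysV semaphores created by its unconfined caller`, would make the scope of the grant clear. Note that rw_sem_perms, if it is the usual refpolicy permission set, also includes getattr beyond the five permissions in the audit2allow output, which is consistent with the other *_rw_semaphores interfaces but wider than what was observed.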
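Review bot: The parameter summary of the new `unconfined_dontaudit_rw_semaphores` interface reads `Domain allowed access.`, copied from the allow variant; refpolicy's convention for dontaudit interfaces is `Domain to not audit.`, and that line should be changed accordingly. The dontaudit variant also has no caller in this patch, so it is an unused interface until something needs it, which is defensible as a pair with the existing unconfined_dontaudit_rw_pipes but worth stating in the description. The XML doc tags (`<summary>`, `<param name="domain">`) are not visible in this rendering of the hunk and are presumably present in the real patch; the two interface bodies otherwise follow the shape of the surrounding ones.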