From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Apr 2014 09:17:10 -0400
Subject: [refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores
In-Reply-To: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org>
References: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53551A56.9060105@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 04/14/2014 04:18 PM, Nicolas Iooss wrote:
> When an unconfined user uses truecrypt to mount an encrypted file, the following
> logs appear in audit.log:
>
> type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>
> audit2allow gives:
>
> allow lvm_t unconfined_t:sem { unix_read read write unix_write associate };
>
> Allowing this access requires a new interface in unconfined.if.
It might make more sense to add this access to lvm_run(), since any user that can run lvm could potentially need this. It also warrants a comment in the policy about Truecrypt.
> ---
> policy/modules/system/lvm.te | 4 ++++
> policy/modules/system/unconfined.if | 37 +++++++++++++++++++++++++++++++++++++
> 2 files changed, 41 insertions(+)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index 3dac9a5..a407c18 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -347,6 +347,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + unconfined_rw_semaphores(lvm_t)
> +')
> +
> +optional_policy(`
> virt_manage_images(lvm_t)
> ')
>
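Review bot: the new optional_policy block hardcodes unconfined_t as the semaphore owner, but the denied semaphore (key=223198474) belongs to whichever domain invoked dmsetup, so the access fits better in the lvm_run() interface, where the caller's domain is already the parameter and no new unconfined interface is needed. Whichever placement is chosen, the added line needs a comment saying it exists for truecrypt's device-mapper mounts, since nothing else in lvm.te explains why lvm_t should touch another domain's SysV semaphores.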
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 5ca20a9..59a519e 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -463,6 +463,43 @@ interface(`unconfined_dontaudit_rw_pipes',`
>
> ########################################
> ##
> +## Read and write unconfined domain SysV semaphores.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`unconfined_rw_semaphores',`
> + gen_require(`
> + type unconfined_t;
> + ')
> +
> + allow $1 unconfined_t:sem rw_sem_perms;
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to read and write
> +## unconfined domain SysV semaphores.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`unconfined_dontaudit_rw_semaphores',`
> + gen_require(`
> + type unconfined_t;
> + ')
> +
> + dontaudit $1 unconfined_t:sem rw_sem_perms;
> +')
> +
> +########################################
> +##
> ## Connect to the unconfined domain using
> ## a unix domain stream socket.
> ##
>
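Review bot: the documentation headers of both new interfaces show only bare `##` lines around "Read and write unconfined domain SysV semaphores." and "Domain allowed access.", whereas refpolicy interface docs carry those strings inside `<summary>` and `<param name="domain">`/`<desc>` markup; without the tags the parameter description is dropped from the generated documentation, so check that the markup is really present in the patch rather than lost in transit. Using `rw_sem_perms` instead of the literal audit2allow list is the right choice (note it also grants getattr, which is fine for a read/write set). `unconfined_dontaudit_rw_semaphores` is added without a caller, which matches the usual allow/dontaudit pairing, but if the access moves into lvm_run() as suggested in the reply, both interfaces can be dropped from this series.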
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
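The audit2allow step in the quoted report can be reproduced by hand: aggregate the AVC lines per (source type, target type, class) and compare the result against refpolicy's rw_sem_perms set. This is an added example, not code from the patch or from refpolicy; the regex and the helper names are mine, and the RW_SEM_PERMS set is my transcription of refpolicy's obj_perm_sets.spt (verify against your tree).

```python
import re
from collections import defaultdict

# Fields we need from an AVC denial line (regex is my construction; it covers
# the fields present in the lvm_t/unconfined_t denials quoted in the thread).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Transcribed from refpolicy policy/support/obj_perm_sets.spt; check your tree.
RW_SEM_PERMS = {'associate', 'getattr', 'read', 'unix_read', 'unix_write', 'write'}

def type_of(context):
    """Return the type component of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m.group('scontext')), type_of(m.group('tcontext')),
            m.group('tclass'), set(m.group('perms').split()))

def aggregate(lines):
    """Merge denials into one permission set per (source, target, class), like audit2allow."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms
    return dict(rules)

def to_allow_rules(rules):
    """Render aggregated denials as allow rules (permissions sorted for stable output)."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]

def covered_by(perms, perm_set=RW_SEM_PERMS):
    """True when a named permission set (default rw_sem_perms) grants every denied permission."""
    return perms <= perm_set

# The five AVC lines from the quoted report.
SAMPLE = [
    'type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem',
    'type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem',
    'type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem',
    'type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem',
    'type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem',
]

if __name__ == '__main__':
    rules = aggregate(SAMPLE)
    for rule in to_allow_rules(rules):
        print(rule)
    print('covered by rw_sem_perms:', covered_by(rules[('lvm_t', 'unconfined_t', 'sem')]))
```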