From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Apr 2014 09:17:10 -0400
Subject: [refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores
In-Reply-To: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org>
References: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53551A56.9060105@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/14/2014 04:18 PM, Nicolas Iooss wrote:
> When an unconfined user uses truecrypt to mount an encrypted file, the following
> logs appear in audit.log:
>
> type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>
> audit2allow gives:
>
> allow lvm_t unconfined_t:sem { unix_read read write unix_write associate };
>
> Allowing this access requires a new interface in unconfined.if.

It might make more sense to add this access to lvm_run(), since any user that can run lvm could potentially need this. It also warrants a comment in the policy about Truecrypt.
> --- > policy/modules/system/lvm.te | 4 ++++ > policy/modules/system/unconfined.if | 37 +++++++++++++++++++++++++++++++++++++ > 2 files changed, 41 insertions(+) > > diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te > index 3dac9a5..a407c18 100644 > --- a/policy/modules/system/lvm.te > +++ b/policy/modules/system/lvm.te > @@ -347,6 +347,10 @@ optional_policy(` > ') > > optional_policy(` > + unconfined_rw_semaphores(lvm_t) > +') > + > +optional_policy(` > virt_manage_images(lvm_t) > ') > > diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if > index 5ca20a9..59a519e 100644 > --- a/policy/modules/system/unconfined.if > +++ b/policy/modules/system/unconfined.if > @@ -463,6 +463,43 @@ interface(`unconfined_dontaudit_rw_pipes',` > > ######################################## > ## > +## Read and write unconfined domain SysV semaphores. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`unconfined_rw_semaphores',` > + gen_require(` > + type unconfined_t; > + ') > + > + allow $1 unconfined_t:sem rw_sem_perms; > +') > + > +######################################## > +## > +## Do not audit attempts to read and write > +## unconfined domain SysV semaphores. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`unconfined_dontaudit_rw_semaphores',` > + gen_require(` > + type unconfined_t; > + ') > + > + dontaudit $1 unconfined_t:sem rw_sem_perms; > +') > + > +######################################## > +## > ## Connect to the unconfined domain using > ## a unix domain stream socket. > ## > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
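Review bot: The new optional_policy block in lvm.te that calls unconfined_rw_semaphores(lvm_t) carries no comment recording why an lvm domain needs an unconfined domain's SysV semaphores; the commit message traces the denials to dmsetup running for a truecrypt mount, so put that rationale above the call, e.g. `# truecrypt: dmsetup uses the unconfined caller's SysV semaphores`. Also confirm that rw_sem_perms grants no more than the five permissions audit2allow reported ({ unix_read read write unix_write associate }); if the macro is wider, say so in the commit message, since the access is being granted unconditionally to lvm_t rather than on behalf of the calling domain via lvm_run().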
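Review bot: In the unconfined.if hunk, unconfined_dontaudit_rw_semaphores is added alongside unconfined_rw_semaphores but nothing in this patch calls it; either drop it or state in the commit message which domain it is intended for. Its parameter description also reuses "Domain allowed access." from the allow interface, where the refpolicy wording for a dontaudit interface is "Domain to not audit." (compare the neighbouring unconfined_dontaudit_rw_pipes). Both summaries should make clear that only the unconfined_t type is covered, which is what the gen_require pulls in.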
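As an added example, not code from this patch or from refpolicy, the following script does what the commit message describes audit2allow doing for the quoted records: it parses AVC denial lines, drops the context user/role/level to keep only the source and target types, groups by (source type, target type, class) and merges the permissions into one allow rule per group. The sample log is constructed here from the five records quoted above plus one made-up shm denial (with MLS levels, to show they are stripped) and one "granted" record (to show it is ignored); the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in the patch's commit
# message, plus one constructed "shm" denial carrying MLS levels and one
# constructed "granted" record, added to exercise grouping and filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1397491934.868:164): avc: denied { associate } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:165): avc: denied { unix_read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:165): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:166): avc: denied { unix_write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:166): avc: denied { write } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
type=AVC msg=audit(1397491934.868:167): avc: denied { read } for pid=3695 comm="dmsetup" key=223198474 scontext=system_u:system_r:lvm_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1397491934.868:168): avc: granted { setenforce } for pid=1 comm="systemd" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
"""

# One AVC record: verdict, the braced permission list, and the three fields
# that identify the rule (source context, target context, object class).
AVC_RE = re.compile(
    r"\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a security context.

    Contexts are user:role:type[:level]; the optional MLS/MCS level can
    itself contain ':' (e.g. s0-s0:c0.c1023), so split at most three times.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit.log line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate_denials(lines):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue  # not an AVC record, or an audited grant: nothing to allow
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render the merged groups as policy-language allow rules, sorted."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


def allow_rules_from_log(text):
    """Convenience wrapper: audit.log text in, list of allow rules out."""
    return render_allow_rules(aggregate_denials(text.splitlines()))


if __name__ == "__main__":
    for rule in allow_rules_from_log(SAMPLE_AUDIT_LOG):
        print(rule)
```

For the quoted records this yields the same rule audit2allow printed in the commit message, with the permissions in sorted order. The raw rule is only the starting point: as the reply above says, in refpolicy the access has to be expressed through an interface in the module that owns the target type (here unconfined.if), and the decision of which domain should receive it is a review question, not something the denial alone answers.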