From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 13 May 2014 08:46:12 -0400
Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
In-Reply-To: <1399733124-10693-1-git-send-email-nicolas.iooss@m4x.org>
References: <1399733124-10693-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53721414.508@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
> called to set up a new device. This program works with udev to configure the
> new device and uses SysV semaphores to synchronize states. As udev runs
> dmsetup in the lvm_t domain, the first dmsetup process needs to create lvm_t
> semaphores (not unconfined_t) and hence needs to run in the lvm_t domain.
>
> More details are available in the archives on the ML:
> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
> ---
> policy/modules/system/unconfined.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 472a39e..79f2909 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -108,6 +108,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lvm_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
> modutils_run_update_mods(unconfined_t, unconfined_r)
> ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
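Review bot: The commit message justifies the hunk only by the dmsetup/truecrypt case, but `lvm_run(unconfined_t, unconfined_r)` makes every lvm program started from unconfined_t transition into lvm_t, as the subject line says, so the message should state that scope: other lvm tools run by an unconfined user are now subject to lvm_t's rules, and an AVC denial attributed to lvm_t rather than unconfined_t is the expected symptom if one of them touches something the policy does not cover. Placing the call in its own `optional_policy` block ahead of the modutils block keeps the file's existing ordering and matches the surrounding style, so nothing further is needed there.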