From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 14 May 2014 09:32:13 -0400
Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
In-Reply-To: <53722440.7070000@redhat.com>
References: <1399733124-10693-1-git-send-email-nicolas.iooss@m4x.org> <53721414.508@tresys.com> <53722440.7070000@redhat.com>
Message-ID: <5373705D.1090404@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/13/2014 09:55 AM, Daniel J Walsh wrote:
>
> On 05/13/2014 08:46 AM, Christopher J. PeBenito wrote:
>> On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
>>> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
>>> called to set up a new device. This program works with udev to configure the
>>> new device and uses SysV semaphores to synchronize states. As udev runs
>>> dmsetup in the lvm_t domain, the first dmsetup process needs to create lvm_t
>>> semaphores (not unconfined_t) and hence needs to run in the lvm_t domain.
>>>
>>> More details are available in the archives on the ML:
>>> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
>>> ---
>>>  policy/modules/system/unconfined.te | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 472a39e..79f2909 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -108,6 +108,10 @@ optional_policy(`
>>>  ')
>>>
>>>  optional_policy(`
>>> +	lvm_run(unconfined_t, unconfined_r)
>>> +')
>>> +
>>> +optional_policy(`
>>>  	modutils_run_update_mods(unconfined_t, unconfined_r)
>>>  ')
>> Merged.
>>
> Why would we add a confinement to the unconfined domain? I believe
> unconfined_t should stay unconfined as much as possible.
>
> I wrote a blog about this.
>
> https://danwalsh.livejournal.com/30084.html
>
> The only reason to do this in the past was for correct labeling, but
> with file name transition rules, I believe almost all transitions from
> unconfined_t should be eliminated.

The file name transitions don't apply, as we're concerned about SysV
semaphores in this case.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
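Review bot: the new `optional_policy` block at the top of the hunk, `lvm_run(unconfined_t, unconfined_r)`, makes unconfined_t transition for every lvm program (as the subject line says), not only the dmsetup invocation the commit message describes, so an unconfined user's dmsetup and lvm runs now execute with lvm_t's permissions and will fail wherever lvm_t lacks access that unconfined_t had; the commit message should state that consequence, and the reason the transition is needed (the first dmsetup must create the SysV semaphores in lvm_t so that udev's lvm_t dmsetup can use them, which file name transitions cannot solve) should be recorded in a comment above the call, since nothing in unconfined.te otherwise explains why this one domain gets a transition from unconfined_t.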
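The failure mode the thread is about, two dmsetup processes in different domains sharing SysV semaphores, shows up in the audit log as `sem`-class AVC denials whose source and target domains differ. The following is an added example, not code from the thread or from refpolicy: it parses AVC records in the standard audit format and reports SysV IPC denials that cross domains, so the symptom can be spotted quickly. The audit lines are constructed to illustrate the scenario (an lvm_t dmsetup spawned by udev being refused access to a semaphore owned by unconfined_t); the specific permissions shown are assumptions, not captured output, and `cross_domain_ipc_denials` is a hypothetical helper name.

```python
"""Flag SysV IPC AVC denials that cross SELinux domains.

Added example, not part of the refpolicy mailing-list thread or of
refpolicy itself. The audit lines below are constructed to show the
failure the thread describes: a dmsetup running as lvm_t (spawned by
udev) cannot use a semaphore that an unconfined_t dmsetup created.
"""
import re

# Constructed sample AVC records (standard audit format); the permission
# sets are assumptions for illustration, not captured from a real system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399733124.101:201): avc:  denied  { unix_read unix_write } for  pid=4321 comm="dmsetup" key=-1 scontext=system_u:system_r:lvm_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=sem
type=AVC msg=audit(1399733124.102:202): avc:  denied  { associate } for  pid=4321 comm="dmsetup" key=-1 scontext=system_u:system_r:lvm_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=sem
type=AVC msg=audit(1399733130.500:203): avc:  denied  { read } for  pid=5555 comm="cat" name="shadow" dev="dm-0" ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1399733131.000:204): avc:  denied  { write } for  pid=4400 comm="dmsetup" key=-1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=sem
"""

# Fields of an AVC denial: requested permissions, pid, comm, and the
# source/target security contexts plus object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# SELinux object classes for SysV IPC objects.
SYSV_IPC_CLASSES = {"sem", "shm", "msgq", "msg", "ipc"}


def domain(context):
    """Return the type field (third colon-separated field) of a context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["pid"] = int(rec["pid"])
    return rec


def cross_domain_ipc_denials(text):
    """Return (comm, source domain, target domain, class, perms) for every
    SysV IPC denial where the object belongs to a different domain than
    the process touching it. Same-domain denials and non-IPC classes are
    ignored, since they are not the symptom discussed in the thread."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] not in SYSV_IPC_CLASSES:
            continue
        src, tgt = domain(rec["scon"]), domain(rec["tcon"])
        if src != tgt:
            hits.append((rec["comm"], src, tgt, rec["tclass"], rec["perms"]))
    return hits


if __name__ == "__main__":
    for comm, src, tgt, cls, perms in cross_domain_ipc_denials(SAMPLE_AUDIT):
        print(f"{comm}: {src} -> {tgt} {cls} {{ {' '.join(perms)} }}")
```

On a live system the input would come from `ausearch -m AVC` rather than the constructed sample; a hit with `lvm_t -> unconfined_t` on class `sem` is exactly the case the patch addresses, and a file name transition rule could not prevent it because the object involved is not a file.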