From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 7 Sep 2016 17:50:06 -0400
Subject: [refpolicy] [PATCH v2] Update the lvm module
In-Reply-To: <1473095377.29119.6.camel@trentalancia.net>
References: <1426268394.997176.1471208149952.JavaMail.open-xchange@popper06.register.it>
	<39ff9127-65f4-6c38-3ac3-a413f1ae2edc@ieee.org>
	<1471535328.14586.11.camel@trentalancia.net>
	<4319fa30-c6ef-652b-13df-c46a484b8ef5@ieee.org>
	<1472903649.15198.7.camel@trentalancia.net>
	<6e0eed68-6b95-d9e6-ba8d-979767649e4d@ieee.org>
	<1473095377.29119.6.camel@trentalancia.net>
Message-ID: <8ee1a315-9699-eb52-b3f8-7b384c26db10@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/05/16 13:09, Guido Trentalancia wrote:
> Update the lvm module to add a permission needed by cryptsetup.
>
> At the moment the SELinux kernel code is not able yet to distinguish
> the sockets in the AF_ALG namespace that are used for interfacing to
> the kernel Crypto API.
>
> In the future the SELinux kernel code will be updated to distinguish
> the new socket class and so this permission will change its class
> from the generic "socket" to the new socket (e.g. "alg_socket").
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/lvm.te |    4 ++++
>  1 file changed, 4 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/lvm.te	2016-08-06 21:26:43.305774396 +0200
> +++ refpolicy-git-06082016-new/policy/modules/system/lvm.te	2016-09-05 19:01:46.798218649 +0200
> @@ -179,6 +179,8 @@ allow lvm_t self:fifo_file manage_fifo_f
>  allow lvm_t self:unix_dgram_socket create_socket_perms;
>  allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow lvm_t self:sem create_sem_perms;
> +# gt: the following is for sockets in the AF_ALG namespace (userspace interface to the kernel Crypto API)
> +allow lvm_t self:socket create_stream_socket_perms;
>
>  allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
>  allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
> @@ -253,6 +255,8 @@ dev_dontaudit_getattr_generic_chr_files(
>  dev_dontaudit_getattr_generic_blk_files(lvm_t)
>  dev_dontaudit_getattr_generic_pipes(lvm_t)
>  dev_create_generic_dirs(lvm_t)
> +# the following one is needed by cryptsetup
> +dev_getattr_fs(lvm_t)
>
>  domain_use_interactive_fds(lvm_t)
>  domain_read_all_domains_state(lvm_t)

Merged.

-- 
Chris PeBenito