* [refpolicy] [PATCH 0/4] LVM related updates
From: Sven Vermeulen @ 2012-11-10 17:35 UTC (permalink / raw)
To: refpolicy
Set of updates related to lvm operations.
Sven Vermeulen (4):
lvscan creates the /run/lock/lvm directory if nonexisting
Allow lvtools to create cache folder
lvm needs read access to the event queue of udev
Allow udev the block_suspend capability
policy/modules/system/lvm.te | 4 ++++
policy/modules/system/udev.te | 1 +
2 files changed, 5 insertions(+), 0 deletions(-)
--
1.7.8.6
* [refpolicy] [PATCH 1/4] lvscan creates the /run/lock/lvm directory if nonexisting
From: Sven Vermeulen @ 2012-11-10 17:35 UTC (permalink / raw)
To: refpolicy
If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/lvm.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8eeecd..0814f4c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -193,6 +193,7 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files
manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
files_lock_filetrans(lvm_t, lvm_lock_t, file)
+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
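Review bot: the added `+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")` will not take effect on its own, because the surrounding rules only grant lvm_t file permissions on lvm_lock_t (`manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)`); a type transition for the dir class still requires lvm_t to hold `create` on lvm_lock_t:dir, so a `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` (or at least the create_dirs form) belongs next to it. Scoping the transition to the name "lvm" is the right choice: a bare dir transition would relabel any directory lvm_t creates under the lock directory as lvm_lock_t, whereas this only covers /run/lock/lvm.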
--
1.7.8.6
* [refpolicy] [PATCH 2/4] Allow lvtools to create cache folder
From: Sven Vermeulen @ 2012-11-10 17:35 UTC (permalink / raw)
To: refpolicy
The lvscan application will create the /etc/lvm/cache folder if it doesn't exist
yet.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/lvm.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 0814f4c..8c8c6b7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -207,8 +207,10 @@ files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)
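Review bot: the commit message should spell out the scope of the two added lines, because it is narrower than it looks. `create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)` grants add_name on lvm_etc_t and `create` on lvm_metadata_t:dir only, and the `filetrans_pattern(..., dir, "cache")` line transitions only a directory named "cache" to lvm_metadata_t; a directory created under any other name would inherit lvm_etc_t, for which lvm_t has no `create`, so in practice lvm_t can create exactly /etc/lvm/cache. That is the least-privilege outcome wanted here. One thing to confirm: lvm.fc should label /etc/lvm/cache(/.*)? as lvm_metadata_t as well, otherwise the runtime transition and a later restorecon disagree on the directory's label.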
--
1.7.8.6
* [refpolicy] [PATCH 3/4] lvm needs read access to the event queue of udev
From: Sven Vermeulen @ 2012-11-10 17:35 UTC (permalink / raw)
To: refpolicy
The udev event queue (queue.bin file) is located in the /run/udev folder and
labeled udev_var_run_t. Hence, allow the lvm_t domain read access on this file.
Without this access, LVM operations that manipulate the volumes (like creating
an additional logical volume) result in failures like the following:
/dev/vg/test: not found: device not cleared
Aborting. Failed to wipe start of new LV.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/lvm.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 8c8c6b7..e2c4705 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -343,6 +343,7 @@ optional_policy(`
optional_policy(`
udev_read_db(lvm_t)
+ udev_read_pid_files(lvm_t)
')
optional_policy(`
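Review bot: `udev_read_pid_files(lvm_t)` grants read on every file labeled udev_var_run_t under /run/udev, not only the queue.bin file the commit message names; unless udev.if offers a narrower interface for the queue file this is acceptable, but the message should state that the grant is wider than the single file. It would also help to include the AVC denial that accompanies the quoted "device not cleared" error, so the rule can be matched against the actual access that failed rather than the tool's error text.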
--
1.7.8.6
* [refpolicy] [PATCH 4/4] Allow udev the block_suspend capability
From: Sven Vermeulen @ 2012-11-10 17:35 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/udev.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a2a4167..8bcd402 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:capability2 block_suspend;
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
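Review bot: the commit message is empty; it should state which udev operation triggers the denial (the AVC line) so the added `allow udev_t self:capability2 block_suspend;` can be tied to a concrete need, since block_suspend lets the domain hold a wakeup source and keep the system from suspending. Unrelated to the added line but visible in the context: the existing capability set on the first context line lists `sys_nice` twice, which could be cleaned up in a separate patch.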
--
1.7.8.6
* [refpolicy] [PATCH 1/4] lvscan creates the /run/lock/lvm directory if nonexisting
From: Christopher J. PeBenito @ 2012-11-27 14:10 UTC (permalink / raw)
To: refpolicy
On 11/10/12 12:35, Sven Vermeulen wrote:
> If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
> (like lvscan) will create this directory. Introduce a named file transition for
> the lock location when a directory named "lvm" is created.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/system/lvm.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index f8eeecd..0814f4c 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -193,6 +193,7 @@ can_exec(lvm_t, lvm_exec_t)
> # Creating lock files
> manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
> files_lock_filetrans(lvm_t, lvm_lock_t, file)
> +files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
>
> manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
> manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
It looks like the permission to actually create the dirs is missing.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com