[refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores

All of lore.kernel.org
 help / color / mirror / Atom feed

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores
Date: Mon, 21 Apr 2014 09:17:10 -0400	[thread overview]
Message-ID: <53551A56.9060105@tresys.com> (raw)
In-Reply-To: <1397506706-10699-1-git-send-email-nicolas.iooss@m4x.org>

On 04/14/2014 04:18 PM, Nicolas Iooss wrote:
> When an unconfined user uses truecrypt to mount an encrypted file, following
> logs appears in audit.log:
> 
>     type=AVC msg=audit(1397491934.868:164): avc:  denied  { associate } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>     type=AVC msg=audit(1397491934.868:165): avc:  denied  { unix_read } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>     type=AVC msg=audit(1397491934.868:165): avc:  denied  { read } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>     type=AVC msg=audit(1397491934.868:166): avc:  denied  { unix_write } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>     type=AVC msg=audit(1397491934.868:166): avc:  denied  { write } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
> 
> audit2allow gives:
> 
>     allow lvm_t unconfined_t:sem { unix_read read write unix_write associate };
> 
> Allowing this access requires a new interface in unconfined.if.

It might make more sense to add this access to lvm_run(), since any user than can run lvm could potentially need this.  It also warrants a comment in the policy about Truecrypt.



> ---
>  policy/modules/system/lvm.te        |  4 ++++
>  policy/modules/system/unconfined.if | 37 +++++++++++++++++++++++++++++++++++++
>  2 files changed, 41 insertions(+)
> 
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index 3dac9a5..a407c18 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -347,6 +347,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_rw_semaphores(lvm_t)
> +')
> +
> +optional_policy(`
>  	virt_manage_images(lvm_t)
>  ')
>  
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 5ca20a9..59a519e 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -463,6 +463,43 @@ interface(`unconfined_dontaudit_rw_pipes',`
>  
>  ########################################
>  ## <summary>
> +##	Read and write unconfined domain SysV semaphores.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`unconfined_rw_semaphores',`
> +	gen_require(`
> +		type unconfined_t;
> +	')
> +
> +	allow $1 unconfined_t:sem rw_sem_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to read and write
> +##	unconfined domain SysV semaphores.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`unconfined_dontaudit_rw_semaphores',`
> +	gen_require(`
> +		type unconfined_t;
> +	')
> +
> +	dontaudit $1 unconfined_t:sem rw_sem_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Connect to the unconfined domain using
>  ##	a unix domain stream socket.
>  ## </summary>
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

next prev parent reply	other threads:[~2014-04-21 13:17 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-14 20:18 [refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores Nicolas Iooss
2014-04-21 13:17 ` Christopher J. PeBenito [this message]
2014-05-08  9:52   ` Nicolas Iooss
2014-05-09 12:46     ` Christopher J. PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53551A56.9060105@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.