[refpolicy] [PATCH] Allow lvm_t to use unconfined_t SysV semaphores

[cpebenito@tresys.com (Christopher J. PeBenito)]

On 05/08/2014 05:52 AM, Nicolas Iooss wrote:
> 2014-04-21 15:17 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 04/14/2014 04:18 PM, Nicolas Iooss wrote:
>>> When an unconfined user uses truecrypt to mount an encrypted file, following
>>> logs appears in audit.log:
>>>
>>>     type=AVC msg=audit(1397491934.868:164): avc:  denied  { associate } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>>>     type=AVC msg=audit(1397491934.868:165): avc:  denied  { unix_read } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>>>     type=AVC msg=audit(1397491934.868:165): avc:  denied  { read } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>>>     type=AVC msg=audit(1397491934.868:166): avc:  denied  { unix_write } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>>>     type=AVC msg=audit(1397491934.868:166): avc:  denied  { write } for  pid=3695 comm="dmsetup" key=223198474  scontext=system_u:system_r:lvm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=sem
>>>
>>> audit2allow gives:
>>>
>>>     allow lvm_t unconfined_t:sem { unix_read read write unix_write associate };
>>>
>>> Allowing this access requires a new interface in unconfined.if.
>>
>> It might make more sense to add this access to lvm_run(), since any user than can run lvm could potentially need this.  It also warrants a comment in the policy about Truecrypt.
> 
> Thanks for your answer. As code and policy are a bit difficult to
> understand here, I needed to take time to dig more and understand
> what's going on here.  Here is what I've found so far:
> 
> * unconfined_t doesn't use lvm_run().  More precisely, "sesearch -A -p
[...]
> * Moreover, "dmsetup create truecrypt1" uses SysV semaphores.  The
> code [1][2] shows that the semaphores are used to sync with udev
> notifications.
[...]
> when udev runs dmsetup, it is in lvm_t context.
[...]
> I'm quite new to SELinux but this kind of scenario where a resource
> (here a semaphore) is shared between a confined daemon (udev) and an
> unconfined user (who uses truecrypt) might have occurred in the past
> and a kind of general solution may exist.  There are at least two
> solutions: to allow the restricted daemon to access unconfined
> resources (ie. allow lvm_t to use unconfined_t semaphores), or to add
> a transition so that the user creates a confined resource (ie. add
> "lvm_run(unconfined_t)").  What is the best way to solve this issue?

Thanks for the very detailed investigation.  Based on your results, I'd say that these denials indicate that the semaphores have the wrong label, i.e. the semaphores should be labeled lvm_t, rather than unconfined_t.  To make that happen, the solution is to have unconfined_t transition to lvm_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com