From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
Date: Wed, 14 May 2014 09:32:13 -0400
Message-ID: <5373705D.1090404@tresys.com>
In-Reply-To: <53722440.7070000@redhat.com>
On 05/13/2014 09:55 AM, Daniel J Walsh wrote:
>
> On 05/13/2014 08:46 AM, Christopher J. PeBenito wrote:
>> On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
>>> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
>>> called to set up a new device. This program works with udev to configure the
>>> new device and uses SysV semaphores to synchronize states. As udev runs
>>> dmsetup in the lvm_t domain, the first dmsetup process needs to create lvm_t
>>> semaphores (not unconfined_t) and hence needs to run in the lvm_t domain.
>>>
>>> More details are available in the archives on the ML:
>>> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
>>> ---
>>> policy/modules/system/unconfined.te | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 472a39e..79f2909 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -108,6 +108,10 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + lvm_run(unconfined_t, unconfined_r)
>>> +')
>>> +
>>> +optional_policy(`
>>> modutils_run_update_mods(unconfined_t, unconfined_r)
>>> ')
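Review bot: the commit message justifies the transition only for dmsetup's semaphore handling, but lvm_run() moves every lvm program run by unconfined_t into lvm_t (the subject line says "lvm programs"), so the message should state that the broader scope is intended, and it would help to say why allowing lvm_t to use the unconfined_t semaphores was not chosen instead, since that is the first alternative a reader of the hunk will reach for.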
>> Merged.
>>
> Why would we add a confinement to the unconfined domain? I believe
> unconfined_t should stay unconfined as much as possible.
>
> I wrote a blog about this.
>
> https://danwalsh.livejournal.com/30084.html
>
> The only reason to do this in the past was for correct labeling, but
> with file name transition rules, I believe almost all transitions from
> unconfined_t should be eliminated.
The file name transitions don't apply, as we're concerned about SysV semaphores in this case.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
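The dmsetup/udev handshake that the commit message above relies on, written out as an added example; this is not code from libdevmapper, refpolicy or anyone in the thread. It assumes a simplified model: one SysV semaphore keyed by a "cookie" (the 0x0D4D magic in the upper 16 bits is modelled on libdevmapper's cookie magic, and the exact values are an assumption), created with value 1 by the caller, decremented by the udev side, and torn down by the caller once it reaches zero. The point relevant to the patch is that a SysV semaphore carries the SELinux label of the process that created it, so a caller running in unconfined_t and a udev-spawned peer running in lvm_t end up on different labels unless the caller is transitioned into lvm_t, which is what lvm_run() arranges.

```c
/*
 * Model of the dmsetup <-> udev SysV semaphore handshake (added example,
 * not libdevmapper or refpolicy code). Parent plays the caller (dmsetup),
 * the child plays "dmsetup udevcomplete <cookie>" run from the udev rule.
 *
 * SELinux note: the semaphore object is labelled with the creating
 * process's domain. If the creator is unconfined_t and the udev side is
 * lvm_t, the child's semget() below is where the peer fails to open it,
 * and the caller's wait never completes; hence the timeout on the wait.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* glibc leaves this union to the caller (see semctl(2)). */
union semun {
    int val;
    struct semid_ds *buf;
    unsigned short *array;
};

/* Caller side: create the cookie semaphore with value 1 ("udev work pending"). */
int cookie_sem_create(key_t cookie)
{
    int id = semget(cookie, 1, IPC_CREAT | IPC_EXCL | 0600);
    if (id < 0)
        return -1;
    union semun arg;
    arg.val = 1;
    if (semctl(id, 0, SETVAL, arg) < 0) {
        semctl(id, 0, IPC_RMID);
        return -1;
    }
    return id;
}

/* udev side: open the existing semaphore by key (never create it) and
 * decrement it. Under SELinux this open is checked against the label the
 * creating domain put on the semaphore. */
int cookie_sem_complete(key_t cookie)
{
    int id = semget(cookie, 1, 0);
    if (id < 0)
        return -1;
    struct sembuf dec = { .sem_num = 0, .sem_op = -1, .sem_flg = 0 };
    return semop(id, &dec, 1);
}

/* Caller side: block until the semaphore reaches zero or the timeout
 * expires (a peer that cannot open the semaphore never decrements it). */
int cookie_sem_wait_zero(int id, int timeout_sec)
{
    struct sembuf wait_zero = { .sem_num = 0, .sem_op = 0, .sem_flg = 0 };
    struct timespec ts = { .tv_sec = timeout_sec, .tv_nsec = 0 };
    return semtimedop(id, &wait_zero, 1, &ts);
}

/* Run both sides in one process tree. Returns 0 when the udev side
 * decremented the semaphore and the caller removed it, -1 otherwise. */
int run_udev_sync_model(void)
{
    /* Cookie layout is an assumption modelled on libdevmapper's magic prefix. */
    key_t cookie = (key_t)((0x0D4D << 16) | (getpid() & 0xffff));
    int id = cookie_sem_create(cookie);
    if (id < 0)
        return -1;

    pid_t child = fork();
    if (child < 0) {
        semctl(id, 0, IPC_RMID);
        return -1;
    }
    if (child == 0)
        _exit(cookie_sem_complete(cookie) == 0 ? 0 : 1);

    int rc = cookie_sem_wait_zero(id, 5);
    semctl(id, 0, IPC_RMID);   /* always tear down, even after a timeout */

    int status = 0;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    if (rc < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    /* The key must no longer resolve once the caller has torn it down. */
    return (semget(cookie, 1, 0) < 0 && errno == ENOENT) ? 0 : -1;
}

int main(void)
{
    int rc = run_udev_sync_model();
    printf("udev sync model: %s\n", rc == 0 ? "completed" : "failed");
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -o udevsync udevsync.c` and run it. On an SELinux host, `sesearch -T -s unconfined_t -t lvm_exec_t -c process` (setools, assuming the refpolicy type names lvm_exec_t and lvm_t) shows whether the transition this patch adds is present in the loaded policy, which is the condition under which both sides of the handshake above create and open the semaphore from the same domain.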
Thread overview:
2014-05-10 14:45 [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain Nicolas Iooss
2014-05-13 12:46 ` Christopher J. PeBenito
2014-05-13 13:55 ` Daniel J Walsh
2014-05-14 13:32 ` Christopher J. PeBenito [this message]