Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Mon, 03 Oct 2016 06:20:57
Message-Id: 1475474661.f36491e2fcb14f581c49e1a5a41e1b9f9159c585.perfinion@gentoo
1 commit: f36491e2fcb14f581c49e1a5a41e1b9f9159c585
2 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
3 AuthorDate: Mon Sep 5 17:09:37 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 3 06:04:21 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f36491e2
7
8 Update the lvm module
9
10 Update the lvm module to add a permission needed by cryptsetup.
11
12 At the moment the SELinux kernel code is not yet able to distinguish
13 the sockets in the AF_ALG namespace that are used for interfacing to
14 the kernel Crypto API.
15
16 In the future the SELinux kernel code will be updated to distinguish
17 the new socket class and so this permission will change its class
18 from the generic "socket" to the new socket (e.g. "alg_socket").
19
20 Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
21
22 policy/modules/system/lvm.te | 4 ++++
23 1 file changed, 4 insertions(+)
24
25 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
26 index 2ebfe0c..c8831c6 100644
27 --- a/policy/modules/system/lvm.te
28 +++ b/policy/modules/system/lvm.te
29 @@ -179,6 +179,8 @@ allow lvm_t self:fifo_file manage_fifo_file_perms;
30 allow lvm_t self:unix_dgram_socket create_socket_perms;
31 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
32 allow lvm_t self:sem create_sem_perms;
33 +# gt: the following is for sockets in the AF_ALG namespace (userspace interface to the kernel Crypto API)
34 +allow lvm_t self:socket create_stream_socket_perms;
35
36 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
37 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
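Review bot: the new `allow lvm_t self:socket create_stream_socket_perms;` rule is wider than its comment suggests. Per the commit message the kernel cannot yet tell AF_ALG sockets apart, so the generic "socket" class is used here, and the grant is therefore not limited to AF_ALG. It also applies to the whole lvm_t domain although the commit message names only cryptsetup as the consumer. Please say in the comment that this is a temporary, broader-than-intended grant and that it should move to the dedicated class (e.g. "alg_socket") once the kernel supports it, so the rule is not forgotten when that class lands. The "gt:" initials prefix in the comment is also inconsistent with the unprefixed comment in the second hunk; drop it.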
38 @@ -253,6 +255,8 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
39 dev_dontaudit_getattr_generic_blk_files(lvm_t)
40 dev_dontaudit_getattr_generic_pipes(lvm_t)
41 dev_create_generic_dirs(lvm_t)
42 +# the following one is needed by cryptsetup
43 +dev_getattr_fs(lvm_t)
44
45 domain_use_interactive_fds(lvm_t)
46 domain_read_all_domains_state(lvm_t)
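Review bot: the comment above `dev_getattr_fs(lvm_t)` says only that it "is needed by cryptsetup", without stating which operation needs getattr on the device filesystem, so a later reader cannot judge whether the permission is still required. The commit message also speaks of "a permission needed by cryptsetup" in the singular and explains only the AF_ALG socket rule, while this second addition is not described at all. Please name the cryptsetup action (or the denial observed) in the comment and mention this interface call in the commit message.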