commit: f36491e2fcb14f581c49e1a5a41e1b9f9159c585 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net> |
AuthorDate: Mon Sep 5 17:09:37 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 3 06:04:21 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f36491e2 |
|
Update the lvm module |
|
Update the lvm module to add a permission needed by cryptsetup. |
|
At the moment the SELinux kernel code is not yet able to distinguish |
the sockets in the AF_ALG namespace that are used for interfacing to |
the kernel Crypto API. |
|
In the future the SELinux kernel code will be updated to distinguish |
the new socket class and so this permission will change its class |
from the generic "socket" to the new socket (e.g. "alg_socket"). |
|
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> |
|
policy/modules/system/lvm.te | 4 ++++ |
1 file changed, 4 insertions(+) |
|
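diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 2ebfe0c..c8831c6 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -179,6 +179,8 @@ allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow lvm_t self:sem create_sem_perms;
+# gt: the following is for sockets in the AF_ALG namespace (userspace interface to the kernel Crypto API)
+allow lvm_t self:socket create_stream_socket_perms;
 
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
@@ -253,6 +255,8 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
+# the following one is needed by cryptsetup
+dev_getattr_fs(lvm_t)
 
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)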
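Review bot: The new `allow lvm_t self:socket create_stream_socket_perms;` rule in the first hunk is wider than its comment states: the generic `socket` class is what the kernel falls back to for every socket family the policy has no dedicated class for, so this grants lvm_t stream-socket permissions on any such family, not only AF_ALG. The comment should record that and the intended follow-up, e.g. `# AF_ALG (kernel Crypto API) sockets fall into the generic socket class today; narrow this to self:alg_socket once the policy declares the extended socket classes`, so the broadening is not forgotten when the class split lands. The `# gt:` author tag on that comment and the differently worded `# the following one is needed by cryptsetup` in the second hunk would also read better as two matching comments that each name the caller (cryptsetup) and the reason, in keeping with the surrounding untagged refpolicy comments.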