From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1475474661.f36491e2fcb14f581c49e1a5a41e1b9f9159c585.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/lvm.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: f36491e2fcb14f581c49e1a5a41e1b9f9159c585
X-VCS-Branch: master
Date: Mon, 3 Oct 2016 06:20:51 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: afd4bc97-73ee-4b89-870b-9207f096c340
X-Archives-Hash: c250897f359059476993b4426c1cb6f5

commit: f36491e2fcb14f581c49e1a5a41e1b9f9159c585
Author: Guido Trentalancia trentalancia net>
AuthorDate: Mon Sep 5 17:09:37 2016 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f36491e2

Update the lvm module

Update the lvm module to add a permission needed by cryptsetup.

At the moment the SELinux kernel code is not yet able to distinguish the sockets in the AF_ALG namespace that are used for interfacing to the kernel Crypto API. In the future the SELinux kernel code will be updated to distinguish the new socket class, and so this permission will change its class from the generic "socket" to the new socket (e.g. "alg_socket").

Signed-off-by: Guido Trentalancia trentalancia.net>

 policy/modules/system/lvm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 2ebfe0c..c8831c6 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -179,6 +179,8 @@ allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; allow lvm_t self:sem create_sem_perms; +# gt: the following is for sockets in the AF_ALG namespace (userspace interface to the kernel Crypto API) +allow lvm_t self:socket create_stream_socket_perms; allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; @@ -253,6 +255,8 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) +# the following one is needed by cryptsetup +dev_getattr_fs(lvm_t) domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t)
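Review bot: in the first hunk, `allow lvm_t self:socket create_stream_socket_perms;` grants more than its comment states. As the commit message itself notes, the kernel cannot yet tell AF_ALG sockets apart, so the generic `socket` class is the fallback for every address family without a dedicated class, and this rule is not limited to the Crypto API sockets the comment describes. Put that caveat in the comment so the rule gets revisited once the dedicated class exists, e.g. `# TODO: restrict to alg_socket once the kernel and policy support that class`, and drop the `gt:` initials prefix, which the second added comment does not use.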
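Review bot: in the second hunk, the comment on `dev_getattr_fs(lvm_t)` only says it is "needed by cryptsetup". It should state which cryptsetup operation produced the denial and what the interface grants (getattr on the device filesystem), so a later reader can judge whether the access is still required or can be removed; `# the following one is needed by cryptsetup` gives no way to check that.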