commit: e8f4cf7abd48e3f49d693d944cb3c60845398904
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat May 10 14:45:24 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 16 18:42:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8f4cf7a
Make unconfined user run lvm programs in confined domain

When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is called to set up a new device. This program works with udev to configure the new device and uses SysV semaphores to synchronize states. As udev runs dmsetup in the lvm_t domain, the first dmsetup process needs to create lvm_t semaphores (not unconfined_t) and hence needs to run in the lvm_t domain.

More details are available in the archives on the ML: http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html

--- policy/modules/system/unconfined.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 9742a34..28df819 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -108,6 +108,10 @@ optional_policy(` ') optional_policy(` + lvm_run(unconfined_t, unconfined_r) +') + +optional_policy(` modutils_run_update_mods(unconfined_t, unconfined_r) ')
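Review bot: the scope of `lvm_run(unconfined_t, unconfined_r)` is wider than the commit message states, and that should be spelled out in the message and checked before merging. The message motivates the change with dmsetup alone, but `lvm_run()` makes every program labelled for the lvm module transition from unconfined_t into the confined lvm_t when an unconfined user runs it, so those tools stop inheriting the unrestricted unconfined_t and are now subject to the lvm_t rules; for the truecrypt scenario described, verify that lvm_t is allowed to reach the user's encrypted container file and the resulting device node, otherwise the fix replaces a semaphore type mismatch with lvm_t denials. Wrapping the call in its own `optional_policy(` block is right, since the lvm module may not be loaded, and placing it before the `modutils_run_update_mods` block keeps the alphabetical order refpolicy uses in unconfined.te.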
