lvm: Updates for multipath LVM.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-02 15:19:00 +00:00 · 2022-05-02 15:19:00 +00:00 · 3fe6f270e3
parent 05e386bcb3
commit 3fe6f270e3
4 changed files with 32 additions and 2 deletions
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -3250,6 +3250,24 @@ interface(`files_exec_etc_files',`
 	exec_files_pattern($1, etc_t, etc_t)
 ')

+########################################
+## <summary>
+##	Watch /etc files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_etc_files', `
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:file watch;
+')
+
 ########################################
 ## <summary>
 ##	Get etc_t service status.
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@ -104,6 +104,7 @@
 /usr/sbin/lvresize		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvs			--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/multipath             --      gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/multipathd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/multipath\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@ -51,7 +51,7 @@ files_type(lvm_var_lib_t)
 # net_admin for multipath
 allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
-allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
+allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate setrlimit };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
@ -115,6 +115,7 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
+kernel_read_fs_sysctls(lvm_t)
 # for when /usr is not mounted:
 kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
@ -123,6 +124,8 @@ kernel_use_fds(lvm_t)
 # for systemd-cryptsetup
 kernel_read_crypto_sysctls(lvm_t)
 kernel_search_debugfs(lvm_t)
+# multipath
+kernel_read_vm_overcommit_sysctl(lvm_t)

 corecmd_exec_bin(lvm_t)
 corecmd_exec_shell(lvm_t)
@ -159,6 +162,7 @@ domain_read_all_domains_state(lvm_t)

 files_read_usr_files(lvm_t)
 files_read_etc_files(lvm_t)
+files_watch_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)

 fs_getattr_xattr_fs(lvm_t)
@ -210,6 +214,10 @@ seutil_read_file_contexts(lvm_t)
 seutil_search_default_contexts(lvm_t)
 seutil_sigchld_newrole(lvm_t)

+# multipath
+sysnet_read_config(lvm_t)
+sysnet_write_config(lvm_t)
+
 userdom_use_inherited_user_terminals(lvm_t)

 ifdef(`init_systemd',`
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@ -51,6 +51,8 @@ allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+# rdma_rename
+allow udev_t self:netlink_rdma_socket create_socket_perms;

 ifdef(`init_systemd',`
 	# systemd-vconsole-setup will be called by udev during virtual terminal initialization
@ -96,7 +98,8 @@ kernel_rw_unix_dgram_sockets(udev_t)
 kernel_signal(udev_t)
 kernel_search_debugfs(udev_t)
 kernel_search_key(udev_t)
-
+# kpartx:
+kernel_get_sysvipc_info(udev_t)
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
 kernel_read_crypto_sysctls(udev_t)