From 57835f4453a97023ad69fc26e13b97838eb3124b Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Sun, 6 Feb 2011 15:36:23 +0100
Subject: [PATCH] LVM uses systemwide semaphores for activities such as vgchange -ay

The LVM subsystem uses system-wide semaphores for various activities. Although the system boots properly without these (apart from the AVC denials of course), I would assume that they are here to ensure no corruption of any kind happens in case of concurrent execution / race conditions. As such, I rather enable it explicitly in the security policy.

Signed-off-by: Sven Vermeulen
---
 policy/modules/system/lvm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 74e38b416..5e8e5aab1 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -174,6 +174,7 @@ allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow lvm_t self:sem create_sem_perms;
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
@@ -210,6 +211,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
+kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
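Review bot: The added `allow lvm_t self:sem create_sem_perms;` grants the full create/destroy/setattr set on semaphores, but neither the hunk nor the commit message records the AVC denials that motivated it, so a reader cannot tell whether the narrower `rw_sem_perms` would have been enough. The commit message itself says the purpose is only assumed ("I would assume that they are here to ensure no corruption"); in LVM the SysV semaphore is more likely libdevmapper's udev-synchronization cookie than a corruption guard, which is worth confirming against the denial and stating in the message, since it is what justifies the grant. A one-line comment above the rule would also help the next maintainer, e.g. `# SysV semaphores (presumably libdevmapper udev sync cookies)`.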
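Review bot: `kernel_get_sysvipc_info(lvm_t)` is added without a comment, and unlike the `self:sem` rule in the first hunk it is not a permission on lvm_t's own objects: in refpolicy this interface grants `system ipc_info` against kernel_t, i.e. querying system-wide IPC status, and the commit message does not say which LVM operation needs it. It is probably a semctl info query from the same semaphore code path, but that is inferred, not shown here. Suggest a comment naming the caller, e.g. `# SysV IPC info queries made alongside the semaphore handling above`, so the two grants are visibly related and can be reviewed together.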