LVM uses systemwide semaphores for activities such as vgchange -ay
The LVM subsystem uses system-wide semaphores for various activities. Although the system boots properly without these (apart from the AVC denials, of course), I would assume that they are there to ensure no corruption of any kind happens in case of concurrent execution / race conditions. As such, I would rather enable it explicitly in the security policy. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
parent
2998ef21c2
commit
57835f4453
@ -174,6 +174,7 @@ allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow lvm_t self:sem create_sem_perms;
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
@ -210,6 +211,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)
files_search_mnt(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys
# Read system variables in /proc/sys
kernel_read_kernel_sysctls(lvm_t)
kernel_read_kernel_sysctls(lvm_t)
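Review bot: The new `allow lvm_t self:sem create_sem_perms;` in the first hunk is scoped to `self`, so it only covers semaphore sets owned by lvm_t, which is narrower than the "system-wide semaphores" wording of the description; that is the right least-privilege grant, but a comment above the line would keep a later maintainer from widening it, e.g. `# vgchange -ay creates and uses SysV semaphores`. If any of these semaphores are shared with clvmd_t (the stream-socket rules a few lines below show the two domains already communicate), `self:sem` will not cover that path and a separate sem denial between the two domains would surface; I cannot tell from the hunk whether that applies. The `kernel_get_sysvipc_info(lvm_t)` line in the second hunk should likewise carry a one-line comment naming the operation that needed it, since the description only mentions the semaphore denials.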