LVM uses systemwide semaphores for activities such as vgchange -ay

The LVM subsystem uses system-wide semaphores for various activities.

Although the system boots properly without these (apart from the AVC denials
of course), I would assume that they are here to ensure no corruption of any
kind happens in case of concurrent execution / race conditions.

As such, I would rather enable it explicitly in the security policy.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
Sven Vermeulen 2011-02-06 15:36:23 +01:00 committed by Chris PeBenito
parent 2998ef21c2
commit 57835f4453
1 changed file with 2 additions and 0 deletions


@ -174,6 +174,7 @@ allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow lvm_t self:sem create_sem_perms;
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
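Review bot: the justification for `allow lvm_t self:sem create_sem_perms;` rests on AVC denials that are neither quoted in the commit message nor in the diff, so a reviewer cannot confirm that the full `create_sem_perms` set is what was actually denied rather than a narrower read/write set; please include the denied permissions in the commit message so the choice of macro can be verified. Scoping the rule to `self:sem` is the right least-privilege choice, since it only lets lvm_t work with semaphores it created itself and grants nothing on semaphores belonging to other domains.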
@ -210,6 +211,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t) files_search_mnt(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t) kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys # Read system variables in /proc/sys
kernel_read_kernel_sysctls(lvm_t) kernel_read_kernel_sysctls(lvm_t)
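Review bot: `kernel_get_sysvipc_info(lvm_t)` is not mentioned anywhere in the commit message, which only talks about semaphores; if this interface is needed because LVM inspects SysV IPC state alongside creating its semaphores, say so in the message (ideally with the corresponding denial), otherwise it reads as an unrelated grant slipped into a semaphore fix. Placement between `files_search_mnt(lvm_t)` and `kernel_read_system_state(lvm_t)` keeps the kernel_ interfaces grouped and alphabetical, which matches the surrounding block.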