Make unconfined user run lvm programs in confined domain

When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to set up a new device.  This program works with udev to configure the
new device and uses SysV semaphores to synchronize states.  As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.

More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
Nicolas Iooss 2014-05-10 16:45:24 +02:00 committed by Chris PeBenito
parent 1c8c76c927
commit 7c356f97f5
1 changed files with 4 additions and 0 deletions

@ -107,6 +107,10 @@ optional_policy(`
lpd_run_checkpc(unconfined_t, unconfined_r)
')
optional_policy(`
lvm_run(unconfined_t, unconfined_r)
')
optional_policy(`
modutils_run_update_mods(unconfined_t, unconfined_r)
')
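
Review bot: the new optional_policy block around lvm_run(unconfined_t, unconfined_r) has no comment, so the reason for it (udev runs dmsetup in lvm_t, and the first dmsetup process must create the SysV semaphores as lvm_t) is recorded only in the commit message. Please add a short comment above the lvm_run line stating that. The call is also made for the lvm domain as a whole rather than for dmsetup alone, as the subject line ("lvm programs") indicates. It would help to confirm in the message that moving every lvm program started by unconfined_t into the confined domain is intended and was tested beyond the truecrypt case described.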