#DESC LVM - Linux Volume Manager # # Author: Michael Kaufman # X-Debian-Packages: lvm10 lvm2 lvm-common # ################################# # # Rules for the lvm_t domain. # # lvm_t is the domain for LVM administration. # lvm_exec_t is the type of the corresponding programs. # lvm_etc_t is for read-only LVM configuration files. # lvm_metadata_t is the type of LVM metadata files in /etc that are # modified at runtime. # type lvm_vg_t, file_type, sysadmfile; type lvm_metadata_t, file_type, sysadmfile; type lvm_control_t, device_type, dev_fs; etcdir_domain(lvm) allow lvm_t var_t:dir search; lock_domain(lvm) allow lvm_t lvm_lock_t:dir rw_dir_perms; # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin daemon_base_domain(lvm, `, fs_domain, privowner') role sysadm_r types lvm_t; domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t) # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; allow lvm_t self:fifo_file rw_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; r_dir_file(lvm_t, proc_t) allow lvm_t self:file r_file_perms; # Read system variables in /proc/sys read_sysctl(lvm_t) # Read /sys/block. Device mapper metadata is kept there. r_dir_file(lvm_t, sysfs_t) allow lvm_t fs_t:filesystem getattr; # Read configuration files in /etc. allow lvm_t { etc_t etc_runtime_t }:file { getattr read }; # LVM creates block devices in /dev/mapper or /dev/ # depending on its version file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file) # LVM(2) needs to create directores (/dev/mapper, /dev/) # and links from /dev/ to /dev/mapper/- allow lvm_t device_t:dir create_dir_perms; allow lvm_t device_t:lnk_file create_lnk_perms; # /lib/lvm- holds the actual LVM binaries (and symlinks) allow lvm_t lvm_exec_t:dir search; allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms; tmp_domain(lvm) allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; # DAC overrides and mknod for modifying /dev entries (vgmknodes) allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod }; # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file) allow lvm_t lvm_metadata_t:dir rw_dir_perms; # Inherit and use descriptors from init. allow lvm_t init_t:fd use; # LVM is split into many individual binaries can_exec(lvm_t, lvm_exec_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? allow lvm_t fixed_disk_device_t:chr_file create_file_perms; # relabel devices allow lvm_t { default_context_t file_context_t }:dir search; allow lvm_t file_context_t:file { getattr read }; can_getsecurity(lvm_t) allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; allow lvm_t device_t:lnk_file { relabelfrom relabelto }; # Access terminals. allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; allow lvm_t devtty_t:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;') allow lvm_t privfd:fd use; allow lvm_t devpts_t:dir { search getattr read }; read_locale(lvm_t) # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... dontaudit lvm_t device_type:{ chr_file blk_file } getattr; dontaudit lvm_t ttyfile:chr_file getattr; dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr; dontaudit lvm_t devpts_t:dir { getattr read }; ifdef(`gpm.te', ` dontaudit lvm_t gpmctl_t:sock_file getattr; ') dontaudit lvm_t initctl_t:fifo_file getattr; allow lvm_t sbin_t:dir search; dontaudit lvm_t sbin_t:file getattr; allow lvm_t lvm_control_t:chr_file rw_file_perms; allow initrc_t lvm_control_t:chr_file { getattr read unlink }; allow initrc_t device_t:chr_file create; dontaudit lvm_t var_run_t:dir getattr; # for when /usr is not mounted dontaudit lvm_t file_t:dir search; allow lvm_t tmpfs_t:dir r_dir_perms; r_dir_file(lvm_t, selinux_config_t) # it has no reason to need this dontaudit lvm_t proc_kcore_t:file getattr;