On Tue, 20 Apr 2004 12:50, Valdis.Kletnieks@xxxxxx wrote:
> Running the fedora-devel code as of 0419.. hitting some issues
> with installing a new kernel due to mkinitrd failing.
>
> System has 1 disk, using LVM for the root filesystem - the bigger error
> seems to be LVM-specific (looks like bootloader_t needs to be able to do
> stuff with lvm_exec_t and lvm_etc_t).

Regarding the issue of search access to the current directory: one work-around, if you are writing a program that launches such a fussy program, is to have it do "cd /" before the exec.

I have attached a patch for lvm that cleans up a few things (and also has some non-LVM changes that won't cause any harm), and a patch for bootloader.te which will hopefully fix this issue.

Please apply both patches, relabel /etc/lvm, and let me know how it goes.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
#DESC LVM - Linux Volume Manager
#
# Author: Michael Kaufman <walker@xxxxxxxxxxxx>
# X-Debian-Packages: lvm10 lvm2 lvm-common
#

#################################
#
# Rules for the lvm_t domain.
#
# lvm_t is the domain for LVM administration.
# lvm_exec_t is the type of the corresponding programs.
# lvm_etc_t is for read-only LVM configuration files.
# lvm_metadata_t is the type of LVM metadata files in /etc that are
# modified at runtime.
#
# lvm_vg_t and lvm_control_t are declared below, but no rule in this file
# grants lvm_t (or any other domain) access to them.
# NOTE(review): presumably lvm_control_t labels the device-mapper control
# node and lvm_vg_t the per-volume-group entries - confirm, and confirm where
# lvm_t is given access to them.
#
type lvm_vg_t, file_type, sysadmfile;
type lvm_metadata_t, file_type, sysadmfile;
type lvm_control_t, file_type, device_type;

# lvm_t, lvm_exec_t and lvm_etc_t are used throughout this file but are not
# declared with a `type' statement here.
# NOTE(review): presumably the macros below define them (plus lock and, further
# down, tmp types for the domain) - confirm against the macro definitions.
etcdir_domain(lvm)
# Keep the older name etc_lvm_t usable as an alias of lvm_etc_t.
typealias lvm_etc_t alias etc_lvm_t;
lock_domain(lvm)
# NOTE(review): the second argument looks like an extra attribute (fs_domain)
# for the domain type - confirm against daemon_base_domain.
daemon_base_domain(lvm, `, fs_domain')
# Let the administrator role sysadm_r run processes in lvm_t.
role sysadm_r types lvm_t;

# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process { setsched };

# Pipes and files owned by the domain itself, and read access to proc_t.
allow lvm_t self:fifo_file rw_file_perms;
r_dir_file(lvm_t, proc_t)
allow lvm_t self:file r_file_perms;

# Read system variables in /proc/sys
allow lvm_t sysctl_kernel_t:file r_file_perms;
allow lvm_t sysctl_kernel_t:dir r_dir_perms;

# Read /sys/block. Device mapper metadata is kept there.
r_dir_file(lvm_t, sysfs_t)

# Read configuration files in /etc.
# Only getattr and read are granted on etc_t / etc_runtime_t files.
allow lvm_t { etc_t etc_runtime_t }:file { getattr read };

# LVM creates block devices in /dev/mapper or /dev/<vg>
# depending on its version
# Block devices lvm_t creates in device_t directories are labelled
# fixed_disk_device_t.
file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)

# LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
allow lvm_t device_t:dir create_dir_perms;
allow lvm_t device_t:lnk_file create_file_perms;

# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search;
allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;

tmp_domain(lvm)

# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# NOTE(review): sys_admin is granted as well, although the comment above only
# motivates dac_override and mknod. It is a broad capability - confirm which
# LVM operation needs it and record that here.
allow lvm_t self:capability { dac_override mknod sys_admin };

# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
# Directories lvm_t creates in etc_t directories are labelled lvm_etc_t; files
# it creates in etc_t or lvm_etc_t directories are labelled lvm_metadata_t.
file_type_auto_trans(lvm_t, etc_t, lvm_etc_t, dir)
file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)

# Inherit and use descriptors from init.
allow lvm_t init_t:fd use;

# LVM is split into many individual binaries
# lvm_t may execute lvm_exec_t programs.
can_exec(lvm_t, lvm_exec_t)

# Access disk devices.
# This rule covers character devices labelled fixed_disk_device_t and uses the
# create permission set, not just read/write.
# NOTE(review): confirm which character device this is for, and whether it
# should name lvm_control_t (declared above, unused in this file) instead.
allow lvm_t fixed_disk_device_t:chr_file create_file_perms;

# Access terminals.
allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
# Only emitted when gnome-pty-helper.te is part of the policy build.
ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
allow lvm_t privfd:fd use;
allow lvm_t devpts_t:dir getattr;

read_locale(lvm_t)

# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
# dontaudit leaves the getattr denied and suppresses the audit record, so these
# denials on device_type character and block devices will not appear in the
# audit log.
dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
diff -ru pol/domains/program/bootloader.te pol.new/domains/program/bootloader.te
--- pol/domains/program/bootloader.te 2004-04-18 10:49:28.000000000 +1000
+++ pol.new/domains/program/bootloader.te 2004-04-21 00:20:30.000000000 +1000
@@ -49,13 +49,15 @@
 # LVM2 / Device Mapper's /dev/mapper/control
 # maybe we should change the labeling for this
 ifdef(`lvm.te', `
-allow bootloader_t fixed_disk_device_t:chr_file rw_file_perms;
+allow bootloader_t lvm_control_t:chr_file rw_file_perms;
+domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+r_dir_file(bootloader_t, lvm_etc_t)
 ')
 # uncomment the following line if you use "lilo -p"
 #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
-can_exec(bootloader_t, { bootloader_exec_t shell_exec_t bin_t sbin_t })
+can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
 allow bootloader_t shell_exec_t:lnk_file read;
 allow bootloader_t { bin_t sbin_t }:dir search;
 allow bootloader_t { bin_t sbin_t }:lnk_file read;
@@ -75,7 +77,7 @@
 dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-allow bootloader_t boot_t:dir rw_dir_perms;
+allow bootloader_t boot_t:dir { create rw_dir_perms };
 allow bootloader_t boot_t:{ file lnk_file } create_file_perms;
 allow bootloader_t load_policy_exec_t:file { getattr read };
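Review bot: Inside the lvm.te ifdef, `domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)` is added alongside two direct grants to bootloader_t, and nothing says why both are needed. Once the LVM programs run in lvm_t, it is worth confirming that bootloader_t itself still needs `allow bootloader_t lvm_control_t:chr_file rw_file_perms;` and `r_dir_file(bootloader_t, lvm_etc_t)`; if only the transitioned tools touch the control node and the configuration, those rules widen bootloader_t for no gain. The attached lvm.te grants lvm_t `dac_override`, `mknod` and `sys_admin`, so the transition also makes those capabilities reachable from whatever bootloader_t is allowed to launch, which deserves a comment. The context line `# maybe we should change the labeling for this` looks stale now that the rule names lvm_control_t, and the new `ls_exec_t` entry in `can_exec` should get a short comment stating which script needs it.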
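Review bot: The widened rule `allow bootloader_t boot_t:dir { create rw_dir_perms };` has no comment saying which tool must create directories labelled boot_t, so a later reader cannot judge whether the permission is still required. I would add a line above it such as `# create subdirectories of boot_t directories (confirm which tool needs this)`. Granting only `create` is narrower than the `create_dir_perms` set that lvm.te uses for device_t directories, which seems the right choice here. If removing those directories is also expected, that would need granting separately, since as far as I can tell `rw_dir_perms` does not cover it.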