commit: ef08b161fabd3126d57bd4fefa6510051929c05a
Author: Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Sun Dec 29 15:37:01 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef08b161
lvm: allow to grant capability and create alg_socket
Resolve the following AVC denials:
897655:type=AVC msg=audit(1735486143.152:1314): avc: \
denied { dac_read_search } for pid=7420 comm="cryptsetup" \
capability=2 \
scontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
tcontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
tclass=capability permissive=0
897660:type=AVC msg=audit(1735486143.152:1315): avc: \
denied { create } for pid=7420 comm="cryptsetup" \
scontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
tcontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
tclass=alg_socket permissive=0
Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/lvm.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 2b314ee95..0bcfa293e 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -49,7 +49,7 @@ files_type(lvm_var_lib_t)
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
# net_admin for multipath
-allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod
net_admin sys_admin sys_nice sys_rawio sys_resource };
+allow lvm_t self:capability { chown dac_override dac_read_search fowner
ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { setfscreate setrlimit sigchld sigkill signal
signull sigstop };
# LVM will complain a lot if it cannot set its priority.
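Review bot: The new `dac_read_search` entry on the capability line has no comment in the block above it, which otherwise records why each capability is held (DAC overrides and mknod, rawio, net_admin); the commit message ties it to cryptsetup, and that reason belongs in the policy file next to the rule. Add `# dac_read_search and alg_socket for cryptsetup` after the `# net_admin for multipath` line; the same gap applies to the `alg_socket create_socket_perms` rule in the second hunk, whose tail is outside this view. Note that `dac_override` is already in this set and subsumes `dac_read_search`, so the added permission does not widen lvm_t's effective privilege; the denial is presumably the kernel checking dac_read_search before falling back to dac_override on read/search lookups, in which case a `dontaudit lvm_t self:capability dac_read_search;` beside the existing `sys_tty_config` dontaudit would also have silenced the log without changing what lvm_t can do.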
@@ -65,6 +65,7 @@ allow lvm_t self:socket create_stream_socket_perms;
allow lvm_t self:key { search write };
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow lvm_t self:alg_socket create_socket_perms;
manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)