#DESC LVM - Linux Volume Manager
#
# Author:  Michael Kaufman <walker@screwage.com>
# X-Debian-Packages: lvm10 lvm2 lvm-common
#
#################################
#
# Rules for the lvm_t domain.
#
# lvm_t is the domain for LVM administration.
# lvm_exec_t is the type of the corresponding programs.
# lvm_etc_t is for read-only LVM configuration files.
# lvm_metadata_t is the type of LVM metadata files in /etc that are
# modified at runtime.
#
type lvm_vg_t, file_type, sysadmfile;
type lvm_metadata_t, file_type, sysadmfile;
type lvm_control_t, device_type, dev_fs;
etcdir_domain(lvm)
lock_domain(lvm)
allow lvm_t lvm_lock_t:dir rw_dir_perms;
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
daemon_base_domain(lvm, `, fs_domain, privowner')
role sysadm_r types lvm_t;
domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
r_dir_file(lvm_t, proc_t)
allow lvm_t self:file rw_file_perms;
# Read system variables in /proc/sys
read_sysctl(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
r_dir_file(lvm_t, sysfs_t) 
allow lvm_t fs_t:filesystem getattr;
# Read configuration files in /etc.
allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
# LVM creates block devices in /dev/mapper or /dev/<vg>
# depending on its version
file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
# LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
allow lvm_t device_t:dir create_dir_perms;
allow lvm_t device_t:lnk_file create_lnk_perms;
# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search;
allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
tmp_domain(lvm)
allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
# dac_override and mknod are for modifying /dev entries (vgmknodes).
allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
allow lvm_t lvm_metadata_t:dir rw_dir_perms;
# Inherit and use descriptors from init.
allow lvm_t init_t:fd use;
# LVM is split into many individual binaries
can_exec(lvm_t, lvm_exec_t)
# Access raw devices and the old /dev/lvm node (c 109,0). Is this still needed?
allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
# Relabel device nodes; reading the file contexts and getsecurity access let it look up the target label.
allow lvm_t { default_context_t file_context_t }:dir search;
allow lvm_t file_context_t:file { getattr read };
can_getsecurity(lvm_t)
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
allow lvm_t device_t:lnk_file { relabelfrom relabelto };
# Access terminals.
allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow lvm_t devtty_t:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
allow lvm_t privfd:fd use;
allow lvm_t devpts_t:dir { search getattr read };
read_locale(lvm_t)
# LVM (vgscan) scans for devices by stat()ing every file in /dev and applying a regex, so the stray getattr denials below are silenced rather than logged.
dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
dontaudit lvm_t ttyfile:chr_file getattr;
dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
dontaudit lvm_t devpts_t:dir { getattr read };
ifdef(`gpm.te', `
dontaudit lvm_t gpmctl_t:sock_file getattr;
')
dontaudit lvm_t initctl_t:fifo_file getattr;
allow lvm_t sbin_t:dir search;
dontaudit lvm_t sbin_t:file getattr;
allow lvm_t lvm_control_t:chr_file rw_file_perms;
allow initrc_t lvm_control_t:chr_file { getattr read unlink };
allow initrc_t device_t:chr_file create;
dontaudit lvm_t var_run_t:dir getattr;
# for when /usr is not mounted
dontaudit lvm_t file_t:dir search;
allow lvm_t tmpfs_t:dir r_dir_perms;
r_dir_file(lvm_t, selinux_config_t)
# It has no reason to need this; silence the denial instead of granting it.
dontaudit lvm_t proc_kcore_t:file getattr;
# Rules for the cluster LVM daemon, clvmd_t.
daemon_domain(clvmd)
can_network(clvmd_t)
can_ypbind(clvmd_t)
allow clvmd_t self:capability net_bind_service;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file { read write };
allow clvmd_t self:file { getattr read };
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow clvmd_t reserved_port_t:tcp_socket name_bind;
dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
dontaudit clvmd_t selinux_config_t:dir search;