diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index 9adcac7..7f5345e 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@@ -68,6 +68,8 @@ ifdef(`distro_suse', `
 /dev/input/mice -c system_u:object_r:mouse_device_t
 /dev/input/js.* -c system_u:object_r:mouse_device_t
+/dev/mapper/control -c system_u:object_r:lvm_control_t
+
 /dev/pts(/.*)? <>
 /dev/snd/.* -c system_u:object_r:sound_device_t
diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc
index dabb2b4..b5b0068 100644
--- a/refpolicy/policy/modules/kernel/storage.fc
+++ b/refpolicy/policy/modules/kernel/storage.fc
@@ -22,6 +22,7 @@
 /dev/jsfd -b system_u:object_r:fixed_disk_device_t
 /dev/jsflash -c system_u:object_r:fixed_disk_device_t
 /dev/loop.* -b system_u:object_r:fixed_disk_device_t
+/dev/lvm -c system_u:object_r:fixed_disk_device_t
 /dev/mcdx? -b system_u:object_r:removable_device_t
 /dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
 /dev/optcd -b system_u:object_r:removable_device_t
@@ -51,6 +52,8 @@ ifdef(`distro_redhat', `
 /dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
+/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t
+
 /dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
 /dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t
diff --git a/refpolicy/policy/modules/system/lvm.fc b/refpolicy/policy/modules/system/lvm.fc
new file mode 100644
index 0000000..d31ccfe
--- /dev/null
+++ b/refpolicy/policy/modules/system/lvm.fc
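Review bot: The new `/dev/mapper/control` entry references `lvm_control_t`, but no `.te` change declaring that type is part of this diff; if the type is declared in the lvm module rather than in devices.te, a kernel-layer file context would depend on an optional module and `setfiles`/`restorecon` would fail on an unknown type whenever it is not loaded. Where the declaration lives is not visible here, so please confirm it is in base policy. The entry also overlaps the `/dev/mapper/.*` pattern added to storage.fc in the same commit, and the two stay apart only because this one is a character device (`-c`) and the storage one is `-b`; recording that makes the dependency survive future edits: `# device-mapper control node (char device); dm block devices are labeled in storage.fc`.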
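Review bot: `/dev/lvm -c system_u:object_r:fixed_disk_device_t` gives what appears to be the LVM1 control character device the type used for disk contents, while the same commit gives the equivalent device-mapper node `/dev/mapper/control` its own `lvm_control_t`. With this labeling every domain allowed fixed_disk_device_t (anything that reads or repairs disks) also gets the LVM1 control interface, and a domain meant only to manage volumes would need raw-disk access to reach it, which is the opposite of least privilege. If `/dev/lvm` is indeed the LVM1 control node, the consistent line is `/dev/lvm -c system_u:object_r:lvm_control_t` next to `/dev/mapper/control`; if it is not, a comment saying what the node is would prevent the next reader from asking the same question.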
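Review bot: `/dev/mapper/.* -b` matches every device-mapper target (logical volumes, snapshots, dm-crypt mappings) and relies solely on the `-b` qualifier to leave the character device `/dev/mapper/control`, labeled `lvm_control_t` in devices.fc by this same commit, untouched; a comment should state that, e.g. `# all dm block devices; /dev/mapper/control is a char device labeled in devices.fc`. The hunk header shows the nearest preceding opener is `ifdef(`distro_redhat', ``; whether this entry actually sits inside that conditional cannot be determined from the hunk alone, but if it does, dm block devices would only be labeled on Red Hat builds even though device-mapper is distribution-independent, so please check the placement against the full file.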
@@ -0,0 +1,91 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+# LVM creates lock files in /var before /var is mounted
+# configure LVM to put lockfiles in /etc/lvm/lock instead
+# for this policy to work (unless you have no separate /var)
+
+#
+# /etc
+#
+/etc/lvm(/.*)? system_u:object_r:lvm_etc_t
+/etc/lvm/\.cache -- system_u:object_r:lvm_metadata_t
+
+/etc/lvm/archive(/.*)? system_u:object_r:lvm_metadata_t
+
+/etc/lvm/backup(/.*)? system_u:object_r:lvm_metadata_t
+
+/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t
+
+/etc/lvmtab(/.*)? system_u:object_r:lvm_metadata_t
+
+/etc/lvmtab\.d(/.*)? system_u:object_r:lvm_metadata_t
+
+#
+# /lib
+#
+/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t
+
+/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t
+
+#
+# /sbin
+#
+/sbin/cryptsetup -- system_u:object_r:lvm_exec_t
+/sbin/dmsetup -- system_u:object_r:lvm_exec_t
+/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t
+/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
+/sbin/lvchange -- system_u:object_r:lvm_exec_t
+/sbin/lvcreate -- system_u:object_r:lvm_exec_t
+/sbin/lvdisplay -- system_u:object_r:lvm_exec_t
+/sbin/lvextend -- system_u:object_r:lvm_exec_t
+/sbin/lvm -- system_u:object_r:lvm_exec_t
+/sbin/lvm\.static -- system_u:object_r:lvm_exec_t
+/sbin/lvmchange -- system_u:object_r:lvm_exec_t
+/sbin/lvmdiskscan -- system_u:object_r:lvm_exec_t
+/sbin/lvmiopversion -- system_u:object_r:lvm_exec_t
+/sbin/lvmsadc -- system_u:object_r:lvm_exec_t
+/sbin/lvmsar -- system_u:object_r:lvm_exec_t
+/sbin/lvreduce -- system_u:object_r:lvm_exec_t
+/sbin/lvremove -- system_u:object_r:lvm_exec_t
+/sbin/lvrename -- system_u:object_r:lvm_exec_t
+/sbin/lvresize -- system_u:object_r:lvm_exec_t
+/sbin/lvs -- system_u:object_r:lvm_exec_t
+/sbin/lvscan -- system_u:object_r:lvm_exec_t
+/sbin/pvchange -- system_u:object_r:lvm_exec_t
+/sbin/pvcreate -- system_u:object_r:lvm_exec_t
+/sbin/pvdata -- system_u:object_r:lvm_exec_t
+/sbin/pvdisplay -- system_u:object_r:lvm_exec_t
+/sbin/pvmove -- system_u:object_r:lvm_exec_t
+/sbin/pvremove -- system_u:object_r:lvm_exec_t
+/sbin/pvs -- system_u:object_r:lvm_exec_t
+/sbin/pvscan -- system_u:object_r:lvm_exec_t
+/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t
+/sbin/vgcfgrestore -- system_u:object_r:lvm_exec_t
+/sbin/vgchange -- system_u:object_r:lvm_exec_t
+/sbin/vgchange\.static -- system_u:object_r:lvm_exec_t
+/sbin/vgck -- system_u:object_r:lvm_exec_t
+/sbin/vgcreate -- system_u:object_r:lvm_exec_t
+/sbin/vgdisplay -- system_u:object_r:lvm_exec_t
+/sbin/vgexport -- system_u:object_r:lvm_exec_t
+/sbin/vgextend -- system_u:object_r:lvm_exec_t
+/sbin/vgimport -- system_u:object_r:lvm_exec_t
+/sbin/vgmerge -- system_u:object_r:lvm_exec_t
+/sbin/vgmknodes -- system_u:object_r:lvm_exec_t
+/sbin/vgreduce -- system_u:object_r:lvm_exec_t
+/sbin/vgremove -- system_u:object_r:lvm_exec_t
+/sbin/vgrename -- system_u:object_r:lvm_exec_t
+/sbin/vgs -- system_u:object_r:lvm_exec_t
+/sbin/vgscan -- system_u:object_r:lvm_exec_t
+/sbin/vgscan\.static -- system_u:object_r:lvm_exec_t
+/sbin/vgsplit -- system_u:object_r:lvm_exec_t
+/sbin/vgwrapper -- system_u:object_r:lvm_exec_t
+
+#
+# /usr
+#
+/usr/sbin/lvm -- system_u:object_r:lvm_exec_t
+
+#
+# /var
+#
+/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
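Review bot: `/sbin/cryptsetup -- system_u:object_r:lvm_exec_t` places the dm-crypt setup tool, which handles passphrases and key material, in the same domain as every LVM utility listed here, so whatever the lvm domain is allowed (and any weakness in that large tool set) extends to cryptsetup and vice versa. Unless the shared domain is deliberate, a dedicated exec type for cryptsetup would be the least-privilege choice; if it is deliberate, say so beside the entry, e.g. `# cryptsetup intentionally shares the lvm domain: it only drives device-mapper`. The header comment also states a prerequisite the policy cannot enforce (LVM configured to lock under /etc/lvm/lock); since `/var/lock/lvm(/.*)?` is labeled `lvm_lock_t` here as well, the comment should spell out which of the two locations is expected so an administrator can tell a misconfiguration from a policy bug.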