[selinux-policy: 1190/3172] remove lvm_vg_t

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:47:49 UTC 2010


commit 017bab0575eb5df69478c2c77d7b9064686896e2
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 3 16:21:06 2006 +0000

    remove lvm_vg_t

 refpolicy/Changelog                        |    1 +
 refpolicy/policy/modules/kernel/storage.if |   48 +--------------------------
 refpolicy/policy/modules/kernel/storage.te |   13 +-------
 3 files changed, 4 insertions(+), 58 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 4fca63c..35ef9b1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Remove unused lvm_vg_t.
 - Many interface renames to improve naming consistency.
 - Merge xdm into xserver.
 - Remove kernel module reversed interfaces.
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 395cd8f..2fd6bf0 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -244,50 +244,6 @@ interface(`storage_swapon_fixed_disk',`
 
 ########################################
 ## <summary>
-##	Allow the caller to directly read from a logical volume.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`storage_raw_read_lvm_volume',`
-	gen_require(`
-		attribute fixed_disk_raw_read;
-		type lvm_vg_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 lvm_vg_t:blk_file r_file_perms;
-	typeattribute $1 fixed_disk_raw_read;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly read from a logical volume.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`storage_raw_write_lvm_volume',`
-	gen_require(`
-		attribute fixed_disk_raw_write;
-		type lvm_vg_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
-	typeattribute $1 fixed_disk_raw_write;
-')
-
-########################################
-## <summary>
 ##	Allow the caller to get the attributes of
 ##	the generic SCSI interface device nodes.
 ## </summary>
@@ -648,12 +604,12 @@ interface(`storage_setattr_tape_dev',`
 interface(`storage_unconfined',`
 	gen_require(`
 		type fixed_disk_device_t, removable_device_t;
-		type lvm_vg_t, scsi_generic_device_t, tape_device_t;
+		type scsi_generic_device_t, tape_device_t;
 		attribute fixed_disk_raw_read, fixed_disk_raw_write;
 		attribute scsi_generic_read, scsi_generic_write;
 	')
 
-	allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;
+	allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
 	allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
 
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
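Review bot: The two interfaces deleted in the first hunk of this file, storage_raw_read_lvm_volume and storage_raw_write_lvm_volume, get no compatibility shim, whereas storage.te keeps lvm_vg_t as an alias of fixed_disk_device_t, so a module that still references the type builds but one that still calls either interface fails at policy build time. The storage_unconfined edit itself is consistent with the alias: `allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;` still covers device nodes labelled lvm_vg_t, and the permission grant it confers is unchanged. If the interface removal is meant to break callers, a Changelog line saying so would help; otherwise a deprecated wrapper that forwards to the fixed-disk equivalents (storage_raw_read_fixed_disk / storage_raw_write_fixed_disk, assuming those names are what this file uses for the fixed-disk raw access interfaces — not visible in the hunk) keeps the old interface name working and documents the equivalence. storage_unconfined's body continues past the end of the hunk.
```m4
########################################
## <summary>
##	Deprecated: lvm_vg_t is an alias of fixed_disk_device_t,
##	so use storage_raw_read_fixed_disk() instead.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`storage_raw_read_lvm_volume',`
	storage_raw_read_fixed_disk($1)
')
dnl … a matching storage_raw_write_lvm_volume wrapper forwarding to storage_raw_write_fixed_disk …
```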
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
index 0f1b9e1..f4bf61d 100644
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -15,24 +15,13 @@ attribute scsi_generic_write;
 # fixed_disk_device_t is the type of 
 # /dev/hd* and /dev/sd*.
 #
-type fixed_disk_device_t;
+type fixed_disk_device_t alias lvm_vg_t;
 dev_node(fixed_disk_device_t)
 
 neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
 neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
 
 #
-# lvm_vg_t is the type of logical volume groups
-#
-type lvm_vg_t;
-dev_node(lvm_vg_t)
-
-# from the subject's point of view, same as read/writing a regular
-# fixed disk, so use the same assertions as above
-neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
-neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
-
-#
 # scsi_generic_device_t is the type of /dev/sg*
 # it gives access to ALL SCSI devices (both fixed and removable)
 #
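Review bot: The header comment just above the changed line still says fixed_disk_device_t is the type of /dev/hd* and /dev/sd* only, but with `type fixed_disk_device_t alias lvm_vg_t;` it now also covers whatever was labelled lvm_vg_t, and the removed "same as read/writing a regular fixed disk" rationale is lost; suggest extending it to `# fixed_disk_device_t is the type of /dev/hd* and /dev/sd*; lvm_vg_t is kept as an alias so LVM volume nodes are treated as fixed disks.` Folding the type into an alias is a conservative outcome for the assertions: the two neverallow rules on fixed_disk_device_t that remain in this hunk now apply to former lvm_vg_t nodes without a separate copy, which is exactly what the deleted pair enforced. The file-contexts side (storage.fc) is not part of this commit; if any entry there still labels nodes lvm_vg_t it remains valid through the alias, but relabelling to the primary type would avoid depending on the alias being retained.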

