[selinux-policy: 1190/3172] remove lvm_vg_t
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:47:49 UTC 2010
commit 017bab0575eb5df69478c2c77d7b9064686896e2
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 3 16:21:06 2006 +0000
remove lvm_vg_t
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/storage.if | 48 +--------------------------
refpolicy/policy/modules/kernel/storage.te | 13 +-------
3 files changed, 4 insertions(+), 58 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 4fca63c..35ef9b1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Remove unused lvm_vg_t.
- Many interface renames to improve naming consistency.
- Merge xdm into xserver.
- Remove kernel module reversed interfaces.
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 395cd8f..2fd6bf0 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -244,50 +244,6 @@ interface(`storage_swapon_fixed_disk',`
########################################
## <summary>
-## Allow the caller to directly read from a logical volume.
-## This is extremly dangerous as it can bypass the
-## SELinux protections for filesystem objects, and
-## should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`storage_raw_read_lvm_volume',`
- gen_require(`
- attribute fixed_disk_raw_read;
- type lvm_vg_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 lvm_vg_t:blk_file r_file_perms;
- typeattribute $1 fixed_disk_raw_read;
-')
-
-########################################
-## <summary>
-## Allow the caller to directly read from a logical volume.
-## This is extremly dangerous as it can bypass the
-## SELinux protections for filesystem objects, and
-## should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`storage_raw_write_lvm_volume',`
- gen_require(`
- attribute fixed_disk_raw_write;
- type lvm_vg_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 lvm_vg_t:blk_file { getattr write ioctl };
- typeattribute $1 fixed_disk_raw_write;
-')
-
-########################################
-## <summary>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </summary>
@@ -648,12 +604,12 @@ interface(`storage_setattr_tape_dev',`
interface(`storage_unconfined',`
gen_require(`
type fixed_disk_device_t, removable_device_t;
- type lvm_vg_t, scsi_generic_device_t, tape_device_t;
+ type scsi_generic_device_t, tape_device_t;
attribute fixed_disk_raw_read, fixed_disk_raw_write;
attribute scsi_generic_read, scsi_generic_write;
')
- allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;
+ allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
index 0f1b9e1..f4bf61d 100644
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -15,24 +15,13 @@ attribute scsi_generic_write;
# fixed_disk_device_t is the type of
# /dev/hd* and /dev/sd*.
#
-type fixed_disk_device_t;
+type fixed_disk_device_t alias lvm_vg_t;
dev_node(fixed_disk_device_t)
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
#
-# lvm_vg_t is the type of logical volume groups
-#
-type lvm_vg_t;
-dev_node(lvm_vg_t)
-
-# from the subject's point of view, same as read/writing a regular
-# fixed disk, so use the same assertions as above
-neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
-neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
-
-#
# scsi_generic_device_t is the type of /dev/sg*
# it gives access to ALL SCSI devices (both fixed and removable)
#
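Review bot: The alias on `type fixed_disk_device_t alias lvm_vg_t;` keeps the old type name resolvable, but the header comment above it still describes only /dev/hd* and /dev/sd*, and the Changelog entry in this commit calls lvm_vg_t removed rather than aliased, so a reader of storage.te has no indication why the alias exists or whether it may be dropped later. Suggest extending that comment with `# lvm_vg_t is kept as an alias so existing policy and labels that still reference the old type resolve to fixed_disk_device_t; logical volumes are treated as fixed disks.` The neverallow assertions on the following two lines presumably cover the alias as well, since an alias names the same type, so the raw read/write restriction that was asserted separately on lvm_vg_t appears to be preserved. Whether any file_contexts entry still labels LVM device nodes with lvm_vg_t is not visible in this hunk.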