Written by: Martin Orr Domain transitions for lvm, udev and dpkg Allow dpkg to run lvm programs in correct domain update-initramfs trigger runs dmsetup Allow lvm to run udevadm Allow dpkg to run udevd in correct domain Aug 13 19:32:54 caligula kernel: type=1400 audit(1218652374.370:4): avc: denied { getattr } for pid=4743 comm="dmsetup" path="/dev/mapper/control" dev=tmpfs ino=1905 scontext=system_u:system_r:dpkg_t:s0tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file Nov 13 22:29:20 caligula kernel: type=1400 audit(1226615349.670:4): avc: denied { execute } for pid=1988 comm="sh" name="udevadm" dev=dm-0 ino=32592 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file Dec 16 21:56:05 caligula kernel: type=1400 audit(1229464565.386:5): avc: denied { create } for pid=3814 comm="udevd" scontext=system_u:system_r:dpkg_t:s0 tcontext=system_u:system_r:dpkg_t:s0 tclass=netlink_kobject_uevent_socket Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig +++ policy/modules/admin/dpkg.te @@ -179,10 +179,18 @@ #') optional_policy(` + lvm_domtrans(dpkg_t) +') + +optional_policy(` nis_use_ypbind(dpkg_t) ') optional_policy(` + udev_domtrans(dpkg_t) +') + +optional_policy(` unconfined_domain(dpkg_t) ') Index: policy/modules/system/lvm.te =================================================================== --- policy/modules/system/lvm.te.orig +++ policy/modules/system/lvm.te @@ -340,6 +340,7 @@ optional_policy(` udev_read_db(lvm_t) + udev_domtrans(lvm_t) ') optional_policy(`
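Review bot: In the policy/modules/admin/dpkg.te hunk (@@ -179,10 +179,18 @@), the two new optional_policy blocks have no comment saying why dpkg_t needs them. The reasons (the update-initramfs trigger runs dmsetup, and udevd ends up running as dpkg_t) appear only in the patch description. A one-line comment above lvm_domtrans(dpkg_t) and above udev_domtrans(dpkg_t) would keep that rationale in the policy source. The description should also state that a full domain transition is intended, since the logged denials are only a getattr on /dev/mapper/control and a create on netlink_kobject_uevent_socket.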
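Review bot: In the policy/modules/system/lvm.te hunk (@@ -340,6 +340,7 @@), udev_domtrans(lvm_t) is added without identifying the caller that needs it. The logged denial has comm="sh" executing udevadm with scontext lvm_t, so a shell script running in lvm_t is involved, but neither the description nor the hunk names that script. Naming it in a comment next to udev_domtrans(lvm_t) would let a later reader check whether the rule is still required.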