Written by: Martin Orr

Allow LVM to create semaphores: needed for LVM 2.02.64
Allow LVM to request modules: needed for cryptsetup

In the case of using pmount for encrypted volumes, things are more complicated. This results in pmount running cryptsetup, which previously happened with no domain transition. But then cryptsetup creates the semaphore as unconfined_t and dmsetup (run by udev as lvm_t) can't access it. I have let unconfined domain transition to lvm_t to solve this, but this is not ideal. It means that lvm needs to read home files to read the passphrase. This also brought in the fs_getattr_tmpfs - I am not sure why.

The main create semaphore permission was merged upstream in 57835f44 (2011-02-06)

Index: policy/modules/system/lvm.te =================================================================== --- policy/modules/system/lvm.te.orig +++ policy/modules/system/lvm.te @@ -226,6 +226,7 @@ kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) kernel_search_debugfs(lvm_t) +kernel_request_load_module(lvm_t) corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) @@ -264,6 +265,7 @@ fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) +fs_getattr_tmpfs(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) fs_dontaudit_read_removable_files(lvm_t) @@ -357,6 +359,11 @@ ') optional_policy(` + unconfined_read_home_content_files(lvm_t) + unconfined_run_to(lvm_t, lvm_exec_t) +') + +optional_policy(` virt_manage_images(lvm_t) ')
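Review bot: kernel_request_load_module(lvm_t) in the first hunk (@@ -226,6 +226,7 @@) is granted unconditionally and lets lvm_t trigger loading of any kernel module by name, while the description ties the need to cryptsetup only. Record in the description which module loads cryptsetup triggers (or quote the denial), so the grant can be re-checked against later LVM/cryptsetup versions instead of being carried forward unexplained.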
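Review bot: fs_getattr_tmpfs(lvm_t) in the second hunk (@@ -264,6 +265,7 @@) is added without a known cause; the description itself says "I am not sure why". A permission that cannot be explained should be backed by the AVC denial it silences: either quote that denial (source context, target, and the getattr on the tmpfs filesystem) in the description, or re-test with the line removed and drop it if nothing fails, otherwise nobody later can tell whether it is still required.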
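Review bot: in the third hunk (@@ -357,6 +359,11 @@), unconfined_run_to(lvm_t, lvm_exec_t) makes every execution of an lvm_exec_t program by unconfined_t transition into lvm_t, not just the pmount-driven cryptsetup case the description is about, and unconfined_read_home_content_files(lvm_t) then gives that confined domain read access to all user home content merely to reach one passphrase file. The description already calls this "not ideal"; state the wider scope explicitly (interactive runs of these tools by an unconfined user now run confined, so denials there are a likely regression), and if pmount can pass the passphrase on stdin or an inherited file descriptor rather than by path, prefer that so the home-content grant can be dropped.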