diff --git a/Changelog b/Changelog
index 3fae5336..fef189c0 100644
--- a/Changelog
+++ b/Changelog
@@ -13,6 +13,7 @@
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
- Added modules:
+ certmaster (Dan Walsh)
git (Dan Walsh)
guest (Dan Walsh)
ifplugd (Dan Walsh)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 205b5f4f..aa2e9dd8 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.5)
+policy_module(corenetwork, 1.11.6)
########################################
#
@@ -79,6 +79,7 @@ network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+network_port(certmaster, tcp,51235,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -145,6 +146,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tc
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc
new file mode 100644
index 00000000..914a1841
--- /dev/null
+++ b/policy/modules/services/certmaster.fc
@@ -0,0 +1,7 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
new file mode 100644
index 00000000..5198bc81
--- /dev/null
+++ b/policy/modules/services/certmaster.if
@@ -0,0 +1,126 @@
+## Certmaster SSL certificate distribution service
+
+########################################
+##
+## Execute a domain transition to run certmaster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+#######################################
+##
+## read certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Append to certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_cert_dirs($1)
+ miscfiles_manage_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
new file mode 100644
index 00000000..d72a9979
--- /dev/null
+++ b/policy/modules/services/certmaster.te
@@ -0,0 +1,72 @@
+
+policy_module(certmaster, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_cert_dirs(certmaster_t)
+miscfiles_manage_cert_files(certmaster_t)
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 6123df50..4b567dfe 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -10,6 +10,8 @@
#
# /usr
#
+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 0ca54a8b..51556e93 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -140,6 +140,63 @@ interface(`mysql_manage_db_dirs',`
allow $1 mysqld_db_t:dir manage_dir_perms;
')
+#######################################
+##
+## Append to the MySQL database directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_append_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+##
+## Read and write to the MySQL database directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_rw_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete MySQL database files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_manage_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
########################################
##
## Read and write to the MySQL database
@@ -180,6 +237,25 @@ interface(`mysql_write_log',`
allow $1 mysqld_log_t:file { write_file_perms setattr };
')
+#####################################
+##
+## Search MySQL PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mysql_search_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
########################################
##
## All of the rules required to administrate an mysql environment
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 86fe1b7f..6180428d 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql, 1.10.3)
+policy_module(mysql, 1.10.4)
########################################
#
@@ -10,6 +10,10 @@ type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t, mysqld_exec_t)
+type mysqld_safe_t;
+type mysqld_safe_exec_t;
+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
@@ -121,3 +125,34 @@ optional_policy(`
optional_policy(`
udev_read_db(mysqld_t)
')
+
+#######################################
+#
+# Local mysqld_safe policy
+#
+
+allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+kernel_read_system_state(mysqld_safe_t)
+
+dev_list_sysfs(mysqld_safe_t)
+
+files_read_etc_files(mysqld_safe_t)
+files_read_usr_files(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+
+hostname_exec(mysqld_safe_t)
+
+miscfiles_read_localization(mysqld_safe_t)
+
+mysql_append_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
index 80e894b5..98c7728e 100644
--- a/policy/modules/services/squid.fc
+++ b/policy/modules/services/squid.fc
@@ -8,5 +8,7 @@
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
\ No newline at end of file
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index e7ea6069..0ae57d73 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -19,6 +19,24 @@ interface(`squid_domtrans',`
domtrans_pattern($1, squid_exec_t, squid_t)
')
+########################################
+##
+## Execute squid
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`squid_exec',`
+ gen_require(`
+ type squid_exec_t;
+ ')
+
+ can_exec($1, squid_exec_t)
+')
+
########################################
##
## Send generic signals to squid.
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 6ce86fd6..f6df97ee 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid, 1.8.2)
+policy_module(squid, 1.8.3)
########################################
#
@@ -118,6 +118,7 @@ dev_read_urand(squid_t)
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
+fs_list_inotifyfs(squid_t)
selinux_dontaudit_getattr_dir(squid_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 6e720f78..cd2af5c0 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor, 1.5.2)
+policy_module(tor, 1.5.3)
########################################
#
@@ -34,7 +34,7 @@ files_pid_file(tor_var_run_t)
# tor local policy
#
-allow tor_t self:capability { setgid setuid };
+allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 0048738c..879bb1e8 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -55,6 +55,7 @@ ifdef(`distro_gentoo',`
/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -94,6 +95,7 @@ ifdef(`distro_gentoo',`
# /var
#
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
-/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 8983ba68..bbe2c042 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm, 1.10.2)
+policy_module(lvm, 1.10.3)
########################################
#
@@ -44,9 +44,9 @@ files_tmp_file(lvm_tmp_t)
# Cluster LVM daemon local policy
#
-allow clvmd_t self:capability { sys_admin mknod };
+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process signal_perms;
+allow clvmd_t self:process { signal_perms setsched };
dontaudit clvmd_t self:process ptrace;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file rw_fifo_file_perms;
@@ -85,10 +85,15 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
corenet_sendrecv_generic_server_packets(clvmd_t)
dev_read_sysfs(clvmd_t)
+dev_manage_generic_symlinks(clvmd_t)
+dev_relabel_generic_dev_dirs(clvmd_t)
+dev_manage_generic_blk_files(clvmd_t)
dev_manage_generic_chr_files(clvmd_t)
dev_rw_lvm_control(clvmd_t)
dev_dontaudit_getattr_all_blk_files(clvmd_t)
dev_dontaudit_getattr_all_chr_files(clvmd_t)
+dev_create_generic_dirs(clvmd_t)
+dev_delete_generic_dirs(clvmd_t)
files_read_etc_files(clvmd_t)
files_list_usr(clvmd_t)
@@ -99,19 +104,26 @@ fs_dontaudit_list_tmpfs(clvmd_t)
fs_dontaudit_read_removable_files(clvmd_t)
storage_dontaudit_getattr_removable_dev(clvmd_t)
+storage_manage_fixed_disk(clvmd_t)
+storage_dev_filetrans_fixed_disk(clvmd_t)
+storage_relabel_fixed_disk(clvmd_t)
+storage_raw_read_fixed_disk(clvmd_t)
domain_use_interactive_fds(clvmd_t)
-storage_raw_read_fixed_disk(clvmd_t)
-
auth_use_nsswitch(clvmd_t)
+init_dontaudit_getattr_initctl(clvmd_t)
+
logging_send_syslog_msg(clvmd_t)
miscfiles_read_localization(clvmd_t)
seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
+seutil_read_config(clvmd_t)
+seutil_read_file_contexts(clvmd_t)
+seutil_search_default_contexts(clvmd_t)
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_user_home_dirs(clvmd_t)
@@ -119,6 +131,12 @@ userdom_dontaudit_search_user_home_dirs(clvmd_t)
lvm_domtrans(clvmd_t)
lvm_read_config(clvmd_t)
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(clvmd_t)
+ ')
+')
+
optional_policy(`
ccs_stream_connect(clvmd_t)
')
@@ -143,17 +161,19 @@ optional_policy(`
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+# net_admin for multipath
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms;
-allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:fifo_file rw_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow lvm_t clvmd_t:unix_stream_socket connectto;
+allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
@@ -185,6 +205,7 @@ read_lnk_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t)
manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
files_etc_filetrans(lvm_t,lvm_metadata_t,file)
+files_search_mnt(lvm_t)
kernel_read_system_state(lvm_t)
kernel_read_kernel_sysctls(lvm_t)
@@ -192,6 +213,7 @@ kernel_read_kernel_sysctls(lvm_t)
kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
+kernel_use_fds(lvm_t)
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
@@ -244,7 +266,9 @@ corecmd_exec_bin(lvm_t)
corecmd_exec_shell(lvm_t)
domain_use_interactive_fds(lvm_t)
+domain_read_all_domains_state(lvm_t)
+files_read_usr_files(lvm_t)
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
@@ -268,6 +292,10 @@ userdom_use_user_terminals(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
+
+ optional_policy(`
+ unconfined_domain(lvm_t)
+ ')
')
optional_policy(`
@@ -282,6 +310,25 @@ optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
+optional_policy(`
+ dbus_system_bus_client(lvm_t)
+
+ hal_dbus_chat(lvm_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(lvm_t)
+')
+
+optional_policy(`
+ rpm_manage_script_tmp_files(lvm_t)
+')
+
optional_policy(`
udev_read_db(lvm_t)
')
+
+optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')