2017-05-13 21:15:43

by guido

Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module

This is the contrib part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/libmtp.fc | 3 +
policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
policy/modules/contrib/libmtp.te | 61 +++++++++++++++++++++++++++++++++++++++
3 files changed, 94 insertions(+)

--- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.fc 2017-05-13 21:37:57.529042530 +0200
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-(.*)? -- gen_context(system_u:object_r:libmtp_exec_t,s0)
--- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+## Role access for libmtp.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
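Review bot: The module summary on the first line of the hunk misspells the protocol role, and that string is what the generated interface documentation displays; it should read `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>`. The `libmtp_role` interface also hands the caller domain `ptrace` over libmtp_t without mentioning it in the interface description, so a policy author reading only the `<summary>` blocks does not see that grant. A sentence in the interface summary such as "The role's user domain may transition to, signal and ptrace libmtp_t" would make the effect visible where it is looked up.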
--- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.te 2017-05-13 23:05:11.151021134 +0200
@@ -0,0 +1,61 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether libmtp can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability2 wake_alarm;
+
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:dir manage_dir_perms;
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+locallogin_use_fds(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+userdom_use_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(libmtp_t)
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })
+')
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
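Review bot: `dev_rw_generic_usb_dev(libmtp_t)` gives the domain read/write access to every generic USB device node, not only the MTP responder it is talking to, so a compromised mtp-* tool can drive any attached USB device; the `netlink_kobject_uevent_socket` grant above it presumably serves libusb hotplug enumeration, which is worth confirming. That breadth is the granularity refpolicy offers for libusb-based tools, but it should be a recorded decision rather than an accident, so a comment above the call is warranted: `# libusb access to the MTP device; refpolicy has no narrower USB device type`. If the tools are only ever run against an already-enumerated device, the uevent socket may be droppable, which should be checked against an actual denial rather than assumed.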


2017-05-13 22:46:21

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module

2017-05-13 23:15 GMT+02:00 Guido Trentalancia via refpolicy
<[email protected]>:
> This is the contrib part of the policy needed to support libmtp (an
> Initiator implementation of the Media Transfer Protocol).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/libmtp.fc | 3 +
> policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
> policy/modules/contrib/libmtp.te | 61 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 94 insertions(+)
>
> --- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.fc 2017-05-13 21:37:57.529042530 +0200
> @@ -0,0 +1,3 @@
> +HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
> +
> +/usr/bin/mtp-(.*)? -- gen_context(system_u:object_r:libmtp_exec_t,s0)

This regex seems a bit odd to me.
Maybe "/usr/bin/mtp-[^/]+" or "/usr/bin/mtp(-.+)?"

> --- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
> @@ -0,0 +1,30 @@
> +## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
> +
> +###########################################################
> +## <summary>
> +## Role access for libmtp.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`libmtp_role',`
> + gen_require(`
> + attribute_role libmtp_roles;
> + type libmtp_t, libmtp_exec_t;
> + ')
> +
> + roleattribute $1 libmtp_roles;
> +
> + domtrans_pattern($2, libmtp_exec_t, libmtp_t)
> +
> + allow $2 libmtp_t:process { ptrace signal_perms };
> + ps_process_pattern($2, libmtp_t)

admin_process_pattern

> +')
> --- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.te 2017-05-13 23:05:11.151021134 +0200
> @@ -0,0 +1,61 @@
> +policy_module(libmtp, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether libmtp can
> +## manage the user home directories
> +## and files.
> +## </p>
> +## </desc>
> +gen_tunable(libmtp_enable_home_dirs, false)
> +
> +attribute_role libmtp_roles;
> +
> +type libmtp_t;
> +type libmtp_exec_t;
> +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
> +role libmtp_roles types libmtp_t;
> +
> +type libmtp_home_t;
> +userdom_user_home_content(libmtp_home_t)
> +
> +##############################
> +#
> +# libmtp local policy
> +#
> +
> +allow libmtp_t self:capability2 wake_alarm;

curious question: does the application really need this or might this
be related to https://github.com/SELinuxProject/selinux-kernel/issues/28

> +
> +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow libmtp_t self:fifo_file rw_fifo_file_perms;
> +
> +allow libmtp_t libmtp_home_t:dir manage_dir_perms;
> +allow libmtp_t libmtp_home_t:file manage_file_perms;
> +allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
> +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
> +
> +dev_read_sysfs(libmtp_t)
> +dev_rw_generic_usb_dev(libmtp_t)
> +
> +files_read_etc_files(libmtp_t)
> +
> +locallogin_use_fds(libmtp_t)

for console applications, I am using domain_use_interactive_fds to
include newrole_t and others

> +
> +miscfiles_read_localization(libmtp_t)
> +
> +userdom_use_user_terminals(libmtp_t)

userdom_use_inherited_user_terminals?

> +
> +tunable_policy(`libmtp_enable_home_dirs',`
> + userdom_manage_user_home_content_dirs(libmtp_t)
> + userdom_manage_user_home_content_files(libmtp_t)
> + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })
> +')
> +
> +optional_policy(`
> + udev_read_pid_files(libmtp_t)
> +')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2017-05-13 22:59:52

by guido

Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module

Ack. I will introduce the Improvements that you suggested as soon as possible, hopefully tomorrow. Thanks for your advice!

As for the wake_alarm issue, it is possible that it is related to the bug that you mentioned. Let's drop that for the time being...

Regards,

Guido Trentalancia

On the 14th of May 2017 00:46:21 CEST, "Christian Göttsche" <[email protected]> wrote:
>2017-05-13 23:15 GMT+02:00 Guido Trentalancia via refpolicy
><[email protected]>:
>> This is the contrib part of the policy needed to support libmtp (an
>> Initiator implementation of the Media Transfer Protocol).
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/libmtp.fc | 3 +
>> policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
>> policy/modules/contrib/libmtp.te | 61
>+++++++++++++++++++++++++++++++++++++++
>> 3 files changed, 94 insertions(+)
>>
>> --- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000
>+0100
>> +++ b/policy/modules/contrib/libmtp.fc 2017-05-13 21:37:57.529042530
>+0200
>> @@ -0,0 +1,3 @@
>> +HOME_DIR/\.mtpz-data --
>gen_context(system_u:object_r:libmtp_home_t,s0)
>> +
>> +/usr/bin/mtp-(.*)? --
>gen_context(system_u:object_r:libmtp_exec_t,s0)
>
>This regex seems a bit odd to me.
>Maybe "/usr/bin/mtp-[^/]+" or "/usr/bin/mtp(-.+)?"
>
>> --- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000
>+0100
>> +++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453
>+0200
>> @@ -0,0 +1,30 @@
>> +## <summary>libmtp: An Initiatior implementation of the Media
>Transfer Protocol (MTP).</summary>
>> +
>> +###########################################################
>> +## <summary>
>> +## Role access for libmtp.
>> +## </summary>
>> +## <param name="role">
>> +## <summary>
>> +## Role allowed access.
>> +## </summary>
>> +## </param>
>> +## <param name="domain">
>> +## <summary>
>> +## User domain for the role.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`libmtp_role',`
>> + gen_require(`
>> + attribute_role libmtp_roles;
>> + type libmtp_t, libmtp_exec_t;
>> + ')
>> +
>> + roleattribute $1 libmtp_roles;
>> +
>> + domtrans_pattern($2, libmtp_exec_t, libmtp_t)
>> +
>> + allow $2 libmtp_t:process { ptrace signal_perms };
>> + ps_process_pattern($2, libmtp_t)
>
>admin_process_pattern
>
>> +')
>> --- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000
>+0100
>> +++ b/policy/modules/contrib/libmtp.te 2017-05-13 23:05:11.151021134
>+0200
>> @@ -0,0 +1,61 @@
>> +policy_module(libmtp, 1.0.0)
>> +
>> +##############################
>> +#
>> +# Declarations
>> +#
>> +
>> +## <desc>
>> +## <p>
>> +## Determine whether libmtp can
>> +## manage the user home directories
>> +## and files.
>> +## </p>
>> +## </desc>
>> +gen_tunable(libmtp_enable_home_dirs, false)
>> +
>> +attribute_role libmtp_roles;
>> +
>> +type libmtp_t;
>> +type libmtp_exec_t;
>> +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
>> +role libmtp_roles types libmtp_t;
>> +
>> +type libmtp_home_t;
>> +userdom_user_home_content(libmtp_home_t)
>> +
>> +##############################
>> +#
>> +# libmtp local policy
>> +#
>> +
>> +allow libmtp_t self:capability2 wake_alarm;
>
>curious question: does the application really need this or might this
>be related to
>https://github.com/SELinuxProject/selinux-kernel/issues/28
>
>> +
>> +allow libmtp_t self:netlink_kobject_uevent_socket
>create_socket_perms;
>> +allow libmtp_t self:fifo_file rw_fifo_file_perms;
>> +
>> +allow libmtp_t libmtp_home_t:dir manage_dir_perms;
>> +allow libmtp_t libmtp_home_t:file manage_file_perms;
>> +allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
>> +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file,
>".mtpz-data")
>> +
>> +dev_read_sysfs(libmtp_t)
>> +dev_rw_generic_usb_dev(libmtp_t)
>> +
>> +files_read_etc_files(libmtp_t)
>> +
>> +locallogin_use_fds(libmtp_t)
>
>for console applications, I am using domain_use_interactive_fds to
>include newrole_t and others
>
>> +
>> +miscfiles_read_localization(libmtp_t)
>> +
>> +userdom_use_user_terminals(libmtp_t)
>
>userdom_use_inherited_user_terminlas ?
>
>> +
>> +tunable_policy(`libmtp_enable_home_dirs',`
>> + userdom_manage_user_home_content_dirs(libmtp_t)
>> + userdom_manage_user_home_content_files(libmtp_t)
>> + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, {
>dir file lnk_file })
>> +')
>> +
>> +optional_policy(`
>> + udev_read_pid_files(libmtp_t)
>> +')

2017-05-14 10:53:26

by Dac Override

Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module

On Sun, May 14, 2017 at 12:46:21AM +0200, Christian Göttsche via refpolicy wrote:
> 2017-05-13 23:15 GMT+02:00 Guido Trentalancia via refpolicy
> <[email protected]>:
> > This is the contrib part of the policy needed to support libmtp (an
> > Initiator implementation of the Media Transfer Protocol).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/libmtp.fc | 3 +
> > policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
> > policy/modules/contrib/libmtp.te | 61 +++++++++++++++++++++++++++++++++++++++
> > 3 files changed, 94 insertions(+)
> >
> > --- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/libmtp.fc 2017-05-13 21:37:57.529042530 +0200
> > @@ -0,0 +1,3 @@
> > +HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
> > +
> > +/usr/bin/mtp-(.*)? -- gen_context(system_u:object_r:libmtp_exec_t,s0)
>
> This regex seems a bit odd to me.
> Maybe "/usr/bin/mtp-[^/]+" or "/usr/bin/mtp(-.+)?"
>
> > --- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
> > @@ -0,0 +1,30 @@
> > +## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
> > +
> > +###########################################################
> > +## <summary>
> > +## Role access for libmtp.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`libmtp_role',`
> > + gen_require(`
> > + attribute_role libmtp_roles;
> > + type libmtp_t, libmtp_exec_t;
> > + ')
> > +
> > + roleattribute $1 libmtp_roles;
> > +
> > + domtrans_pattern($2, libmtp_exec_t, libmtp_t)
> > +
> > + allow $2 libmtp_t:process { ptrace signal_perms };
> > + ps_process_pattern($2, libmtp_t)
>
> admin_process_pattern
>
> > +')
> > --- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/libmtp.te 2017-05-13 23:05:11.151021134 +0200
> > @@ -0,0 +1,61 @@
> > +policy_module(libmtp, 1.0.0)
> > +
> > +##############################
> > +#
> > +# Declarations
> > +#
> > +
> > +## <desc>
> > +## <p>
> > +## Determine whether libmtp can
> > +## manage the user home directories
> > +## and files.
> > +## </p>
> > +## </desc>
> > +gen_tunable(libmtp_enable_home_dirs, false)
> > +
> > +attribute_role libmtp_roles;
> > +
> > +type libmtp_t;
> > +type libmtp_exec_t;
> > +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
> > +role libmtp_roles types libmtp_t;
> > +
> > +type libmtp_home_t;
> > +userdom_user_home_content(libmtp_home_t)
> > +
> > +##############################
> > +#
> > +# libmtp local policy
> > +#
> > +
> > +allow libmtp_t self:capability2 wake_alarm;
>
> curious question: does the application really need this or might this
> be related to https://github.com/SELinuxProject/selinux-kernel/issues/28
>
> > +
> > +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
> > +allow libmtp_t self:fifo_file rw_fifo_file_perms;
> > +
> > +allow libmtp_t libmtp_home_t:dir manage_dir_perms;
> > +allow libmtp_t libmtp_home_t:file manage_file_perms;
> > +allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
> > +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")

everything indicates that it only creates a file , so why permit it to create dirs and lnk files as well?

> > +
> > +dev_read_sysfs(libmtp_t)
> > +dev_rw_generic_usb_dev(libmtp_t)
> > +
> > +files_read_etc_files(libmtp_t)
> > +
> > +locallogin_use_fds(libmtp_t)
>
> for console applications, I am using domain_use_interactive_fds to
> include newrole_t and others
>
> > +
> > +miscfiles_read_localization(libmtp_t)
> > +
> > +userdom_use_user_terminals(libmtp_t)
>
> userdom_use_inherited_user_terminlas ?
>
> > +
> > +tunable_policy(`libmtp_enable_home_dirs',`
> > + userdom_manage_user_home_content_dirs(libmtp_t)
> > + userdom_manage_user_home_content_files(libmtp_t)
> > + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })

here youre specifying a type transition for a link file but libmtp_t is not allowed to create user home content lnk files

> > +')
> > +
> > +optional_policy(`
> > + udev_read_pid_files(libmtp_t)
> > +')
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-14 11:54:20

by guido

Subject: [refpolicy] [PATCH v2 2/2] contrib: new libmtp module

This is the contrib part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

This is the second revised version of the patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/libmtp.fc | 3 +
policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
policy/modules/contrib/libmtp.te | 59 +++++++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)

--- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.fc 2017-05-14 13:29:40.789242411 +0200
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
--- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+## Role access for libmtp.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
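Review bot: This .if hunk is byte-identical to the v1 version (the file header carries the same timestamp, `2017-05-13 21:21:58`), so the acknowledged v1 review did not reach this file: the role interface still pairs `ps_process_pattern` with a separate `ptrace`/`signal_perms` grant, and the summary line still reads `Initiatior`. The cover letter says this is a revised patch, so either note that the .if was intentionally left unchanged or fold the revision in. At minimum the first line should read `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>`, since that text is what the generated interface documentation shows.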
--- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.te 2017-05-14 13:46:35.961238261 +0200
@@ -0,0 +1,59 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether libmtp can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
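Review bot: The tunable description no longer matches what the tunable grants: the `<desc>` block says libmtp may "manage the user home directories and files", but the `tunable_policy` body now only calls `userdom_manage_user_home_content_files` and a `file` type transition, with no directory permissions at all. The text should be narrowed to `## Determine whether libmtp can manage user home content files.` so that boolean listings describe the real effect of enabling it. Separately, `allow libmtp_t self:capability sys_tty_config;` is an unusual grant for an MTP command-line tool; if it was added to silence an audit denial from a terminal ioctl probe rather than a functional need, a `dontaudit` is the usual treatment, which is worth confirming against the denial before merging.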

2017-05-17 22:28:26

by guido

Subject: [refpolicy] [PATCH v2 2/2] contrib: new libmtp module

Hello Christopher,

do you have any feedback on this two-part patch introducing support for libmtp?

Regards,

Guido

On the 14th of May 2017 13:54:20 CEST, Guido Trentalancia via refpolicy <[email protected]> wrote:
>This is the contrib part of the policy needed to support libmtp (an
>Initiator implementation of the Media Transfer Protocol).
>
>This is the second revised version of the patch.
>
>Signed-off-by: Guido Trentalancia <[email protected]>
>---
> policy/modules/contrib/libmtp.fc | 3 +
> policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
>policy/modules/contrib/libmtp.te | 59
>+++++++++++++++++++++++++++++++++++++++
> 3 files changed, 92 insertions(+)
>
>--- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000
>+0100
>+++ b/policy/modules/contrib/libmtp.fc 2017-05-14 13:29:40.789242411
>+0200
>@@ -0,0 +1,3 @@
>+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
>+
>+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
>--- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000
>+0100
>+++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453
>+0200
>@@ -0,0 +1,30 @@
>+## <summary>libmtp: An Initiatior implementation of the Media Transfer
>Protocol (MTP).</summary>
>+
>+###########################################################
>+## <summary>
>+## Role access for libmtp.
>+## </summary>
>+## <param name="role">
>+## <summary>
>+## Role allowed access.
>+## </summary>
>+## </param>
>+## <param name="domain">
>+## <summary>
>+## User domain for the role.
>+## </summary>
>+## </param>
>+#
>+interface(`libmtp_role',`
>+ gen_require(`
>+ attribute_role libmtp_roles;
>+ type libmtp_t, libmtp_exec_t;
>+ ')
>+
>+ roleattribute $1 libmtp_roles;
>+
>+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
>+
>+ allow $2 libmtp_t:process { ptrace signal_perms };
>+ ps_process_pattern($2, libmtp_t)
>+')
>--- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000
>+0100
>+++ b/policy/modules/contrib/libmtp.te 2017-05-14 13:46:35.961238261
>+0200
>@@ -0,0 +1,59 @@
>+policy_module(libmtp, 1.0.0)
>+
>+##############################
>+#
>+# Declarations
>+#
>+
>+## <desc>
>+## <p>
>+## Determine whether libmtp can
>+## manage the user home directories
>+## and files.
>+## </p>
>+## </desc>
>+gen_tunable(libmtp_enable_home_dirs, false)
>+
>+attribute_role libmtp_roles;
>+
>+type libmtp_t;
>+type libmtp_exec_t;
>+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
>+role libmtp_roles types libmtp_t;
>+
>+type libmtp_home_t;
>+userdom_user_home_content(libmtp_home_t)
>+
>+##############################
>+#
>+# libmtp local policy
>+#
>+
>+allow libmtp_t self:capability sys_tty_config;
>+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
>+allow libmtp_t self:fifo_file rw_fifo_file_perms;
>+
>+allow libmtp_t libmtp_home_t:file manage_file_perms;
>+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file,
>".mtpz-data")
>+
>+dev_read_sysfs(libmtp_t)
>+dev_rw_generic_usb_dev(libmtp_t)
>+
>+domain_use_interactive_fds(libmtp_t)
>+
>+files_read_etc_files(libmtp_t)
>+
>+miscfiles_read_localization(libmtp_t)
>+
>+term_use_unallocated_ttys(libmtp_t)
>+
>+userdom_use_inherited_user_terminals(libmtp_t)
>+
>+tunable_policy(`libmtp_enable_home_dirs',`
>+ userdom_manage_user_home_content_files(libmtp_t)
>+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
>+')
>+
>+optional_policy(`
>+ udev_read_pid_files(libmtp_t)
>+')
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

2017-05-23 00:21:42

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 2/2] contrib: new libmtp module

On 05/14/2017 07:54 AM, Guido Trentalancia via refpolicy wrote:
> This is the contrib part of the policy needed to support libmtp (an
> Initiator implementation of the Media Transfer Protocol).
>
> This is the second revised version of the patch.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/libmtp.fc | 3 +
> policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
> policy/modules/contrib/libmtp.te | 59 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 92 insertions(+)
>
> --- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.fc 2017-05-14 13:29:40.789242411 +0200
> @@ -0,0 +1,3 @@
> +HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
> +
> +/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
> --- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
> @@ -0,0 +1,30 @@
> +## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
> +
> +###########################################################
> +## <summary>
> +## Role access for libmtp.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`libmtp_role',`
> + gen_require(`
> + attribute_role libmtp_roles;
> + type libmtp_t, libmtp_exec_t;
> + ')
> +
> + roleattribute $1 libmtp_roles;
> +
> + domtrans_pattern($2, libmtp_exec_t, libmtp_t)
> +
> + allow $2 libmtp_t:process { ptrace signal_perms };
> + ps_process_pattern($2, libmtp_t)
> +')
> --- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.te 2017-05-14 13:46:35.961238261 +0200
> @@ -0,0 +1,59 @@
> +policy_module(libmtp, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether libmtp can
> +## manage the user home directories
> +## and files.
> +## </p>
> +## </desc>
> +gen_tunable(libmtp_enable_home_dirs, false)
> +
> +attribute_role libmtp_roles;
> +
> +type libmtp_t;
> +type libmtp_exec_t;
> +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
> +role libmtp_roles types libmtp_t;
> +
> +type libmtp_home_t;
> +userdom_user_home_content(libmtp_home_t)
> +
> +##############################
> +#
> +# libmtp local policy
> +#
> +
> +allow libmtp_t self:capability sys_tty_config;
> +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow libmtp_t self:fifo_file rw_fifo_file_perms;
> +
> +allow libmtp_t libmtp_home_t:file manage_file_perms;
> +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
> +
> +dev_read_sysfs(libmtp_t)
> +dev_rw_generic_usb_dev(libmtp_t)
> +
> +domain_use_interactive_fds(libmtp_t)
> +
> +files_read_etc_files(libmtp_t)
> +
> +miscfiles_read_localization(libmtp_t)
> +
> +term_use_unallocated_ttys(libmtp_t)
> +
> +userdom_use_inherited_user_terminals(libmtp_t)
> +
> +tunable_policy(`libmtp_enable_home_dirs',`
> + userdom_manage_user_home_content_files(libmtp_t)
> + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
> +')
> +
> +optional_policy(`
> + udev_read_pid_files(libmtp_t)
> +')

Merged.

--
Chris PeBenito