From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 13 May 2017 23:15:43 +0200 Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module Message-ID: <1494710143.22209.3.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is the contrib part of the policy needed to support libmtp (an Initiator implementation of the Media Transfer Protocol). Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/libmtp.fc | 3 + policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++ policy/modules/contrib/libmtp.te | 61 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 94 insertions(+)
--- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.fc 2017-05-13 21:37:57.529042530 +0200
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-(.*)? -- gen_context(system_u:object_r:libmtp_exec_t,s0)
--- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
@@ -0,0 +1,30 @@
+## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).
+
+###########################################################
+##
+## Role access for libmtp.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
--- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.te 2017-05-13 23:05:11.151021134 +0200
@@ -0,0 +1,61 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+##
+##
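Review bot: The pattern `/usr/bin/mtp-(.*)?` on the last line of the .fc hunk wraps an already-optional `.*` in an optional group, which is redundant and not the form used elsewhere in refpolicy; `/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)` matches exactly the same set of regular files. Giving `HOME_DIR/\.mtpz-data` its own `libmtp_home_t` type rather than leaving it as generic home content is the right call, since that file presumably holds MTPZ key material and a dedicated type lets the .te rules confine who may read or write it.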
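Review bot: The module summary on the first line of the .if hunk misspells "Initiator" as "Initiatior"; the commit message and the .te file spell it correctly, so `## libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).` keeps the three consistent. The interface's `<summary>` and `<param>` XML wrapper lines appear to have been stripped by the rendering rather than omitted from the patch, so they are not being flagged here. The `ptrace signal_perms` grant from the caller domain to `libmtp_t` follows the pattern of the existing refpolicy role interfaces and does not widen access beyond what that user domain already has, given that `libmtp_home_t` is declared as user home content in the .te.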

+## Determine whether libmtp can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability2 wake_alarm;
+
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:dir manage_dir_perms;
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+locallogin_use_fds(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+userdom_use_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(libmtp_t)
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })
+')
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
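Review bot: In the `tunable_policy` block near the end of the hunk, the filetrans covers `{ dir file lnk_file }` but only the dir and file manage interfaces are called, so `libmtp_t` has no `lnk_file` create permission on user home content and the symlink part of the transition can never fire; either add `userdom_manage_user_home_content_symlinks(libmtp_t)` alongside the other two calls or drop `lnk_file` from the filetrans set. The tunable description at the top of the hunk should say plainly that enabling it grants libmtp full create, write and delete access over all user home content rather than just read access for transfers, since that is the permission set the block actually grants and it is what an administrator is deciding on. `allow libmtp_t self:capability2 wake_alarm;` is a capability grant rather than a file rule; if it was added only to silence an audit message rather than for a verified functional need, a `dontaudit` is the more conservative choice. The remaining USB, sysfs and uevent socket rules are inherent to talking to an MTP device over libusb and look appropriately narrow.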