From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=)
Date: Sun, 14 May 2017 00:46:21 +0200
Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module
In-Reply-To: <1494710143.22209.3.camel@trentalancia.net>
References: <1494710143.22209.3.camel@trentalancia.net>
Message-ID: <CAJ2a_Deyv8rbR_4dEj-DXoNpK9zUHqQG-pGvY2wb5a=ucyh6Yw@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2017-05-13 23:15 GMT+02:00 Guido Trentalancia via refpolicy
<refpolicy@oss.tresys.com>:
> This is the contrib part of the policy needed to support libmtp (an
> Initiator implementation of the Media Transfer Protocol).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/libmtp.fc |    3 +
>  policy/modules/contrib/libmtp.if |   30 +++++++++++++++++++
>  policy/modules/contrib/libmtp.te |   61 +++++++++++++++++++++++++++++++++++++++
>  3 files changed, 94 insertions(+)
>
> --- a/policy/modules/contrib/libmtp.fc  1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.fc  2017-05-13 21:37:57.529042530 +0200
> @@ -0,0 +1,3 @@
> +HOME_DIR/\.mtpz-data   --      gen_context(system_u:object_r:libmtp_home_t,s0)
> +
> +/usr/bin/mtp-(.*)?     --      gen_context(system_u:object_r:libmtp_exec_t,s0)

This regex seems a bit odd to me.
Maybe "/usr/bin/mtp-[^/]+" or "/usr/bin/mtp(-.+)?"

> --- a/policy/modules/contrib/libmtp.if  1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.if  2017-05-13 21:21:58.102046453 +0200
> @@ -0,0 +1,30 @@
> +## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
> +
> +###########################################################
> +## <summary>
> +##     Role access for libmtp.
> +## </summary>
> +## <param name="role">
> +##     <summary>
> +##     Role allowed access.
> +##     </summary>
> +## </param>
> +## <param name="domain">
> +##     <summary>
> +##     User domain for the role.
> +##     </summary>
> +## </param>
> +#
> +interface(`libmtp_role',`
> +       gen_require(`
> +               attribute_role libmtp_roles;
> +               type libmtp_t, libmtp_exec_t;
> +       ')
> +
> +       roleattribute $1 libmtp_roles;
> +
> +       domtrans_pattern($2, libmtp_exec_t, libmtp_t)
> +
> +       allow $2 libmtp_t:process { ptrace signal_perms };
> +       ps_process_pattern($2, libmtp_t)

admin_process_pattern

> +')
> --- a/policy/modules/contrib/libmtp.te  1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.te  2017-05-13 23:05:11.151021134 +0200
> @@ -0,0 +1,61 @@
> +policy_module(libmtp, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +##     <p>
> +##     Determine whether libmtp can
> +##     manage the user home directories
> +##     and files.
> +##     </p>
> +## </desc>
> +gen_tunable(libmtp_enable_home_dirs, false)
> +
> +attribute_role libmtp_roles;
> +
> +type libmtp_t;
> +type libmtp_exec_t;
> +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
> +role libmtp_roles types libmtp_t;
> +
> +type libmtp_home_t;
> +userdom_user_home_content(libmtp_home_t)
> +
> +##############################
> +#
> +# libmtp local policy
> +#
> +
> +allow libmtp_t self:capability2 wake_alarm;

curious question: does the application really need this or might this
be related to https://github.com/SELinuxProject/selinux-kernel/issues/28

> +
> +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow libmtp_t self:fifo_file rw_fifo_file_perms;
> +
> +allow libmtp_t libmtp_home_t:dir manage_dir_perms;
> +allow libmtp_t libmtp_home_t:file manage_file_perms;
> +allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
> +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
> +
> +dev_read_sysfs(libmtp_t)
> +dev_rw_generic_usb_dev(libmtp_t)
> +
> +files_read_etc_files(libmtp_t)
> +
> +locallogin_use_fds(libmtp_t)

for console applications, I am using domain_use_interactive_fds to
include newrole_t and others

> +
> +miscfiles_read_localization(libmtp_t)
> +
> +userdom_use_user_terminals(libmtp_t)

userdom_use_inherited_user_terminlas ?

> +
> +tunable_policy(`libmtp_enable_home_dirs',`
> +       userdom_manage_user_home_content_dirs(libmtp_t)
> +       userdom_manage_user_home_content_files(libmtp_t)
> +       userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })
> +')
> +
> +optional_policy(`
> +       udev_read_pid_files(libmtp_t)
> +')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy