From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 14 May 2017 00:59:52 +0200 Subject: [refpolicy] [PATCH 2/2] contrib: new libmtp module In-Reply-To: References: <1494710143.22209.3.camel@trentalancia.net> Message-ID: <6416CE35-0F3D-4223-8E8A-A7B704346951@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Ack. I will introduce the Improvements that you suggested as soon as possible, hopefully tomorrow. Thanks for your advice! As for the wake_alarm issue, it is possible that it is related to the bug that you mentioned. Let's drop that for the time being... Regards, Guido Trentalancia On the 14th of May 2017 00:46:21 CEST, "Christian G?ttsche" wrote: >2017-05-13 23:15 GMT+02:00 Guido Trentalancia via refpolicy >: >> This is the contrib part of the policy needed to support libmtp (an >> Initiator implementation of the Media Transfer Protocol). >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/libmtp.fc | 3 + >> policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++ >> policy/modules/contrib/libmtp.te | 61 >+++++++++++++++++++++++++++++++++++++++ >> 3 files changed, 94 insertions(+) >> >> --- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 >+0100 >> +++ b/policy/modules/contrib/libmtp.fc 2017-05-13 21:37:57.529042530 >+0200 >> @@ -0,0 +1,3 @@ >> +HOME_DIR/\.mtpz-data -- >gen_context(system_u:object_r:libmtp_home_t,s0) >> + >> +/usr/bin/mtp-(.*)? -- >gen_context(system_u:object_r:libmtp_exec_t,s0) > >This regex seems a bit odd to me. >Maybe "/usr/bin/mtp-[^/]+" or "/usr/bin/mtp(-.+)?" > >> --- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 >+0100 >> +++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 >+0200 >> @@ -0,0 +1,30 @@ >> +## libmtp: An Initiatior implementation of the Media >Transfer Protocol (MTP). >> + >> +########################################################### >> +## >> +## Role access for libmtp. >> +## >> +## >> +## >> +## Role allowed access. >> +## >> +## >> +## >> +## >> +## User domain for the role. >> +## >> +## >> +# >> +interface(`libmtp_role',` >> + gen_require(` >> + attribute_role libmtp_roles; >> + type libmtp_t, libmtp_exec_t; >> + ') >> + >> + roleattribute $1 libmtp_roles; >> + >> + domtrans_pattern($2, libmtp_exec_t, libmtp_t) >> + >> + allow $2 libmtp_t:process { ptrace signal_perms }; >> + ps_process_pattern($2, libmtp_t) > >admin_process_pattern > >> +') >> --- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 >+0100 >> +++ b/policy/modules/contrib/libmtp.te 2017-05-13 23:05:11.151021134 >+0200 >> @@ -0,0 +1,61 @@ >> +policy_module(libmtp, 1.0.0) >> + >> +############################## >> +# >> +# Declarations >> +# >> + >> +## >> +##

>> +## Determine whether libmtp can >> +## manage the user home directories >> +## and files. >> +##

>> +##
>> +gen_tunable(libmtp_enable_home_dirs, false) >> + >> +attribute_role libmtp_roles; >> + >> +type libmtp_t; >> +type libmtp_exec_t; >> +userdom_user_application_domain(libmtp_t, libmtp_exec_t) >> +role libmtp_roles types libmtp_t; >> + >> +type libmtp_home_t; >> +userdom_user_home_content(libmtp_home_t) >> + >> +############################## >> +# >> +# libmtp local policy >> +# >> + >> +allow libmtp_t self:capability2 wake_alarm; > >curious question: does the application really need this or might this >be related to >https://github.com/SELinuxProject/selinux-kernel/issues/28 > >> + >> +allow libmtp_t self:netlink_kobject_uevent_socket >create_socket_perms; >> +allow libmtp_t self:fifo_file rw_fifo_file_perms; >> + >> +allow libmtp_t libmtp_home_t:dir manage_dir_perms; >> +allow libmtp_t libmtp_home_t:file manage_file_perms; >> +allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms; >> +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, >".mtpz-data") >> + >> +dev_read_sysfs(libmtp_t) >> +dev_rw_generic_usb_dev(libmtp_t) >> + >> +files_read_etc_files(libmtp_t) >> + >> +locallogin_use_fds(libmtp_t) > >for console applications, I am using domain_use_interactive_fds to >include newrole_t and others > >> + >> +miscfiles_read_localization(libmtp_t) >> + >> +userdom_use_user_terminals(libmtp_t) > >userdom_use_inherited_user_terminlas ? > >> + >> +tunable_policy(`libmtp_enable_home_dirs',` >> + userdom_manage_user_home_content_dirs(libmtp_t) >> + userdom_manage_user_home_content_files(libmtp_t) >> + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { >dir file lnk_file }) >> +') >> + >> +optional_policy(` >> + udev_read_pid_files(libmtp_t) >> +')