From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 14 May 2017 13:54:20 +0200
Subject: [refpolicy] [PATCH v2 2/2] contrib: new libmtp module
In-Reply-To: <1494710143.22209.3.camel@trentalancia.net>
References: <1494710143.22209.3.camel@trentalancia.net>
Message-ID: <1494762860.4495.0.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This is the contrib part of the policy needed to support libmtp (an Initiator implementation of the Media Transfer Protocol).

This is the second revised version of the patch.

Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/libmtp.fc | 3 +
policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
policy/modules/contrib/libmtp.te | 59 +++++++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
--- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.fc 2017-05-14 13:29:40.789242411 +0200
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
--- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
@@ -0,0 +1,30 @@
+## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).
+
+###########################################################
+##
+## Role access for libmtp.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
--- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.te 2017-05-14 13:46:35.961238261 +0200
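Review bot: The module summary line `+## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).` misspells "Initiator"; the commit description spells it correctly, so the line should read `## libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).`. This summary is the user-facing description of the module in the interface file, so it is worth correcting before the module is merged.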
@@ -0,0 +1,59 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+##
+##

+## Determine whether libmtp can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
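Review bot: `allow libmtp_t self:capability sys_tty_config;` together with `term_use_unallocated_ttys(libmtp_t)` lets a user application domain reconfigure and hang up terminals, which an MTP initiator has no evident need for and which widens what a compromised mtp-* tool could do to the user's session. If these rules were added to silence AVC denials from terminal ioctls, the conventional refpolicy answer is `dontaudit libmtp_t self:capability sys_tty_config;` and dropping the unallocated-tty interface, keeping only `userdom_use_inherited_user_terminals(libmtp_t)`. Separately, the tunable description promises management of "home directories and files" while the tunable_policy block only calls `userdom_manage_user_home_content_files`, so either the description should say files only or the matching directory interface is missing; the `file )` argument on the filetrans call also carries a stray space before the closing parenthesis.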