From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 18 May 2017 00:28:26 +0200 Subject: [refpolicy] [PATCH v2 2/2] contrib: new libmtp module In-Reply-To: <1494762860.4495.0.camel@trentalancia.net> References: <1494710143.22209.3.camel@trentalancia.net> <1494762860.4495.0.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Christopher, do you have any feedback on this 2 parts patch to introduce support for libmtp? Regards, Guido On the 14th of May 2017 13:54:20 CEST, Guido Trentalancia via refpolicy wrote: >This is the contrib part of the policy needed to support libmtp (an >Initiator implementation of the Media Transfer Protocol). > >This is the second revised version of the patch. > >Signed-off-by: Guido Trentalancia >--- > policy/modules/contrib/libmtp.fc | 3 + > policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++ >policy/modules/contrib/libmtp.te | 59 >+++++++++++++++++++++++++++++++++++++++ > 3 files changed, 92 insertions(+) > >--- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 >+0100 >+++ b/policy/modules/contrib/libmtp.fc 2017-05-14 13:29:40.789242411 >+0200 >@@ -0,0 +1,3 @@ >+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0) >+ >+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0) >--- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 >+0100 >+++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 >+0200 
>@@ -0,0 +1,30 @@ >+## libmtp: An Initiatior implementation of the Media Transfer >Protocol (MTP). >+ >+########################################################### >+## >+## Role access for libmtp. >+## >+## >+## >+## Role allowed access. >+## >+## >+## >+## >+## User domain for the role. >+## >+## >+# >+interface(`libmtp_role',` >+ gen_require(` >+ attribute_role libmtp_roles; >+ type libmtp_t, libmtp_exec_t; >+ ') >+ >+ roleattribute $1 libmtp_roles; >+ >+ domtrans_pattern($2, libmtp_exec_t, libmtp_t) >+ >+ allow $2 libmtp_t:process { ptrace signal_perms }; >+ ps_process_pattern($2, libmtp_t) >+') >--- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 >+0100 >+++ b/policy/modules/contrib/libmtp.te 2017-05-14 13:46:35.961238261 >+0200 >@@ -0,0 +1,59 @@ >+policy_module(libmtp, 1.0.0) >+ >+############################## >+# >+# Declarations >+# >+ >+## >+##

>+## Determine whether libmtp can >+## manage the user home directories >+## and files. >+##

>+##
>+gen_tunable(libmtp_enable_home_dirs, false) >+ >+attribute_role libmtp_roles; >+ >+type libmtp_t; >+type libmtp_exec_t; >+userdom_user_application_domain(libmtp_t, libmtp_exec_t) >+role libmtp_roles types libmtp_t; >+ >+type libmtp_home_t; >+userdom_user_home_content(libmtp_home_t) >+ >+############################## >+# >+# libmtp local policy >+# >+ >+allow libmtp_t self:capability sys_tty_config; >+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms; >+allow libmtp_t self:fifo_file rw_fifo_file_perms; >+ >+allow libmtp_t libmtp_home_t:file manage_file_perms; >+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, >".mtpz-data") >+ >+dev_read_sysfs(libmtp_t) >+dev_rw_generic_usb_dev(libmtp_t) >+ >+domain_use_interactive_fds(libmtp_t) >+ >+files_read_etc_files(libmtp_t) >+ >+miscfiles_read_localization(libmtp_t) >+ >+term_use_unallocated_ttys(libmtp_t) >+ >+userdom_use_inherited_user_terminals(libmtp_t) >+ >+tunable_policy(`libmtp_enable_home_dirs',` >+ userdom_manage_user_home_content_files(libmtp_t) >+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file ) >+') >+ >+optional_policy(` >+ udev_read_pid_files(libmtp_t) >+') >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
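Review bot: in the libmtp.if hunk, `ptrace` in `allow $2 libmtp_t:process { ptrace signal_perms };` is broader than the role needs to run, signal and list the MTP tools; unless debugging `mtp-*` binaries from the user domain is a requirement, `allow $2 libmtp_t:process signal_perms;` together with the existing `ps_process_pattern($2, libmtp_t)` is sufficient and keeps the role interface to least privilege. Also, `Initiatior` in the module summary line is misspelled (`Initiator`).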
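Review bot: in the libmtp.te hunk, `allow libmtp_t self:capability sys_tty_config;` is unexpected for a USB file-transfer tool; this capability is typically requested by a spurious tty ioctl and in refpolicy it is normally silenced with `dontaudit libmtp_t self:capability sys_tty_config;` rather than granted, so please confirm with the actual denial that the mtp-* tools fail without it, and if they do, say which operation needs it in the commit message. Separately, the tunable description says libmtp can manage user home "directories and files", but the `tunable_policy` block only grants `userdom_manage_user_home_content_files(libmtp_t)` and a `file` transition: either add `userdom_manage_user_home_content_dirs(libmtp_t)` with a matching `dir` transition, or narrow the description to files. Minor style point: stray space in `file )` in `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )`.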