From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 May 2017 20:21:42 -0400
Subject: [refpolicy] [PATCH v2 2/2] contrib: new libmtp module
In-Reply-To: <1494762860.4495.0.camel@trentalancia.net>
References: <1494710143.22209.3.camel@trentalancia.net> <1494762860.4495.0.camel@trentalancia.net>
Message-ID: <38c01fa9-16d3-62f9-5334-0a4e79edfc67@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 05/14/2017 07:54 AM, Guido Trentalancia via refpolicy wrote:
> This is the contrib part of the policy needed to support libmtp (an
> Initiator implementation of the Media Transfer Protocol).
>
> This is the second revised version of the patch.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/libmtp.fc | 3 +
> policy/modules/contrib/libmtp.if | 30 +++++++++++++++++++
> policy/modules/contrib/libmtp.te | 59 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 92 insertions(+)
>
> --- a/policy/modules/contrib/libmtp.fc 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.fc 2017-05-14 13:29:40.789242411 +0200
> @@ -0,0 +1,3 @@
> +HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
> +
> +/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
> --- a/policy/modules/contrib/libmtp.if 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.if 2017-05-13 21:21:58.102046453 +0200
> @@ -0,0 +1,30 @@
> +## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).
> +
> +###########################################################
> +##
> +## Role access for libmtp.
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +##
> +## User domain for the role.
> +##
> +##
> +#
> +interface(`libmtp_role',`
> + gen_require(`
> + attribute_role libmtp_roles;
> + type libmtp_t, libmtp_exec_t;
> + ')
> +
> + roleattribute $1 libmtp_roles;
> +
> + domtrans_pattern($2, libmtp_exec_t, libmtp_t)
> +
> + allow $2 libmtp_t:process { ptrace signal_perms };
> + ps_process_pattern($2, libmtp_t)
> +')
> --- a/policy/modules/contrib/libmtp.te 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/libmtp.te 2017-05-14 13:46:35.961238261 +0200
> @@ -0,0 +1,59 @@
> +policy_module(libmtp, 1.0.0)
> +
> +##############################
> +#
> +# Declarations
> +#
> +
> +##
> +##
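Review bot: The module summary on the first added line of libmtp.if misspells "Initiator" as "Initiatior"; that line is what the policy documentation generator renders for the module, so it should read `## libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).`. The commit message already spells it correctly, so only the .if header needs the fix.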

> +## Determine whether libmtp can
> +## manage the user home directories
> +## and files.
> +##

> +##
> +gen_tunable(libmtp_enable_home_dirs, false)
> +
> +attribute_role libmtp_roles;
> +
> +type libmtp_t;
> +type libmtp_exec_t;
> +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
> +role libmtp_roles types libmtp_t;
> +
> +type libmtp_home_t;
> +userdom_user_home_content(libmtp_home_t)
> +
> +##############################
> +#
> +# libmtp local policy
> +#
> +
> +allow libmtp_t self:capability sys_tty_config;
> +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow libmtp_t self:fifo_file rw_fifo_file_perms;
> +
> +allow libmtp_t libmtp_home_t:file manage_file_perms;
> +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
> +
> +dev_read_sysfs(libmtp_t)
> +dev_rw_generic_usb_dev(libmtp_t)
> +
> +domain_use_interactive_fds(libmtp_t)
> +
> +files_read_etc_files(libmtp_t)
> +
> +miscfiles_read_localization(libmtp_t)
> +
> +term_use_unallocated_ttys(libmtp_t)
> +
> +userdom_use_inherited_user_terminals(libmtp_t)
> +
> +tunable_policy(`libmtp_enable_home_dirs',`
> + userdom_manage_user_home_content_files(libmtp_t)
> + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
> +')
> +
> +optional_policy(`
> + udev_read_pid_files(libmtp_t)
> +')
Merged.
-- 
Chris PeBenito
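Review bot: The tunable description says libmtp can "manage the user home directories and files", but the `tunable_policy` block in libmtp.te only calls `userdom_manage_user_home_content_files` plus a `file`-class filetrans, so no directory creation under the home directory is granted and the text shown by `semanage boolean -l` overstates what the boolean enables; either reword it to `##	Determine whether libmtp can manage user home content files.` or, if fetching into a new folder is intended to work, add the matching dirs interface. Worth stating in that description that, when the boolean is on, a domain whose input is MTP data parsed from an attached USB device (`dev_rw_generic_usb_dev(libmtp_t)`) presumably gains write access to every user home content file, which is why the default stays false. Separately, `allow libmtp_t self:capability sys_tty_config;` together with `term_use_unallocated_ttys(libmtp_t)` hands a USB file-transfer tool control over unallocated tty devices; unless the tools actually need that, these look like captured denials that should become `dontaudit libmtp_t self:capability sys_tty_config;` and be dropped rather than allowed. Minor: `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` has a stray space before the closing parenthesis.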