[refpolicy] [PATCH 2/2] contrib: new libmtp module

Guido Trentalancia guido at trentalancia.net
Sat May 13 21:15:43 UTC 2017


This is the contrib part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
---
 policy/modules/contrib/libmtp.fc |    3 +
 policy/modules/contrib/libmtp.if |   30 +++++++++++++++++++
 policy/modules/contrib/libmtp.te |   61 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 94 insertions(+)

--- a/policy/modules/contrib/libmtp.fc	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.fc	2017-05-13 21:37:57.529042530 +0200
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data	--	gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-(.*)?	--	gen_context(system_u:object_r:libmtp_exec_t,s0)
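Review bot: The executable pattern on the hunk's last line, `/usr/bin/mtp-(.*)?`, uses a grouped optional wildcard where refpolicy's other .fc files write a plain `.*` for open-ended prefixes; both forms match the same paths, so this is style only. Writing it as `/usr/bin/mtp-.*	--	gen_context(system_u:object_r:libmtp_exec_t,s0)` keeps the file consistent with the rest of the tree.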
--- a/policy/modules/contrib/libmtp.if	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.if	2017-05-13 21:21:58.102046453 +0200
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+##	Role access for libmtp.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`libmtp_role',`
+	gen_require(`
+		attribute_role libmtp_roles;
+		type libmtp_t, libmtp_exec_t;
+	')
+
+	roleattribute $1 libmtp_roles;
+
+	domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+	allow $2 libmtp_t:process { ptrace signal_perms };
+	ps_process_pattern($2, libmtp_t)
+')
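Review bot: The module summary on the hunk's first line misspells "Initiator" as "Initiatior"; since that summary is what the policy documentation tooling displays for the module, it should read `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>`. The libmtp_role interface itself follows the usual refpolicy role-interface shape (roleattribute, domtrans_pattern, signal/ptrace, ps_process_pattern) and raises nothing further on its own.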
--- a/policy/modules/contrib/libmtp.te	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/libmtp.te	2017-05-13 23:05:11.151021134 +0200
@@ -0,0 +1,61 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether libmtp can
+##	manage the user home directories
+##	and files.
+##	</p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability2 wake_alarm;
+
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:dir manage_dir_perms;
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+locallogin_use_fds(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+userdom_use_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(libmtp_t)
+	userdom_manage_user_home_content_files(libmtp_t)
+	userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })
+')
+
+optional_policy(`
+	udev_read_pid_files(libmtp_t)
+')
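Review bot: The tunable block lists lnk_file in userdom_user_home_dir_filetrans_user_home_content() but never grants libmtp_t any lnk_file permissions on user home content, so that symlink transition can never be exercised; either drop lnk_file from the class list or add `userdom_manage_user_home_content_symlinks(libmtp_t)` next to the dirs/files calls so the three rules agree. Separately, `allow libmtp_t self:capability2 wake_alarm;` grants a privilege that is unusual for a user application reading USB media; if it was added only to clear an audit denial, a dontaudit rule would be the least-privilege choice, and otherwise a one-line comment naming the code path that needs it would help the next maintainer judge it.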

