[refpolicy] [PATCH v2 2/2] contrib: new libmtp module

Guido Trentalancia guido at trentalancia.net
Wed May 17 22:28:26 UTC 2017


Hello Christopher,

do you have any feedback on this 2-part patch to introduce support for libmtp?

Regards,

Guido

On the 14th of May 2017 13:54:20 CEST, Guido Trentalancia via refpolicy <refpolicy at oss.tresys.com> wrote:
>This is the contrib part of the policy needed to support libmtp (an
>Initiator implementation of the Media Transfer Protocol).
>
>This is the second revised version of the patch.
>
>Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
>---
> policy/modules/contrib/libmtp.fc |    3 +
> policy/modules/contrib/libmtp.if |   30 +++++++++++++++++++
>policy/modules/contrib/libmtp.te |   59
>+++++++++++++++++++++++++++++++++++++++
> 3 files changed, 92 insertions(+)
>
>--- a/policy/modules/contrib/libmtp.fc	1970-01-01 01:00:00.000000000
>+0100
>+++ b/policy/modules/contrib/libmtp.fc	2017-05-14 13:29:40.789242411
>+0200
>@@ -0,0 +1,3 @@
>+HOME_DIR/\.mtpz-data	--	gen_context(system_u:object_r:libmtp_home_t,s0)
>+
>+/usr/bin/mtp-.*	--	gen_context(system_u:object_r:libmtp_exec_t,s0)
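Review bot: the only executable entry is `/usr/bin/mtp-.*`, so the new `libmtp_t` domain is entered solely through libmtp's `mtp-*` command-line tools; any other program that links libmtp directly keeps running in its caller's domain and gets none of the device or `libmtp_home_t` access declared in the `.te` file. If that scope is intended, it would be worth saying so in the module summary; otherwise further `libmtp_exec_t` entries are needed here. The `--` qualifier on both lines also means a symlink or directory at these paths would not be labelled, which is correct for `.mtpz-data` as a plain key file but should be double-checked for the tool paths on distributions that install wrapper symlinks.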
>--- a/policy/modules/contrib/libmtp.if	1970-01-01 01:00:00.000000000
>+0100
>+++ b/policy/modules/contrib/libmtp.if	2017-05-13 21:21:58.102046453
>+0200
>@@ -0,0 +1,30 @@
>+## <summary>libmtp: An Initiatior implementation of the Media Transfer
>Protocol (MTP).</summary>
>+
>+###########################################################
>+## <summary>
>+##	Role access for libmtp.
>+## </summary>
>+## <param name="role">
>+##	<summary>
>+##	Role allowed access.
>+##	</summary>
>+## </param>
>+## <param name="domain">
>+##	<summary>
>+##	User domain for the role.
>+##	</summary>
>+## </param>
>+#
>+interface(`libmtp_role',`
>+	gen_require(`
>+		attribute_role libmtp_roles;
>+		type libmtp_t, libmtp_exec_t;
>+	')
>+
>+	roleattribute $1 libmtp_roles;
>+
>+	domtrans_pattern($2, libmtp_exec_t, libmtp_t)
>+
>+	allow $2 libmtp_t:process { ptrace signal_perms };
>+	ps_process_pattern($2, libmtp_t)
>+')
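Review bot: the module summary on the first line misspells "Initiator" as "Initiatior" and should read `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>` (the cover letter and the `.te` tunable description already use the correct spelling). The `libmtp_role` body itself follows the usual refpolicy role-interface shape (roleattribute, `domtrans_pattern`, `ptrace`/`signal_perms` and `ps_process_pattern` back to the user domain), so no further change is needed there.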
>--- a/policy/modules/contrib/libmtp.te	1970-01-01 01:00:00.000000000
>+0100
>+++ b/policy/modules/contrib/libmtp.te	2017-05-14 13:46:35.961238261
>+0200
>@@ -0,0 +1,59 @@
>+policy_module(libmtp, 1.0.0)
>+
>+##############################
>+#
>+# Declarations
>+#
>+
>+## <desc>
>+##	<p>
>+##	Determine whether libmtp can
>+##	manage the user home directories
>+##	and files.
>+##	</p>
>+## </desc>
>+gen_tunable(libmtp_enable_home_dirs, false)
>+
>+attribute_role libmtp_roles;
>+
>+type libmtp_t;
>+type libmtp_exec_t;
>+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
>+role libmtp_roles types libmtp_t;
>+
>+type libmtp_home_t;
>+userdom_user_home_content(libmtp_home_t)
>+
>+##############################
>+#
>+# libmtp local policy
>+#
>+
>+allow libmtp_t self:capability sys_tty_config;
>+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
>+allow libmtp_t self:fifo_file rw_fifo_file_perms;
>+
>+allow libmtp_t libmtp_home_t:file manage_file_perms;
>+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file,
>".mtpz-data")
>+
>+dev_read_sysfs(libmtp_t)
>+dev_rw_generic_usb_dev(libmtp_t)
>+
>+domain_use_interactive_fds(libmtp_t)
>+
>+files_read_etc_files(libmtp_t)
>+
>+miscfiles_read_localization(libmtp_t)
>+
>+term_use_unallocated_ttys(libmtp_t)
>+
>+userdom_use_inherited_user_terminals(libmtp_t)
>+
>+tunable_policy(`libmtp_enable_home_dirs',`
>+	userdom_manage_user_home_content_files(libmtp_t)
>+	userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
>+')
>+
>+optional_policy(`
>+	udev_read_pid_files(libmtp_t)
>+')
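Review bot: `allow libmtp_t self:capability sys_tty_config;` together with `term_use_unallocated_ttys(libmtp_t)` grants a user-level MTP client the ability to reconfigure terminals and open unallocated ttys, which is an unusual privilege for this kind of tool; unless these came from concrete AVC denials that break real functionality, they should be dropped or turned into `dontaudit` rules so the domain stays limited to the USB device, sysfs and uevent access it actually needs. The tunable block is the right way to gate the broad `userdom_manage_user_home_content_files` grant, and its default of `false` is appropriate. Minor style point: `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` has a stray space before the closing parenthesis.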
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy



More information about the refpolicy mailing list