From 02516a2eec51c649e3e36e1bea79a85a4dea5a0d Mon Sep 17 00:00:00 2001
From: Sam Hadow
Date: Sat, 28 Feb 2026 16:18:03 +0100
Subject: [PATCH] usb mount unprivileged user

---
 local-usbmount.te | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 local-usbmount.te

diff --git a/local-usbmount.te b/local-usbmount.te
new file mode 100644
index 0000000..ed369ae
--- /dev/null
+++ b/local-usbmount.te
@@ -0,0 +1,39 @@
+module local-usbmount 1.0;
+
+require {
+type unconfined_mount_t;
+type devicekit_disk_t;
+type removable_t;
+type policykit_t;
+type policykit_auth_t;
+type devpts_t;
+type user_devpts_t;
+type fixed_disk_device_t;
+type chkpwd_exec_t;
+type chkpwd_t;
+class dir { create write add_name search remove_name };
+class blk_file { open read write ioctl getattr };
+class chr_file getattr;
+class filesystem getattr;
+class capability net_admin;
+class file execute_no_trans;
+class process2 nnp_transition;
+
+}
+
+# allow creating mount directories under /run/media
+allow unconfined_mount_t removable_t:dir { create write add_name remove_name search };
+allow devicekit_disk_t removable_t:dir { create add_name write remove_name search };
+
+# allow accessing the USB block device
+allow unconfined_mount_t fixed_disk_device_t:blk_file { open read write ioctl getattr };
+
+#============= policykit_t ==============
+allow policykit_t devpts_t:filesystem getattr;
+allow policykit_t user_devpts_t:chr_file getattr;
+
+#============= policykit_auth_t ==============
+allow policykit_auth_t chkpwd_exec_t:file execute_no_trans;
+allow policykit_auth_t chkpwd_t:process2 nnp_transition;
+allow policykit_auth_t self:capability net_admin;
+
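Review bot: The rule under "# allow accessing the USB block device" grants unconfined_mount_t open/read/write/ioctl on every node labeled fixed_disk_device_t, which is the type of the internal disks, not only the USB stick the comment names; if a USB device is showing up as fixed_disk_device_t that is most likely a device-labeling problem (removable media normally gets removable_device_t via udev in the distribution policy), and fixing the label would avoid opening raw write access to all fixed disks from an unprivileged mount. The policykit_auth_t block looks audit2allow-generated (the `#=============` headers) and carries two rules worth questioning: `allow policykit_auth_t self:capability net_admin;` is the kind of denial that typically comes from a harmless setsockopt and is better written as `dontaudit policykit_auth_t self:capability net_admin;` unless the helper demonstrably fails without it, and `execute_no_trans` on chkpwd_exec_t runs the password checker inside policykit_auth_t instead of the confined chkpwd_t domain, while the nnp_transition rule next to it suggests the real blocker was NoNewPrivileges preventing the transition — keep the transition, drop the no-trans execute, and re-test. A short header comment stating which AVC denials each rule addresses and on which distribution/policy version they were observed would make the module much easier to audit later, e.g. `# Generated from AVCs on <distro/policy version>; each allow below maps to one denial seen when an unprivileged user mounts a USB stick via udisks/polkit`.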