usb mount unprivileged user
39
local-usbmount.te
Normal file
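--- /dev/null
+++ b/local-usbmount.te
@@ -0,0 +1,39 @@
+module local-usbmount 1.0;
+
+require {
+type unconfined_mount_t;
+type devicekit_disk_t;
+type removable_t;
+type policykit_t;
+type policykit_auth_t;
+type devpts_t;
+type user_devpts_t;
+type fixed_disk_device_t;
+type chkpwd_exec_t;
+type chkpwd_t;
+class dir { create write add_name search remove_name };
+class blk_file { open read write ioctl getattr };
+class chr_file getattr;
+class filesystem getattr;
+class capability net_admin;
+class file execute_no_trans;
+class process2 nnp_transition;
+
+}
+
+# allow creating mount directories under /run/media
+allow unconfined_mount_t removable_t:dir { create write add_name remove_name search };
+allow devicekit_disk_t removable_t:dir { create add_name write remove_name search };
+
+# allow accessing the USB block device
+allow unconfined_mount_t fixed_disk_device_t:blk_file { open read write ioctl getattr };
+
+#============= policykit_t ==============
+allow policykit_t devpts_t:filesystem getattr;
+allow policykit_t user_devpts_t:chr_file getattr;
+
+#============= policykit_auth_t ==============
+allow policykit_auth_t chkpwd_exec_t:file execute_no_trans;
+allow policykit_auth_t chkpwd_t:process2 nnp_transition;
+allow policykit_auth_t self:capability net_admin;
+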
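Review bot: The blk_file rule under `# allow accessing the USB block device` grants unconfined_mount_t open/read/write/ioctl on every `fixed_disk_device_t` node, which is the label carried by the internal disks rather than a USB-specific type, so the rule is considerably broader than its comment states. If the USB device is ending up labeled fixed_disk_device_t, the device labeling is presumably the real cause and is worth checking before widening the mount domain; at minimum the comment should record the true scope, e.g. `# NOTE: fixed_disk_device_t covers all fixed disks, not only the USB device`. The policykit_auth_t section also reads like unreviewed audit2allow output: `allow policykit_auth_t self:capability net_admin;` has no evident relation to mounting and could be a `dontaudit` until a justification is known, and `execute_no_trans` on chkpwd_exec_t runs the password helper inside policykit_auth_t instead of transitioning into chkpwd_t, which is exactly what the adjacent `nnp_transition` rule appears intended to permit, so one of those two rules is likely redundant.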