sam.hadow/selinux-archlinux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

usb mount unprivileged user

Browse Source
This commit is contained in:
Sam Hadow
2026-02-28 16:18:03 +01:00
parent cc1a0051a8
commit 02516a2eec
1 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
local-usbmount.te Normal file
View File

@@ -0,0 +1,39 @@
module local-usbmount 1.0;
require {
type unconfined_mount_t;
type devicekit_disk_t;
type removable_t;
type policykit_t;
type policykit_auth_t;
type devpts_t;
type user_devpts_t;
type fixed_disk_device_t;
type chkpwd_exec_t;
type chkpwd_t;
class dir { create write add_name search remove_name };
class blk_file { open read write ioctl getattr };
class chr_file getattr;
class filesystem getattr;
class capability net_admin;
class file execute_no_trans;
class process2 nnp_transition;
}
# allow creating mount directories under /run/media
allow unconfined_mount_t removable_t:dir { create write add_name remove_name search };
allow devicekit_disk_t removable_t:dir { create add_name write remove_name search };
# allow accessing the USB block device
allow unconfined_mount_t fixed_disk_device_t:blk_file { open read write ioctl getattr };
#============= policykit_t ==============
allow policykit_t devpts_t:filesystem getattr;
allow policykit_t user_devpts_t:chr_file getattr;
#============= policykit_auth_t ==============
allow policykit_auth_t chkpwd_exec_t:file execute_no_trans;
allow policykit_auth_t chkpwd_t:process2 nnp_transition;
allow policykit_auth_t self:capability net_admin;