# local-usbmount: local policy module that lets an unconfined mount(8)
# (unconfined_mount_t) and udisks (devicekit_disk_t) create mount points
# under /run/media (removable_t) and open the block device, plus a few
# polkit fix-ups.  The rule set reads like audit2allow output, so each rule
# is annotated with what it actually grants; the NOTE(review) items should
# be checked against the original AVC denials before loading this module
# on a production host.
module local-usbmount 1.0;

require {
    type unconfined_mount_t;
    type devicekit_disk_t;
    type removable_t;
    type policykit_t;
    type policykit_auth_t;
    type devpts_t;
    type user_devpts_t;
    type fixed_disk_device_t;
    type chkpwd_exec_t;
    type chkpwd_t;
    class dir { create write add_name search remove_name };
    class blk_file { open read write ioctl getattr };
    class chr_file getattr;
    class filesystem getattr;
    class capability net_admin;
    class file execute_no_trans;
    class process2 nnp_transition;
}

# allow creating mount directories under /run/media
# Both domains may create/remove entries in (and search) directories
# labelled removable_t, i.e. the per-user mount point directories.
allow unconfined_mount_t removable_t:dir { create write add_name remove_name search };
allow devicekit_disk_t removable_t:dir { create add_name write remove_name search };

# allow accessing the USB block device
# NOTE(review): fixed_disk_device_t is the label of *all* fixed-disk block
# devices (including the disk holding the root filesystem), not just the USB
# stick, so this grants unconfined_mount_t raw read/write to every one of
# them.  Check the real label of the USB device (`ls -Z /dev/sdX`); if it is
# removable_device_t, target that type instead — a far smaller grant.
allow unconfined_mount_t fixed_disk_device_t:blk_file { open read write ioctl getattr };

#============= policykit_t ==============
# Read-only metadata on the devpts filesystem and on user ptys; harmless.
allow policykit_t devpts_t:filesystem getattr;
allow policykit_t user_devpts_t:chr_file getattr;

#============= policykit_auth_t ==============
# NOTE(review): execute_no_trans runs unix_chkpwd (chkpwd_exec_t) *inside*
# policykit_auth_t instead of transitioning to chkpwd_t, which defeats the
# separate confinement of the password checker (and it still could not read
# /etc/shadow from this domain).  The nnp_transition rule below is what
# permits the normal domain transition when the agent runs with
# no_new_privs set; with that rule loaded the execute_no_trans rule is
# expected to be unnecessary — re-test authentication with only
# nnp_transition and drop execute_no_trans if it passes.
allow policykit_auth_t chkpwd_exec_t:file execute_no_trans;
allow policykit_auth_t chkpwd_t:process2 nnp_transition;
# NOTE(review): CAP_NET_ADMIN allows reconfiguring networking (interfaces,
# routes, firewall).  A polkit authentication agent has no need for it; such
# denials are usually setsockopt() noise that is better silenced with
# `dontaudit policykit_auth_t self:capability net_admin;` than allowed.
# Confirm from the AVC record what actually triggered it before keeping this.
allow policykit_auth_t self:capability net_admin;