module local-usbmount 1.0;

# Everything this module references is declared in the base policy;
# the require block only imports those names so the module links.
# Nothing here grants access on its own.
require {
	# the mounting domains: mount(8) run from an unconfined session,
	# and the udisks daemon
	type unconfined_mount_t;
	type devicekit_disk_t;
	# mount-point directories under /run/media
	type removable_t;
	# block device nodes labeled as fixed (non-removable) disks
	type fixed_disk_device_t;
	# polkit daemon and its authentication agent
	type policykit_t;
	type policykit_auth_t;
	# pseudo-terminal filesystem and pty device nodes
	type devpts_t;
	type user_devpts_t;
	# the unix_chkpwd password helper binary and its domain
	type chkpwd_exec_t;
	type chkpwd_t;

	# object classes / permissions used by the rules below
	class dir { add_name create remove_name search write };
	class blk_file { getattr ioctl open read write };
	class chr_file getattr;
	class filesystem getattr;
	class file execute_no_trans;
	class process2 nnp_transition;
	class capability net_admin;
}
#============= removable_t mount points ==============
# mount(8) running as unconfined_mount_t and the udisks daemon
# (devicekit_disk_t) both create and remove the per-device mount-point
# directories under /run/media. Both domains need exactly the same set
# of directory permissions, so they are granted in a single rule.
allow { unconfined_mount_t devicekit_disk_t } removable_t:dir { search create add_name write remove_name };
#============= fixed_disk_device_t ==============
# Raw access to the block device being mounted.
# NOTE(review): this was written for a USB stick, but fixed_disk_device_t
# is the default label for /dev/sd* style nodes on most policies, so it
# covers the internal disks as well as the stick. The rules below therefore
# let unconfined_mount_t open, read, write and ioctl every device carrying
# that label. Check the actual label of the USB node (ls -Z on the device)
# and, if it can be relabeled to the removable-media device type, target
# that type instead of fixed_disk_device_t.
allow unconfined_mount_t fixed_disk_device_t:blk_file getattr;
allow unconfined_mount_t fixed_disk_device_t:blk_file { open read write ioctl };
#============= policykit_t ==============
# polkitd only stats the pty filesystem and the session's pty node
# (getattr in both cases); no read or write on the terminal is granted.
allow policykit_t devpts_t:filesystem { getattr };
allow policykit_t user_devpts_t:chr_file { getattr };
#============= policykit_auth_t ==============
# The polkit authentication agent runs the unix_chkpwd helper to verify
# the user's password.
#
# NOTE(review): the next two rules pull in opposite directions.
# execute_no_trans lets the agent run the helper *without* leaving
# policykit_auth_t, while nnp_transition is what permits the normal
# domain transition into chkpwd_t when the agent runs with
# no_new_privs set. Once the transition is permitted, execute_no_trans
# should no longer be needed, and keeping it lets the password helper
# run in the agent's own domain instead of the confined chkpwd_t.
# Drop execute_no_trans and confirm from the audit log that the exec
# now transitions.
allow policykit_auth_t chkpwd_exec_t:file execute_no_trans;
allow policykit_auth_t chkpwd_t:process2 nnp_transition;
# NOTE(review): CAP_NET_ADMIN is far more than an authentication agent
# needs; this kind of denial is usually incidental (e.g. a socket
# option probe) rather than a real requirement. Check the original AVC
# record and, if the agent works without it, replace the allow with
#   dontaudit policykit_auth_t self:capability net_admin;
# so the noise is silenced without granting the capability.
allow policykit_auth_t self:capability net_admin;