SELinux Type-Enforcement Rules
Reported by Michael Ansel | May 20th, 2009 @ 02:24 PM | in 1.4.0 Release
libiphone/iFuse don't currently have SELinux rules included.
Here is a basic set to start with, although they should probably be
tightened up a bit:
* only permit libiphone/iFuse to access usb_device_t instead of all mount_t
* don't write to ~/.config (admin_home_t) while mounting, should only be done from unconfined_t
* why is getsched being called? Can it be eliminated too?
Thanks for writing such an awesome library/tool!
=== ifuse.te ===
module ifuse 1.0;

require {
    type admin_home_t;
    type mount_t;
    type usb_device_t;
    class process getsched;
    class chr_file { read write ioctl };
    class dir write;
}

#============= mount_t ==============
# directory write into the admin home (~/.config) during mount
allow mount_t admin_home_t:dir write;
# getsched on the mount process itself
allow mount_t self:process getsched;
# read/write/ioctl on the USB device node
allow mount_t usb_device_t:chr_file { read write ioctl };
=== end ifuse.te ===
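The three tightening points in the ticket (rules granted to all of mount_t rather than a dedicated ifuse domain, the write to admin_home_t, and the unexplained getsched) can be checked mechanically before a module is built. The script below is an added example for this page, not code from the ticket or from the libiphone/iFuse project: it parses the allow rules of a .te file, flags each of the three concerns, and also reports allow statements missing their terminating ';' (the original posting's last rule lacked one, which checkmodule rejects). The sample module text is constructed from the ticket, and the BROAD_DOMAINS and PROTECTED_WRITE_TARGETS review lists are assumptions of this example, not SELinux concepts.

```python
import re

# Constructed sample input: the ifuse.te module from the ticket, with the
# terminating ';' restored on the last allow rule.
IFUSE_TE = """\
module ifuse 1.0;
require {
    type admin_home_t;
    type mount_t;
    type usb_device_t;
    class process getsched;
    class chr_file { read write ioctl };
    class dir write;
}
#============= mount_t ==============
allow mount_t admin_home_t:dir write;
allow mount_t self:process getsched;
allow mount_t usb_device_t:chr_file { read write ioctl };
"""

# A well-formed TE allow rule: allow <source> <target>:<class> <perm | { perms }> ;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE
)

# Assumed review lists for this example. mount_t is every mount helper on the
# system, so a grant to it reaches far beyond ifuse; admin_home_t should not be
# written by a confined mount helper at all.
BROAD_DOMAINS = {"mount_t"}
PROTECTED_WRITE_TARGETS = {"admin_home_t"}


def parse_allow_rules(te_text):
    """Return (source, target, class, perms) for each well-formed allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        src, tgt, cls, perms = m.groups()
        perm_set = frozenset(perms.strip("{}").split())
        rules.append((src, tgt, cls, perm_set))
    return rules


def unterminated_allow_lines(te_text):
    """1-based line numbers of allow statements that lack the closing ';'."""
    bad = []
    for lineno, line in enumerate(te_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("allow ") and not stripped.endswith(";"):
            bad.append(lineno)
    return bad


def review_allow_rules(te_text):
    """Flag the over-broad grants listed in the ticket as (rule_index, reason)."""
    findings = []
    for idx, (src, tgt, cls, perms) in enumerate(parse_allow_rules(te_text)):
        if src in BROAD_DOMAINS:
            findings.append((idx, f"granted to {src}, i.e. every mount helper, not just ifuse"))
        if tgt in PROTECTED_WRITE_TARGETS and "write" in perms:
            findings.append((idx, f"writes to {tgt}; config writes belong to the unconfined caller"))
        if cls == "process" and "getsched" in perms:
            findings.append((idx, "getsched on self: confirm the call is needed before allowing it"))
    return findings


if __name__ == "__main__":
    for lineno in unterminated_allow_lines(IFUSE_TE):
        print(f"line {lineno}: allow statement missing ';'")
    for idx, reason in review_allow_rules(IFUSE_TE):
        print(f"rule {idx}: {reason}")
```

Run against the constructed module it reports five findings (the mount_t grant on all three rules, the admin_home_t write, and the getsched), and no unterminated statements; feed it the original posting and the last rule is reported on its line.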
Comments and changes to this ticket
-
Martin S. July 1st, 2009 @ 12:23 PM
- State changed from new to open
- Milestone set to 1.2.0 Release
Will try to dig into this once 1.0 is out of the box. Patches always welcome.
-
Martin S. May 28th, 2010 @ 10:44 AM
Hi, could you explain how this works and if you are still interested to add SELinux rules?
-
Martin S. June 9th, 2010 @ 10:23 AM
- Milestone changed from 1.2.0 Release to 1.4.0 Release
Moving to 1.4.0 milestone as we are approaching 1.2.0.
A project around supporting the iPhone in Linux.
See http://libimobiledevice.org