#45 open
Michael Ansel

SELinux Type-Enforcement Rules

Reported by Michael Ansel | May 20th, 2009 @ 02:24 PM | in 1.4.0 Release

libiphone/iFuse don't currently have SELinux rules included. Here is a basic set to start with, although they should probably be tightened up a bit:
* only permit libiphone/iFuse to access usb_device_t instead of all mount_t * don't write to ~/.config (admin_home_t) while mounting, should only be done from unconfined_t * why is getsched being called? Can it be eliminated too?

Thanks for writing such an awesome library/tool!

=== ifuse.te ===

module ifuse 1.0;

require {
        type admin_home_t;
        type mount_t;
        type usb_device_t;
        class process getsched;
        class chr_file { read write ioctl };
        class dir write;
}

#============= mount_t ==============
allow mount_t admin_home_t:dir write;
allow mount_t self:process getsched;
allow mount_t usb_device_t:chr_file { read write ioctl }

=== end ifuse.te ===

Comments and changes to this ticket

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

A project around supporting the iPhone in Linux.

See http://libimobiledevice.org

People watching this ticket

Pages