> It might be worth submitting the policy to Fibocom's github repo as a
> PR too.
>

Good idea! Might create a github account for that.

> I think that would be "audit2allow -a -R -m fibocomservices" and then
> you'll end up with a ".te" (type enforcement) file that you can put in
> the PR. It should look something like
> https://github.com/stefanberger/swtpm/blob/master/src/selinux/swtpm.te
>
> I'm a bit hazy on the process of getting the .te file into something that
> can get shipped with a package; looking at some Fedora packages that
> ship SELinux policy looks more complicated than I recall.
>
> But the ".te" file is the start; would you be able to post that output
> here?
>

Sure, here are the contents of the .te file:

policy_module(fibocomservices, 1.0)

require {
	type modemmanager_t;
	type systemd_logind_t;
	type init_t;
	type user_home_t;
	class file { execute execute_no_trans open read };
	class msgq { associate create enqueue read unix_read unix_write write };
	class msg { receive send };
	class process setpgid;
}

#============= init_t ==============
allow init_t self:msg { receive send };
allow init_t self:msgq { associate create enqueue read unix_read unix_write write };
allow init_t self:process setpgid;
allow init_t user_home_t:file { execute execute_no_trans open read };
unconfined_server_stream_connectto(init_t)

#============= modemmanager_t ==============
dmidecode_exec(modemmanager_t)
unconfined_server_stream_connectto(modemmanager_t)

#============= systemd_logind_t ==============
systemd_dbus_chat_logind(systemd_logind_t)

>
> Good work; thanks for sticking with it!
>
> Dan
>

Thanks, of course!

Jo
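
Before a generated module like the one posted above goes into a PR, it helps to list exactly what each rule grants. The following is an added example, not part of the original thread or of any project's code: a small Python parser for the allow rules and interface calls in a .te file that flags execute permissions on user-writable types. The USER_WRITABLE set and all function names are assumptions chosen for illustration.

```python
import re

# Constructed sample: rules copied from the module posted in this thread.
SAMPLE_TE = """\
policy_module(fibocomservices, 1.0)
allow init_t self:msg { receive send };
allow init_t self:process setpgid;
allow init_t user_home_t:file { execute execute_no_trans open read };
unconfined_server_stream_connectto(init_t)
dmidecode_exec(modemmanager_t)
systemd_dbus_chat_logind(systemd_logind_t)
"""

# Assumption for this example: types an ordinary user can write to.
USER_WRITABLE = {"user_home_t", "user_tmp_t", "tmp_t"}
EXEC_PERMS = {"execute", "execute_no_trans"}

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)
MACRO_RE = re.compile(r"^\s*([a-z_0-9]+)\(([^)]*)\)\s*$", re.M)


def parse_allow_rules(te_text):
    """Return (source, target, class, set_of_perms) for every allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        if tgt == "self":  # 'self' means the source domain itself
            tgt = src
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def interface_calls(te_text):
    """Return (macro, argument) pairs, skipping the policy_module header."""
    return [(m, a.strip()) for m, a in MACRO_RE.findall(te_text)
            if m != "policy_module"]


def risky_exec_rules(rules):
    """Rules that let a domain execute files of a user-writable type."""
    return [(s, t, sorted(p & EXEC_PERMS)) for s, t, c, p in rules
            if c == "file" and t in USER_WRITABLE and p & EXEC_PERMS]


if __name__ == "__main__":
    for src, tgt, perms in risky_exec_rules(parse_allow_rules(SAMPLE_TE)):
        print(f"review: {src} may {', '.join(perms)} files labelled {tgt}")
    for macro, arg in interface_calls(SAMPLE_TE):
        print(f"interface: {macro}({arg})")
```
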