From: Guido Trentalancia <guido@trentalancia.com>
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v2] Add sigrok contrib module
Date: Fri, 04 Jan 2019 00:22:21 +0100 [thread overview]
Message-ID: <1546557741.4968.3.camel@trentalancia.com> (raw)
In-Reply-To: <bddaadc8-88f0-5c55-38a6-7aeb1073ef08@ieee.org>
Yes, my fault, thanks for telling me ! Revised patch (v3) posted.
On Thu, 03/01/2019 at 17.33 -0500, Chris PeBenito wrote:
> On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
>
> Sorry, I missed this, but there's no longer a contrib directory, so
> this
> should be added to apps.
>
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> > policy/modules/contrib/sigrok.fc | 1
> > policy/modules/contrib/sigrok.if | 37
> > +++++++++++++++++++++++++++++++++++
> > policy/modules/contrib/sigrok.te | 39
> > +++++++++++++++++++++++++++++++++++++
> > policy/modules/roles/unprivuser.te | 4 +++
> > 4 files changed, 81 insertions(+)
> >
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc 2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli -- gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if 2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Execute sigrok in its domain.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`sigrok_run',`
> > + gen_require(`
> > + type sigrok_t, sigrok_exec_t;
> > + attribute_role sigrok_roles;
> > + ')
> > +
> > + ########################################
> > + #
> > + # Declarations
> > + #
> > +
> > + roleattribute $1 sigrok_roles;
> > +
> > + ########################################
> > + #
> > + # Policy
> > + #
> > +
> > + domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te 2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > + udev_read_pid_files(sigrok_t)
> > +')
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te 2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te 2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> > ')
> >
> > optional_policy(`
> > + sigrok_run(user_r, user_t)
> > + ')
> > +
> > + optional_policy(`
> > spamassassin_role(user_r, user_t)
> > ')
> >
> >
>
>
--
Guido Trentalancia <guido@trentalancia.com>
PGP key: http://pgp.trentalancia.com
prev parent reply other threads:[~2019-01-03 23:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-29 15:40 [PATCH] Add sigrok contrib module Guido Trentalancia
2019-01-02 23:47 ` Chris PeBenito
2019-01-03 0:52 ` Guido Trentalancia
2019-01-03 10:17 ` [PATCH v2] " Guido Trentalancia
2019-01-03 22:33 ` Chris PeBenito
2019-01-03 23:20 ` [PATCH v3] " Guido Trentalancia
2019-01-04 1:52 ` Chris PeBenito
2019-01-03 23:22 ` Guido Trentalancia [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1546557741.4968.3.camel@trentalancia.com \
--to=guido@trentalancia.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).