Re: [PATCH v2] Add sigrok contrib module

From: Guido Trentalancia <guido@trentalancia.com>
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v2] Add sigrok contrib module
Date: Fri, 04 Jan 2019 00:22:21 +0100	[thread overview]
Message-ID: <1546557741.4968.3.camel@trentalancia.com> (raw)
In-Reply-To: <bddaadc8-88f0-5c55-38a6-7aeb1073ef08@ieee.org>

Yes, my fault, thanks for telling me ! Revised patch (v3) posted.

On Thu, 03/01/2019 at 17.33 -0500, Chris PeBenito wrote:
> On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
> 
> Sorry, I missed this, but there's no longer a contrib directory, so
> this 
> should be added to apps.
> 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> >   policy/modules/contrib/sigrok.fc   |    1
> >   policy/modules/contrib/sigrok.if   |   37
> > +++++++++++++++++++++++++++++++++++
> >   policy/modules/contrib/sigrok.te   |   39
> > +++++++++++++++++++++++++++++++++++++
> >   policy/modules/roles/unprivuser.te |    4 +++
> >   4 files changed, 81 insertions(+)
> > 
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc	2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if	2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +##	Execute sigrok in its domain.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`sigrok_run',`
> > +	gen_require(`
> > +		type sigrok_t, sigrok_exec_t;
> > +		attribute_role sigrok_roles;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Declarations
> > +	#
> > +
> > +	roleattribute $1 sigrok_roles;
> > +
> > +	########################################
> > +	#
> > +	# Policy
> > +	#
> > +
> > +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te	2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > +	udev_read_pid_files(sigrok_t)
> > +')
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te	2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te	2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> >   	')
> >   
> >   	optional_policy(`
> > +		sigrok_run(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >   		spamassassin_role(user_r, user_t)
> >   	')
> >   
> > 
> 
> 
-- 
Guido Trentalancia <guido@trentalancia.com>
PGP key: http://pgp.trentalancia.com