* [PATCH] Add sigrok contrib module
@ 2018-12-29 15:40 Guido Trentalancia
  2019-01-02 23:47 ` Chris PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2018-12-29 15:40 UTC (permalink / raw)
  To: selinux-refpolicy

Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/sigrok.fc   |    1 
 policy/modules/contrib/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
 policy/modules/contrib/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
 policy/modules/roles/unprivuser.te |    4 +++
 4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
--- a/policy/modules/contrib/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
--- a/policy/modules/contrib/sigrok.if	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.if	2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+##	Role access for sigrok.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`sigrok_role',`
+	gen_require(`
+		type sigrok_t, sigrok_exec_t;
+		attribute_role sigrok_roles;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	roleattribute $1 sigrok_roles;
+
+	########################################
+	#
+	# Policy
+	#
+
+	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
--- a/policy/modules/contrib/sigrok.te	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.te	2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+  
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+	udev_read_pid_files(sigrok_t)
+')
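Review bot: `corenet_tcp_connect_all_unreserved_ports(sigrok_t)` and `dev_rw_generic_usb_dev(sigrok_t)` are broad grants for a domain that the unprivuser.te hunk makes reachable from `user_t`: the first permits outbound TCP to any unreserved port, and the second gives read/write on every device carrying the generic USB label. Presumably the TCP rule exists for network-attached instruments; if so, it and the `self:tcp_socket` rule would sit better behind a default-off tunable, as sketched below (the boolean name is only a suggestion). A one-line comment above the USB and `term_use_unallocated_ttys` rules naming the hardware path that needs them would help the next reviewer judge whether a narrower device label is possible. The same lines recur unchanged in the v2 and v3 sigrok.te hunks.

```selinux
# … unchanged: policy_module, role/type declarations …

## <desc>
##	<p>
##	Allow sigrok to connect to network-attached
##	instruments on unreserved TCP ports.
##	</p>
## </desc>
gen_tunable(sigrok_connect_unreserved_ports, false)

# … unchanged: fifo_file and netlink_kobject_uevent_socket rules …

tunable_policy(`sigrok_connect_unreserved_ports',`
	allow sigrok_t self:tcp_socket create_socket_perms;
	corenet_tcp_connect_all_unreserved_ports(sigrok_t)
')

# … unchanged: dev_*, files_*, term_*, userdom_* rules and the udev optional_policy …
```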
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		sigrok_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		spamassassin_role(user_r, user_t)
 	')
 


* Re: [PATCH] Add sigrok contrib module
  2018-12-29 15:40 [PATCH] Add sigrok contrib module Guido Trentalancia
@ 2019-01-02 23:47 ` Chris PeBenito
  2019-01-03  0:52   ` Guido Trentalancia
  0 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2019-01-02 23:47 UTC (permalink / raw)
  To: Guido Trentalancia, selinux-refpolicy

On 12/29/18 10:40 AM, Guido Trentalancia wrote:
> Add a SELinux Reference Policy module for the sigrok
> signal analysis software suite (command-line interface).
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/contrib/sigrok.fc   |    1
>   policy/modules/contrib/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
>   policy/modules/contrib/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
>   policy/modules/roles/unprivuser.te |    4 +++
>   4 files changed, 81 insertions(+)
> 
> diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
> --- a/policy/modules/contrib/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
> @@ -0,0 +1 @@
> +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
> diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
> --- a/policy/modules/contrib/sigrok.if	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.if	2018-12-29 14:52:30.771773190 +0100
> @@ -0,0 +1,37 @@
> +## <summary>sigrok signal analysis software suite.</summary>
> +
> +########################################
> +## <summary>
> +##	Role access for sigrok.
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +## </param>
> +#
> +interface(`sigrok_role',`
> +	gen_require(`
> +		type sigrok_t, sigrok_exec_t;
> +		attribute_role sigrok_roles;
> +	')
> +
> +	########################################
> +	#
> +	# Declarations
> +	#
> +
> +	roleattribute $1 sigrok_roles;
> +
> +	########################################
> +	#
> +	# Policy
> +	#
> +
> +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> +')

Is there going to be future content for this module, especially for this 
interface?  It is the equivalent of a "run" interface, which would make 
more sense, unless there will be more content added in the future.


> diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
> --- a/policy/modules/contrib/sigrok.te	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.te	2018-12-29 16:25:21.851742375 +0100
> @@ -0,0 +1,39 @@
> +policy_module(sigrok, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role sigrok_roles;
> +roleattribute system_r sigrok_roles;
> +
> +type sigrok_t;
> +type sigrok_exec_t;
> +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> +role sigrok_roles types sigrok_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow sigrok_t self:tcp_socket create_socket_perms;
> +
> +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> +
> +dev_getattr_sysfs_dirs(sigrok_t)
> +dev_read_sysfs(sigrok_t)
> +dev_rw_generic_usb_dev(sigrok_t)
> +
> +files_read_etc_files(sigrok_t)
> +
> +term_use_unallocated_ttys(sigrok_t)
> +
> +userdom_use_user_ptys(sigrok_t)
> +
> +optional_policy(`
> +	udev_read_pid_files(sigrok_t)
> +')
> diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
> +++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
> @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
>   	')
>   
>   	optional_policy(`
> +		sigrok_role(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>   		spamassassin_role(user_r, user_t)
>   	')
>   
> 


-- 
Chris PeBenito


* Re: [PATCH] Add sigrok contrib module
  2019-01-02 23:47 ` Chris PeBenito
@ 2019-01-03  0:52   ` Guido Trentalancia
  2019-01-03 10:17     ` [PATCH v2] " Guido Trentalancia
  0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2019-01-03  0:52 UTC (permalink / raw)
  To: selinux-refpolicy

Hello Chris.

There is no further content to be added for the command-line interface
application (sigrok-cli).

There is some chance that further content will be required by the
graphical user interface application (pulseview), in the sense that the
same permissions would need to be granted to that application: in
that case, I suppose, the pulseview binary can simply be labeled as
sigrok_exec_t, like sigrok-cli.

In short, we shall probably assume that there is no further content to
be added.

Can you manually amend the interface name, as you suggested, if you
like?

Regards,

Guido

On Wed, 02/01/2019 at 18.47 -0500, Chris PeBenito wrote:
> On 12/29/18 10:40 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> >   policy/modules/contrib/sigrok.fc   |    1
> >   policy/modules/contrib/sigrok.if   |   37
> > +++++++++++++++++++++++++++++++++++
> >   policy/modules/contrib/sigrok.te   |   39
> > +++++++++++++++++++++++++++++++++++++
> >   policy/modules/roles/unprivuser.te |    4 +++
> >   4 files changed, 81 insertions(+)
> > 
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc	2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if	2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +##	Role access for sigrok.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`sigrok_role',`
> > +	gen_require(`
> > +		type sigrok_t, sigrok_exec_t;
> > +		attribute_role sigrok_roles;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Declarations
> > +	#
> > +
> > +	roleattribute $1 sigrok_roles;
> > +
> > +	########################################
> > +	#
> > +	# Policy
> > +	#
> > +
> > +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
> 
> Is there going to be future content for this module, especially for
> this 
> interface?  It is the equivalent of a "run" interface, which would
> make 
> more sense, unless there will be more content added in the future.
> 
> 
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te	2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > +	udev_read_pid_files(sigrok_t)
> > +')
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te	2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te	2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> >   	')
> >   
> >   	optional_policy(`
> > +		sigrok_role(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >   		spamassassin_role(user_r, user_t)
> >   	')
> >   
> > 
> 
> 


* [PATCH v2] Add sigrok contrib module
  2019-01-03  0:52   ` Guido Trentalancia
@ 2019-01-03 10:17     ` " Guido Trentalancia
  2019-01-03 22:33       ` Chris PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2019-01-03 10:17 UTC (permalink / raw)
  To: selinux-refpolicy

Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/sigrok.fc   |    1 
 policy/modules/contrib/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
 policy/modules/contrib/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
 policy/modules/roles/unprivuser.te |    4 +++
 4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
--- a/policy/modules/contrib/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
--- a/policy/modules/contrib/sigrok.if	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.if	2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+##	Execute sigrok in its domain.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`sigrok_run',`
+	gen_require(`
+		type sigrok_t, sigrok_exec_t;
+		attribute_role sigrok_roles;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	roleattribute $1 sigrok_roles;
+
+	########################################
+	#
+	# Policy
+	#
+
+	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
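Review bot: The renamed `sigrok_run` still takes the role as `$1` and the domain as `$2`, whereas refpolicy's other `_run` interfaces, as far as I know, take the domain first and the role second, so a caller following that convention would pass the arguments reversed. Swapping them keeps the interface consistent: `roleattribute $2 sigrok_roles;`, `domtrans_pattern($1, sigrok_exec_t, sigrok_t)`, and in unprivuser.te `sigrok_run(user_t, user_r)`. The two `<param>` blocks would swap as well, with the domain one reading "Domain allowed to transition." The v3 sigrok.if and unprivuser.te hunks carry the same ordering.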
diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
--- a/policy/modules/contrib/sigrok.te	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.te	2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+  
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+	udev_read_pid_files(sigrok_t)
+')
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		sigrok_run(user_r, user_t)
+	')
+
+	optional_policy(`
 		spamassassin_role(user_r, user_t)
 	')
 


* Re: [PATCH v2] Add sigrok contrib module
  2019-01-03 10:17     ` [PATCH v2] " Guido Trentalancia
@ 2019-01-03 22:33       ` Chris PeBenito
  2019-01-03 23:20         ` [PATCH v3] " Guido Trentalancia
  2019-01-03 23:22         ` [PATCH v2] " Guido Trentalancia
  0 siblings, 2 replies; 8+ messages in thread
From: Chris PeBenito @ 2019-01-03 22:33 UTC (permalink / raw)
  To: Guido Trentalancia, selinux-refpolicy

On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> Add a SELinux Reference Policy module for the sigrok
> signal analysis software suite (command-line interface).

Sorry, I missed this, but there's no longer a contrib directory, so this 
should be added to apps.

> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/contrib/sigrok.fc   |    1
>   policy/modules/contrib/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
>   policy/modules/contrib/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
>   policy/modules/roles/unprivuser.te |    4 +++
>   4 files changed, 81 insertions(+)
> 
> diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
> --- a/policy/modules/contrib/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
> @@ -0,0 +1 @@
> +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
> diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
> --- a/policy/modules/contrib/sigrok.if	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.if	2018-12-29 14:52:30.771773190 +0100
> @@ -0,0 +1,37 @@
> +## <summary>sigrok signal analysis software suite.</summary>
> +
> +########################################
> +## <summary>
> +##	Execute sigrok in its domain.
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +## </param>
> +#
> +interface(`sigrok_run',`
> +	gen_require(`
> +		type sigrok_t, sigrok_exec_t;
> +		attribute_role sigrok_roles;
> +	')
> +
> +	########################################
> +	#
> +	# Declarations
> +	#
> +
> +	roleattribute $1 sigrok_roles;
> +
> +	########################################
> +	#
> +	# Policy
> +	#
> +
> +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> +')
> diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
> --- a/policy/modules/contrib/sigrok.te	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.te	2018-12-29 16:25:21.851742375 +0100
> @@ -0,0 +1,39 @@
> +policy_module(sigrok, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role sigrok_roles;
> +roleattribute system_r sigrok_roles;
> +
> +type sigrok_t;
> +type sigrok_exec_t;
> +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> +role sigrok_roles types sigrok_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow sigrok_t self:tcp_socket create_socket_perms;
> +
> +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> +
> +dev_getattr_sysfs_dirs(sigrok_t)
> +dev_read_sysfs(sigrok_t)
> +dev_rw_generic_usb_dev(sigrok_t)
> +
> +files_read_etc_files(sigrok_t)
> +
> +term_use_unallocated_ttys(sigrok_t)
> +
> +userdom_use_user_ptys(sigrok_t)
> +
> +optional_policy(`
> +	udev_read_pid_files(sigrok_t)
> +')
> diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
> +++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
> @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
>   	')
>   
>   	optional_policy(`
> +		sigrok_run(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>   		spamassassin_role(user_r, user_t)
>   	')
>   
> 


-- 
Chris PeBenito


* [PATCH v3] Add sigrok contrib module
  2019-01-03 22:33       ` Chris PeBenito
@ 2019-01-03 23:20         ` " Guido Trentalancia
  2019-01-04  1:52           ` Chris PeBenito
  2019-01-03 23:22         ` [PATCH v2] " Guido Trentalancia
  1 sibling, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2019-01-03 23:20 UTC (permalink / raw)
  To: selinux-refpolicy

Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/sigrok.fc   |    1 
 policy/modules/apps/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
 policy/modules/apps/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
 policy/modules/roles/unprivuser.te |    4 +++
 4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/apps/sigrok.fc b/policy/modules/apps/sigrok.fc
--- a/policy/modules/apps/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/apps/sigrok.if b/policy/modules/apps/sigrok.if
--- a/policy/modules/apps/sigrok.if	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.if	2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+##	Execute sigrok in its domain.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`sigrok_run',`
+	gen_require(`
+		type sigrok_t, sigrok_exec_t;
+		attribute_role sigrok_roles;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	roleattribute $1 sigrok_roles;
+
+	########################################
+	#
+	# Policy
+	#
+
+	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
diff -pruN a/policy/modules/apps/sigrok.te b/policy/modules/apps/sigrok.te
--- a/policy/modules/apps/sigrok.te	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.te	2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+  
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+	udev_read_pid_files(sigrok_t)
+')
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		sigrok_run(user_r, user_t)
+	')
+
+	optional_policy(`
 		spamassassin_role(user_r, user_t)
 	')
 


* Re: [PATCH v2] Add sigrok contrib module
  2019-01-03 22:33       ` Chris PeBenito
  2019-01-03 23:20         ` [PATCH v3] " Guido Trentalancia
@ 2019-01-03 23:22         ` " Guido Trentalancia
  1 sibling, 0 replies; 8+ messages in thread
From: Guido Trentalancia @ 2019-01-03 23:22 UTC (permalink / raw)
  To: selinux-refpolicy

Yes, my fault, thanks for telling me ! Revised patch (v3) posted.

On Thu, 03/01/2019 at 17.33 -0500, Chris PeBenito wrote:
> On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
> 
> Sorry, I missed this, but there's no longer a contrib directory, so
> this 
> should be added to apps.
> 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> >   policy/modules/contrib/sigrok.fc   |    1
> >   policy/modules/contrib/sigrok.if   |   37
> > +++++++++++++++++++++++++++++++++++
> >   policy/modules/contrib/sigrok.te   |   39
> > +++++++++++++++++++++++++++++++++++++
> >   policy/modules/roles/unprivuser.te |    4 +++
> >   4 files changed, 81 insertions(+)
> > 
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc	2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if	2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +##	Execute sigrok in its domain.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`sigrok_run',`
> > +	gen_require(`
> > +		type sigrok_t, sigrok_exec_t;
> > +		attribute_role sigrok_roles;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Declarations
> > +	#
> > +
> > +	roleattribute $1 sigrok_roles;
> > +
> > +	########################################
> > +	#
> > +	# Policy
> > +	#
> > +
> > +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te	2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > +	udev_read_pid_files(sigrok_t)
> > +')
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te	2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te	2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> >   	')
> >   
> >   	optional_policy(`
> > +		sigrok_run(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >   		spamassassin_role(user_r, user_t)
> >   	')
> >   
> > 
> 
> 
-- 
Guido Trentalancia <guido@trentalancia.com>
PGP key: http://pgp.trentalancia.com


* Re: [PATCH v3] Add sigrok contrib module
  2019-01-03 23:20         ` [PATCH v3] " Guido Trentalancia
@ 2019-01-04  1:52           ` Chris PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Chris PeBenito @ 2019-01-04  1:52 UTC (permalink / raw)
  To: Guido Trentalancia, selinux-refpolicy

On 1/3/19 6:20 PM, Guido Trentalancia wrote:
> Add a SELinux Reference Policy module for the sigrok
> signal analysis software suite (command-line interface).
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/apps/sigrok.fc   |    1
>   policy/modules/apps/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
>   policy/modules/apps/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
>   policy/modules/roles/unprivuser.te |    4 +++
>   4 files changed, 81 insertions(+)
> 
> diff -pruN a/policy/modules/apps/sigrok.fc b/policy/modules/apps/sigrok.fc
> --- a/policy/modules/apps/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/apps/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
> @@ -0,0 +1 @@
> +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
> diff -pruN a/policy/modules/apps/sigrok.if b/policy/modules/apps/sigrok.if
> --- a/policy/modules/apps/sigrok.if	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/apps/sigrok.if	2018-12-29 14:52:30.771773190 +0100
> @@ -0,0 +1,37 @@
> +## <summary>sigrok signal analysis software suite.</summary>
> +
> +########################################
> +## <summary>
> +##	Execute sigrok in its domain.
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +## </param>
> +#
> +interface(`sigrok_run',`
> +	gen_require(`
> +		type sigrok_t, sigrok_exec_t;
> +		attribute_role sigrok_roles;
> +	')
> +
> +	########################################
> +	#
> +	# Declarations
> +	#
> +
> +	roleattribute $1 sigrok_roles;
> +
> +	########################################
> +	#
> +	# Policy
> +	#
> +
> +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> +')
> diff -pruN a/policy/modules/apps/sigrok.te b/policy/modules/apps/sigrok.te
> --- a/policy/modules/apps/sigrok.te	1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/apps/sigrok.te	2018-12-29 16:25:21.851742375 +0100
> @@ -0,0 +1,39 @@
> +policy_module(sigrok, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role sigrok_roles;
> +roleattribute system_r sigrok_roles;
> +
> +type sigrok_t;
> +type sigrok_exec_t;
> +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> +role sigrok_roles types sigrok_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow sigrok_t self:tcp_socket create_socket_perms;
> +
> +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> +
> +dev_getattr_sysfs_dirs(sigrok_t)
> +dev_read_sysfs(sigrok_t)
> +dev_rw_generic_usb_dev(sigrok_t)
> +
> +files_read_etc_files(sigrok_t)
> +
> +term_use_unallocated_ttys(sigrok_t)
> +
> +userdom_use_user_ptys(sigrok_t)
> +
> +optional_policy(`
> +	udev_read_pid_files(sigrok_t)
> +')
> diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
> +++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
> @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
>   	')
>   
>   	optional_policy(`
> +		sigrok_run(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>   		spamassassin_role(user_r, user_t)
>   	')

Merged.

-- 
Chris PeBenito

