2018-12-29 15:54:02

by Guido Trentalancia

Subject: [PATCH] Add sigrok contrib module

Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/sigrok.fc | 1
policy/modules/contrib/sigrok.if | 37 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++
policy/modules/roles/unprivuser.te | 4 +++
4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
--- a/policy/modules/contrib/sigrok.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.fc 2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
--- a/policy/modules/contrib/sigrok.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.if 2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+## Role access for sigrok.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`sigrok_role',`
+ gen_require(`
+ type sigrok_t, sigrok_exec_t;
+ attribute_role sigrok_roles;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 sigrok_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
--- a/policy/modules/contrib/sigrok.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.te 2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+ udev_read_pid_files(sigrok_t)
+')
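Review bot: `corenet_tcp_connect_all_unreserved_ports(sigrok_t)` is granted unconditionally alongside `dev_rw_generic_usb_dev(sigrok_t)`, so a process in sigrok_t can read and write every generically labelled USB device node and also open TCP connections to any unreserved port. If the network access exists only for network-attached instruments (an inference; the patch does not say), it could sit behind a tunable that defaults to off, as sketched below with a proposed boolean name. Independently of that, a one-line comment above each of the three broad grants (network, USB, unallocated ttys) naming the sigrok feature that needs it would let a later reviewer tighten them. The same rules reappear unchanged in the v2 and v3 postings further down.

```selinux
## <desc>
##	<p>
##	Determine whether sigrok can connect to
##	network-attached instruments over TCP.
##	</p>
## </desc>
gen_tunable(sigrok_connect_network, false)   # proposed name

# … unchanged: role and type declarations, fifo_file and netlink self rules …

tunable_policy(`sigrok_connect_network',`
	allow sigrok_t self:tcp_socket create_socket_perms;
	corenet_tcp_connect_all_unreserved_ports(sigrok_t)
')

# … unchanged: dev_*, files_*, term_*, userdom_* rules and the udev optional block …
```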
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ sigrok_role(user_r, user_t)
+ ')
+
+ optional_policy(`
spamassassin_role(user_r, user_t)
')
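Review bot: Only `user_r` is wired to the new domain here, and the diffstat lists no other file under policy/modules/roles/, so as far as this patch shows users in other roles would keep running sigrok-cli in their own user domain rather than in sigrok_t. This call is also what gives every unprivileged SELinux user a path to the `dev_rw_generic_usb_dev` access from sigrok.te, limited only by DAC permissions on the device nodes, so it deserves a sentence in the commit message saying that this is intended. The hunk starts inside a block that opens above line 146 of the file, and v2 and v3 repeat it with only the interface name changed.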



2019-01-03 00:27:49

by Chris PeBenito

Subject: Re: [PATCH] Add sigrok contrib module

On 12/29/18 10:40 AM, Guido Trentalancia wrote:
> Add a SELinux Reference Policy module for the sigrok
> signal analysis software suite (command-line interface).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/sigrok.fc | 1
> policy/modules/contrib/sigrok.if | 37 +++++++++++++++++++++++++++++++++++
> policy/modules/contrib/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++
> policy/modules/roles/unprivuser.te | 4 +++
> 4 files changed, 81 insertions(+)
>
> diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
> --- a/policy/modules/contrib/sigrok.fc 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.fc 2018-12-25 21:33:17.512518983 +0100
> @@ -0,0 +1 @@
> +/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)
> diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
> --- a/policy/modules/contrib/sigrok.if 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.if 2018-12-29 14:52:30.771773190 +0100
> @@ -0,0 +1,37 @@
> +## <summary>sigrok signal analysis software suite.</summary>
> +
> +########################################
> +## <summary>
> +## Role access for sigrok.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`sigrok_role',`
> + gen_require(`
> + type sigrok_t, sigrok_exec_t;
> + attribute_role sigrok_roles;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + roleattribute $1 sigrok_roles;
> +
> + ########################################
> + #
> + # Policy
> + #
> +
> + domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> +')

Is there going to be future content for this module, especially for this
interface? It is the equivalent of a "run" interface, which would make
more sense, unless there will be more content added in the future.


> diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
> --- a/policy/modules/contrib/sigrok.te 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.te 2018-12-29 16:25:21.851742375 +0100
> @@ -0,0 +1,39 @@
> +policy_module(sigrok, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role sigrok_roles;
> +roleattribute system_r sigrok_roles;
> +
> +type sigrok_t;
> +type sigrok_exec_t;
> +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> +role sigrok_roles types sigrok_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow sigrok_t self:tcp_socket create_socket_perms;
> +
> +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> +
> +dev_getattr_sysfs_dirs(sigrok_t)
> +dev_read_sysfs(sigrok_t)
> +dev_rw_generic_usb_dev(sigrok_t)
> +
> +files_read_etc_files(sigrok_t)
> +
> +term_use_unallocated_ttys(sigrok_t)
> +
> +userdom_use_user_ptys(sigrok_t)
> +
> +optional_policy(`
> + udev_read_pid_files(sigrok_t)
> +')
> diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200
> +++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100
> @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + sigrok_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> spamassassin_role(user_r, user_t)
> ')
>
>


--
Chris PeBenito

2019-01-03 00:52:59

by Guido Trentalancia

Subject: Re: [PATCH] Add sigrok contrib module

Hello Chris.

There is no further content to be added for the command-line interface
application (sigrok-cli).

There is some chance that further content will be required by the
graphical user interface application (pulseview), in the sense that the
same permissions would need to be granted to that application: in
that case, I suppose, the pulseview binary can simply be labeled
sigrok_exec_t, like sigrok-cli.

In short, we shall probably assume that there is no further content to
be added.

Can you manually amend the interface name, as you suggested, if you
like?

Regards,

Guido

On Wed, 02/01/2019 at 18.47 -0500, Chris PeBenito wrote:
> On 12/29/18 10:40 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/sigrok.fc | 1
> > policy/modules/contrib/sigrok.if | 37
> > +++++++++++++++++++++++++++++++++++
> > policy/modules/contrib/sigrok.te | 39
> > +++++++++++++++++++++++++++++++++++++
> > policy/modules/roles/unprivuser.te | 4 +++
> > 4 files changed, 81 insertions(+)
> >
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc 2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli -- gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if 2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Role access for sigrok.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`sigrok_role',`
> > + gen_require(`
> > + type sigrok_t, sigrok_exec_t;
> > + attribute_role sigrok_roles;
> > + ')
> > +
> > + ########################################
> > + #
> > + # Declarations
> > + #
> > +
> > + roleattribute $1 sigrok_roles;
> > +
> > + ########################################
> > + #
> > + # Policy
> > + #
> > +
> > + domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
>
> Is there going to be future content for this module, especially for
> this
> interface? It is the equivalent of a "run" interface, which would
> make
> more sense, unless there will be more content added in the future.
>
>
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te 2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > + udev_read_pid_files(sigrok_t)
> > +')
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te 2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te 2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> > ')
> >
> > optional_policy(`
> > + sigrok_role(user_r, user_t)
> > + ')
> > +
> > + optional_policy(`
> > spamassassin_role(user_r, user_t)
> > ')
> >
> >
>
>

2019-01-03 10:17:43

by Guido Trentalancia

Subject: [PATCH v2] Add sigrok contrib module

Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/sigrok.fc | 1
policy/modules/contrib/sigrok.if | 37 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++
policy/modules/roles/unprivuser.te | 4 +++
4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
--- a/policy/modules/contrib/sigrok.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.fc 2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
--- a/policy/modules/contrib/sigrok.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.if 2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+## Execute sigrok in its domain.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`sigrok_run',`
+ gen_require(`
+ type sigrok_t, sigrok_exec_t;
+ attribute_role sigrok_roles;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 sigrok_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
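Review bot: `sigrok_run` keeps the `(role, domain)` argument order of the old `sigrok_role`, whereas `_run` interfaces in the reference policy generally take the transitioning domain first and the role second (stated from memory of the tree, which this patch does not show). A caller who writes the arguments in the usual order should get a build error rather than a wrong grant, but matching the convention avoids the surprise: `roleattribute $2 sigrok_roles;` and `domtrans_pattern($1, sigrok_exec_t, sigrok_t)`, with the two `<param>` blocks swapped and the domain one reworded to "Domain allowed to transition." The call in unprivuser.te would then read `sigrok_run(user_t, user_r)`. The v3 posting carries the same interface text.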
diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
--- a/policy/modules/contrib/sigrok.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/contrib/sigrok.te 2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+ udev_read_pid_files(sigrok_t)
+')
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ sigrok_run(user_r, user_t)
+ ')
+
+ optional_policy(`
spamassassin_role(user_r, user_t)
')


2019-01-03 23:15:13

by Chris PeBenito

Subject: Re: [PATCH v2] Add sigrok contrib module

On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> Add a SELinux Reference Policy module for the sigrok
> signal analysis software suite (command-line interface).

Sorry, I missed this, but there's no longer a contrib directory, so this
should be added to apps.

> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/sigrok.fc | 1
> policy/modules/contrib/sigrok.if | 37 +++++++++++++++++++++++++++++++++++
> policy/modules/contrib/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++
> policy/modules/roles/unprivuser.te | 4 +++
> 4 files changed, 81 insertions(+)
>
> diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc
> --- a/policy/modules/contrib/sigrok.fc 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.fc 2018-12-25 21:33:17.512518983 +0100
> @@ -0,0 +1 @@
> +/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)
> diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if
> --- a/policy/modules/contrib/sigrok.if 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.if 2018-12-29 14:52:30.771773190 +0100
> @@ -0,0 +1,37 @@
> +## <summary>sigrok signal analysis software suite.</summary>
> +
> +########################################
> +## <summary>
> +## Execute sigrok in its domain.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`sigrok_run',`
> + gen_require(`
> + type sigrok_t, sigrok_exec_t;
> + attribute_role sigrok_roles;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + roleattribute $1 sigrok_roles;
> +
> + ########################################
> + #
> + # Policy
> + #
> +
> + domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> +')
> diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te
> --- a/policy/modules/contrib/sigrok.te 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/contrib/sigrok.te 2018-12-29 16:25:21.851742375 +0100
> @@ -0,0 +1,39 @@
> +policy_module(sigrok, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role sigrok_roles;
> +roleattribute system_r sigrok_roles;
> +
> +type sigrok_t;
> +type sigrok_exec_t;
> +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> +role sigrok_roles types sigrok_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow sigrok_t self:tcp_socket create_socket_perms;
> +
> +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> +
> +dev_getattr_sysfs_dirs(sigrok_t)
> +dev_read_sysfs(sigrok_t)
> +dev_rw_generic_usb_dev(sigrok_t)
> +
> +files_read_etc_files(sigrok_t)
> +
> +term_use_unallocated_ttys(sigrok_t)
> +
> +userdom_use_user_ptys(sigrok_t)
> +
> +optional_policy(`
> + udev_read_pid_files(sigrok_t)
> +')
> diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200
> +++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100
> @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + sigrok_run(user_r, user_t)
> + ')
> +
> + optional_policy(`
> spamassassin_role(user_r, user_t)
> ')
>
>


--
Chris PeBenito

2019-01-03 23:20:18

by Guido Trentalancia

Subject: [PATCH v3] Add sigrok contrib module

Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/apps/sigrok.fc | 1
policy/modules/apps/sigrok.if | 37 +++++++++++++++++++++++++++++++++++
policy/modules/apps/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++
policy/modules/roles/unprivuser.te | 4 +++
4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/apps/sigrok.fc b/policy/modules/apps/sigrok.fc
--- a/policy/modules/apps/sigrok.fc 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.fc 2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/apps/sigrok.if b/policy/modules/apps/sigrok.if
--- a/policy/modules/apps/sigrok.if 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.if 2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+## Execute sigrok in its domain.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`sigrok_run',`
+ gen_require(`
+ type sigrok_t, sigrok_exec_t;
+ attribute_role sigrok_roles;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 sigrok_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
diff -pruN a/policy/modules/apps/sigrok.te b/policy/modules/apps/sigrok.te
--- a/policy/modules/apps/sigrok.te 1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.te 2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+ udev_read_pid_files(sigrok_t)
+')
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ sigrok_run(user_r, user_t)
+ ')
+
+ optional_policy(`
spamassassin_role(user_r, user_t)
')


2019-01-03 23:22:26

by Guido Trentalancia

Subject: Re: [PATCH v2] Add sigrok contrib module

Yes, my fault, thanks for telling me! Revised patch (v3) posted.

On Thu, 03/01/2019 at 17.33 -0500, Chris PeBenito wrote:
> On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
>
> Sorry, I missed this, but there's no longer a contrib directory, so
> this
> should be added to apps.
>
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/sigrok.fc | 1
> > policy/modules/contrib/sigrok.if | 37
> > +++++++++++++++++++++++++++++++++++
> > policy/modules/contrib/sigrok.te | 39
> > +++++++++++++++++++++++++++++++++++++
> > policy/modules/roles/unprivuser.te | 4 +++
> > 4 files changed, 81 insertions(+)
> >
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc 2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli -- gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if 2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Execute sigrok in its domain.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`sigrok_run',`
> > + gen_require(`
> > + type sigrok_t, sigrok_exec_t;
> > + attribute_role sigrok_roles;
> > + ')
> > +
> > + ########################################
> > + #
> > + # Declarations
> > + #
> > +
> > + roleattribute $1 sigrok_roles;
> > +
> > + ########################################
> > + #
> > + # Policy
> > + #
> > +
> > + domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te 1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te 2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > + udev_read_pid_files(sigrok_t)
> > +')
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te 2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te 2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> > ')
> >
> > optional_policy(`
> > + sigrok_run(user_r, user_t)
> > + ')
> > +
> > + optional_policy(`
> > spamassassin_role(user_r, user_t)
> > ')
> >
> >
>
>
--
Guido Trentalancia <[email protected]>
PGP key: http://pgp.trentalancia.com

2019-01-04 01:58:02

by Chris PeBenito

Subject: Re: [PATCH v3] Add sigrok contrib module

On 1/3/19 6:20 PM, Guido Trentalancia wrote:
> Add a SELinux Reference Policy module for the sigrok
> signal analysis software suite (command-line interface).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/apps/sigrok.fc | 1
> policy/modules/apps/sigrok.if | 37 +++++++++++++++++++++++++++++++++++
> policy/modules/apps/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++
> policy/modules/roles/unprivuser.te | 4 +++
> 4 files changed, 81 insertions(+)
>
> diff -pruN a/policy/modules/apps/sigrok.fc b/policy/modules/apps/sigrok.fc
> --- a/policy/modules/apps/sigrok.fc 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/apps/sigrok.fc 2018-12-25 21:33:17.512518983 +0100
> @@ -0,0 +1 @@
> +/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)
> diff -pruN a/policy/modules/apps/sigrok.if b/policy/modules/apps/sigrok.if
> --- a/policy/modules/apps/sigrok.if 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/apps/sigrok.if 2018-12-29 14:52:30.771773190 +0100
> @@ -0,0 +1,37 @@
> +## <summary>sigrok signal analysis software suite.</summary>
> +
> +########################################
> +## <summary>
> +## Execute sigrok in its domain.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`sigrok_run',`
> + gen_require(`
> + type sigrok_t, sigrok_exec_t;
> + attribute_role sigrok_roles;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + roleattribute $1 sigrok_roles;
> +
> + ########################################
> + #
> + # Policy
> + #
> +
> + domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> +')
> diff -pruN a/policy/modules/apps/sigrok.te b/policy/modules/apps/sigrok.te
> --- a/policy/modules/apps/sigrok.te 1970-01-01 01:00:00.000000000 +0100
> +++ b/policy/modules/apps/sigrok.te 2018-12-29 16:25:21.851742375 +0100
> @@ -0,0 +1,39 @@
> +policy_module(sigrok, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role sigrok_roles;
> +roleattribute system_r sigrok_roles;
> +
> +type sigrok_t;
> +type sigrok_exec_t;
> +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> +role sigrok_roles types sigrok_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow sigrok_t self:tcp_socket create_socket_perms;
> +
> +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> +
> +dev_getattr_sysfs_dirs(sigrok_t)
> +dev_read_sysfs(sigrok_t)
> +dev_rw_generic_usb_dev(sigrok_t)
> +
> +files_read_etc_files(sigrok_t)
> +
> +term_use_unallocated_ttys(sigrok_t)
> +
> +userdom_use_user_ptys(sigrok_t)
> +
> +optional_policy(`
> + udev_read_pid_files(sigrok_t)
> +')
> diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200
> +++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100
> @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + sigrok_run(user_r, user_t)
> + ')
> +
> + optional_policy(`
> spamassassin_role(user_r, user_t)
> ')

Merged.

--
Chris PeBenito