Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 70718C43387 for ; Thu, 3 Jan 2019 00:52:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 46F6420815 for ; Thu, 3 Jan 2019 00:52:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726058AbfACAw6 (ORCPT ); Wed, 2 Jan 2019 19:52:58 -0500 Received: from authsmtp44.register.it ([81.88.55.107]:53469 "EHLO authsmtp.register.it" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726056AbfACAw6 (ORCPT ); Wed, 2 Jan 2019 19:52:58 -0500 Received: from [192.168.1.1] ([93.41.32.9]) by cmsmtp with ESMTPSA id erFlgIsT6aREXerFlgfrL3; Thu, 03 Jan 2019 01:52:53 +0100 X-Rid: guido@trentalancia.com@93.41.32.9 Message-ID: <1546476773.4654.4.camel@trentalancia.com> Subject: Re: [PATCH] Add sigrok contrib module From: Guido Trentalancia To: selinux-refpolicy@vger.kernel.org Date: Thu, 03 Jan 2019 01:52:53 +0100 In-Reply-To: References: <1546098044.20582.6.camel@trentalancia.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-CMAE-Envelope: MS4wfHdaezP+uW7h1J00gNZMlC8uDiKD4F+MGMaFbk1IJlspWsLL8oFXjTsDfWITttXlxT/M4eP5v+0G3GNpI9giKSoThVeRlzJwA8aFVuBqo3KkHpOCIW1P 9DHep0S2B7RDivS0+UsH1Ar1uiZRVnCqmax6eGCfGbdvId77kJDfzdfrZvyOey4IMEFeSU6Osox+Sw== Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Hello Chris. There is no further content to be added for the command-line interface application (sigrok-cli). There are some chances that further content will be required by the graphical user interface application (pulseview), in the sense that the same permissions should be granted to such graphical application: in that case, I suppose, the pulseview binary can be simply labeled as sigrok_exec_t similarly to sigrok-cli. In short, we shall probably assume that there is no further content to be added. Can you manually amend the interface name, as you suggested, if you like? Regards, Guido On Wed, 02/01/2019 at 18.47 -0500, Chris PeBenito wrote: > On 12/29/18 10:40 AM, Guido Trentalancia wrote: > > Add a SELinux Reference Policy module for the sigrok > > signal analysis software suite (command-line interface). > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/contrib/sigrok.fc | 1 > > policy/modules/contrib/sigrok.if | 37 > > +++++++++++++++++++++++++++++++++++ > > policy/modules/contrib/sigrok.te | 39 > > +++++++++++++++++++++++++++++++++++++ > > policy/modules/roles/unprivuser.te | 4 +++ > > 4 files changed, 81 insertions(+) > > > > diff -pruN a/policy/modules/contrib/sigrok.fc > > b/policy/modules/contrib/sigrok.fc > > --- a/policy/modules/contrib/sigrok.fc 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ b/policy/modules/contrib/sigrok.fc 2018-12-25 > > 21:33:17.512518983 +0100 > > @@ -0,0 +1 @@ > > +/usr/bin/sigrok-cli -- gen_context(system_u:object_r > > :sigrok_exec_t,s0) > > diff -pruN a/policy/modules/contrib/sigrok.if > > b/policy/modules/contrib/sigrok.if > > --- a/policy/modules/contrib/sigrok.if 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ b/policy/modules/contrib/sigrok.if 2018-12-29 > > 14:52:30.771773190 +0100 > > @@ -0,0 +1,37 @@ > > +## sigrok signal analysis software suite. > > + > > +######################################## > > +## > > +## Role access for sigrok. > > +## > > +## > > +## > > +## Role allowed access. > > +## > > +## > > +## > > +## > > +## User domain for the role. > > +## > > +## > > +# > > +interface(`sigrok_role',` > > + gen_require(` > > + type sigrok_t, sigrok_exec_t; > > + attribute_role sigrok_roles; > > + ') > > + > > + ######################################## > > + # > > + # Declarations > > + # > > + > > + roleattribute $1 sigrok_roles; > > + > > + ######################################## > > + # > > + # Policy > > + # > > + > > + domtrans_pattern($2, sigrok_exec_t, sigrok_t) > > +') > > Is there going to be future content for this module, especially for > this > interface? It is the equivalent of a "run" interface, which would > make > more sense, unless there will be more content added in the future. > > > > diff -pruN a/policy/modules/contrib/sigrok.te > > b/policy/modules/contrib/sigrok.te > > --- a/policy/modules/contrib/sigrok.te 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ b/policy/modules/contrib/sigrok.te 2018-12-29 > > 16:25:21.851742375 +0100 > > @@ -0,0 +1,39 @@ > > +policy_module(sigrok, 1.0.0) > > + > > +######################################## > > +# > > +# Declarations > > +# > > + > > +attribute_role sigrok_roles; > > +roleattribute system_r sigrok_roles; > > + > > +type sigrok_t; > > +type sigrok_exec_t; > > +userdom_user_application_domain(sigrok_t, sigrok_exec_t) > > +role sigrok_roles types sigrok_t; > > + > > +######################################## > > +# > > +# Local policy > > +# > > + > > +allow sigrok_t self:fifo_file rw_fifo_file_perms; > > +allow sigrok_t self:netlink_kobject_uevent_socket > > create_socket_perms; > > +allow sigrok_t self:tcp_socket create_socket_perms; > > + > > +corenet_tcp_connect_all_unreserved_ports(sigrok_t) > > + > > +dev_getattr_sysfs_dirs(sigrok_t) > > +dev_read_sysfs(sigrok_t) > > +dev_rw_generic_usb_dev(sigrok_t) > > + > > +files_read_etc_files(sigrok_t) > > + > > +term_use_unallocated_ttys(sigrok_t) > > + > > +userdom_use_user_ptys(sigrok_t) > > + > > +optional_policy(` > > + udev_read_pid_files(sigrok_t) > > +') > > diff -pruN a/policy/modules/roles/unprivuser.te > > b/policy/modules/roles/unprivuser.te > > --- a/policy/modules/roles/unprivuser.te 2017-05-13 > > 21:22:22.837046352 +0200 > > +++ b/policy/modules/roles/unprivuser.te 2018-12-28 > > 20:07:33.588429238 +0100 > > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > + sigrok_role(user_r, user_t) > > + ') > > + > > + optional_policy(` > > spamassassin_role(user_r, user_t) > > ') > > > > > >