Subject: Re: [PATCH v2] Add sigrok contrib module
From: Guido Trentalancia
To: selinux-refpolicy@vger.kernel.org
Date: Fri, 04 Jan 2019 00:22:21 +0100

Yes, my fault, thanks for telling me! Revised patch (v3) posted.

On Thu, 03/01/2019 at 17.33 -0500, Chris PeBenito wrote:
> On 1/3/19 5:17 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
>
> Sorry, I missed this, but there's no longer a contrib directory, so
> this should be added to apps.
>
> > Signed-off-by: Guido Trentalancia
> > --- > > policy/modules/contrib/sigrok.fc | 1 > > policy/modules/contrib/sigrok.if | 37 > > +++++++++++++++++++++++++++++++++++ > > policy/modules/contrib/sigrok.te | 39 > > +++++++++++++++++++++++++++++++++++++ > > policy/modules/roles/unprivuser.te | 4 +++ > > 4 files changed, 81 insertions(+) > > > > diff -pruN a/policy/modules/contrib/sigrok.fc > > b/policy/modules/contrib/sigrok.fc > > --- a/policy/modules/contrib/sigrok.fc 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ b/policy/modules/contrib/sigrok.fc 2018-12-25 > > 21:33:17.512518983 +0100 > > @@ -0,0 +1 @@ > > +/usr/bin/sigrok-cli -- gen_context(system_u:object_r > > :sigrok_exec_t,s0) > > diff -pruN a/policy/modules/contrib/sigrok.if > > b/policy/modules/contrib/sigrok.if > > --- a/policy/modules/contrib/sigrok.if 1970-01-01 > > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if 2018-12-29 > > 14:52:30.771773190 +0100 > > @@ -0,0 +1,37 @@ > > +## sigrok signal analysis software suite. > > + > > +######################################## > > +## > > +## Execute sigrok in its domain. > > +## > > +## > > +## > > +## Role allowed access. > > +## > > +## > > +## > > +## > > +## User domain for the role. > > +## > > +## > > +# > > +interface(`sigrok_run',` > > + gen_require(` > > + type sigrok_t, sigrok_exec_t; > > + attribute_role sigrok_roles; > > + ') > > + > > + ######################################## > > + # > > + # Declarations > > + # > > + > > + roleattribute $1 sigrok_roles; > > + > > + ######################################## > > + # > > + # Policy > > + # > > + > > + domtrans_pattern($2, sigrok_exec_t, sigrok_t) > > +') > > diff -pruN a/policy/modules/contrib/sigrok.te > > b/policy/modules/contrib/sigrok.te > > --- a/policy/modules/contrib/sigrok.te 1970-01-01 > > 01:00:00.000000000 +0100 > > +++ b/policy/modules/contrib/sigrok.te 2018-12-29 > > 16:25:21.851742375 +0100 
> > @@ -0,0 +1,39 @@ > > +policy_module(sigrok, 1.0.0) > > + > > +######################################## > > +# > > +# Declarations > > +# > > + > > +attribute_role sigrok_roles; > > +roleattribute system_r sigrok_roles; > > + > > +type sigrok_t; > > +type sigrok_exec_t; > > +userdom_user_application_domain(sigrok_t, sigrok_exec_t) > > +role sigrok_roles types sigrok_t; > > + > > +######################################## > > +# > > +# Local policy > > +# > > + > > +allow sigrok_t self:fifo_file rw_fifo_file_perms; > > +allow sigrok_t self:netlink_kobject_uevent_socket > > create_socket_perms; > > +allow sigrok_t self:tcp_socket create_socket_perms; > > + > > +corenet_tcp_connect_all_unreserved_ports(sigrok_t) > > + > > +dev_getattr_sysfs_dirs(sigrok_t) > > +dev_read_sysfs(sigrok_t) > > +dev_rw_generic_usb_dev(sigrok_t) > > + > > +files_read_etc_files(sigrok_t) > > + > > +term_use_unallocated_ttys(sigrok_t) > > + > > +userdom_use_user_ptys(sigrok_t) > > + > > +optional_policy(` > > + udev_read_pid_files(sigrok_t) > > +') > > diff -pruN a/policy/modules/roles/unprivuser.te > > b/policy/modules/roles/unprivuser.te > > --- a/policy/modules/roles/unprivuser.te 2017-05-13 > > 21:22:22.837046352 +0200 > > +++ b/policy/modules/roles/unprivuser.te 2018-12-28 > > 20:07:33.588429238 +0100 > > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > + sigrok_run(user_r, user_t) > > + ') > > + > > + optional_policy(` > > spamassassin_role(user_r, user_t) > > ') > > > > > > -- Guido Trentalancia PGP key: http://pgp.trentalancia.com
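Review bot: In sigrok.if, sigrok_run takes the role as $1 and the domain as $2 (roleattribute $1 sigrok_roles; domtrans_pattern($2, sigrok_exec_t, sigrok_t)), which is the argument order of the _role interfaces, such as the spamassassin_role(user_r, user_t) call visible in the unprivuser.te context. Reference policy _run interfaces conventionally take the domain first and the role second and delegate the transition to a separate _domtrans interface. Either rename this to sigrok_role or swap the arguments and add a sigrok_domtrans interface that sigrok_run calls. The "Declarations" and "Policy" banner comments inside the interface body can also go; they belong in the .te file.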
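Review bot: In sigrok.te, corenet_tcp_connect_all_unreserved_ports(sigrok_t) lets the domain open TCP connections to any unreserved port, and nothing in the module or the commit message says which sigrok feature needs it. Please add a comment naming the use case, and consider narrowing the rule to the ports actually required or putting it behind a tunable so that it is off unless an administrator enables it. The same applies to dev_rw_generic_usb_dev(sigrok_t) and term_use_unallocated_ttys(sigrok_t): a one-line comment per rule on what hardware access it covers would make the grant reviewable. It is also worth explaining why roleattribute system_r sigrok_roles is needed for a domain declared with userdom_user_application_domain.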
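Review bot: In unprivuser.te, sigrok_run(user_r, user_t) is the only caller added by this patch (the diffstat touches no other role file), so staff_r and sysadm_r users get no transition into sigrok_t. If that is intentional, say so in the commit message; otherwise add the matching optional_policy blocks to the other role modules. Note also that the hunk header places the new block inside ifndef(`distro_redhat',`, so the call is compiled out when distro_redhat is defined.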