Re: [PATCH] Add sigrok contrib module

Hello Chris.

There is no further content to be added for the command-line interface
application (sigrok-cli).

There are some chances that further content will be required by the
graphical user interface application (pulseview), in the sense that the
same permissions should be granted to such a graphical application: in
that case, I suppose, the pulseview binary can be simply labeled as
sigrok_exec_t similarly to sigrok-cli.

In short, we shall probably assume that there is no further content to
be added.

Can you manually amend the interface name, as you suggested, if you
like?

Regards,

Guido

On Wed, 02/01/2019 at 18.47 -0500, Chris PeBenito wrote:
> On 12/29/18 10:40 AM, Guido Trentalancia wrote:
> > Add a SELinux Reference Policy module for the sigrok
> > signal analysis software suite (command-line interface).
> > 
> > Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
> > ---
> >   policy/modules/contrib/sigrok.fc   |    1
> >   policy/modules/contrib/sigrok.if   |   37
> > +++++++++++++++++++++++++++++++++++
> >   policy/modules/contrib/sigrok.te   |   39
> > +++++++++++++++++++++++++++++++++++++
> >   policy/modules/roles/unprivuser.te |    4 +++
> >   4 files changed, 81 insertions(+)
> > 
> > diff -pruN a/policy/modules/contrib/sigrok.fc
> > b/policy/modules/contrib/sigrok.fc
> > --- a/policy/modules/contrib/sigrok.fc	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.fc	2018-12-25
> > 21:33:17.512518983 +0100
> > @@ -0,0 +1 @@
> > +/usr/bin/sigrok-cli	--	gen_context(system_u:object_r
> > :sigrok_exec_t,s0)
> > diff -pruN a/policy/modules/contrib/sigrok.if
> > b/policy/modules/contrib/sigrok.if
> > --- a/policy/modules/contrib/sigrok.if	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.if	2018-12-29
> > 14:52:30.771773190 +0100
> > @@ -0,0 +1,37 @@
> > +## <summary>sigrok signal analysis software suite.</summary>
> > +
> > +########################################
> > +## <summary>
> > +##	Role access for sigrok.
> > +## </summary>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="domain">
> > +##	<summary>
> > +##	User domain for the role.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`sigrok_role',`
> > +	gen_require(`
> > +		type sigrok_t, sigrok_exec_t;
> > +		attribute_role sigrok_roles;
> > +	')
> > +
> > +	########################################
> > +	#
> > +	# Declarations
> > +	#
> > +
> > +	roleattribute $1 sigrok_roles;
> > +
> > +	########################################
> > +	#
> > +	# Policy
> > +	#
> > +
> > +	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
> > +')
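
Review bot: sigrok_role grants the user domain ($2) nothing beyond domtrans_pattern($2, sigrok_exec_t, sigrok_t), so the user can start sigrok_t but the interface itself gives no way to list or signal the resulting process. Role interfaces normally also carry something like `ps_process_pattern($2, sigrok_t)` and `allow $2 sigrok_t:process signal_perms;`; if those are not wanted, this is a plain run interface and would read better named as one. The "Declarations" and "Policy" banner comments inside the interface body are unusual for an .if file and can be dropped.
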
> 
> Is there going to be future content for this module, especially for
> this 
> interface?  It is the equivalent of a "run" interface, which would
> make 
> more sense, unless there will be more content added in the future.
> 
> 
> > diff -pruN a/policy/modules/contrib/sigrok.te
> > b/policy/modules/contrib/sigrok.te
> > --- a/policy/modules/contrib/sigrok.te	1970-01-01
> > 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/sigrok.te	2018-12-29
> > 16:25:21.851742375 +0100
> > @@ -0,0 +1,39 @@
> > +policy_module(sigrok, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +attribute_role sigrok_roles;
> > +roleattribute system_r sigrok_roles;
> > +
> > +type sigrok_t;
> > +type sigrok_exec_t;
> > +userdom_user_application_domain(sigrok_t, sigrok_exec_t)
> > +role sigrok_roles types sigrok_t;
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow sigrok_t self:fifo_file rw_fifo_file_perms;
> > +allow sigrok_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > +allow sigrok_t self:tcp_socket create_socket_perms;
> > +
> > +corenet_tcp_connect_all_unreserved_ports(sigrok_t)
> > +
> > +dev_getattr_sysfs_dirs(sigrok_t)
> > +dev_read_sysfs(sigrok_t)
> > +dev_rw_generic_usb_dev(sigrok_t)
> > +
> > +files_read_etc_files(sigrok_t)
> > +
> > +term_use_unallocated_ttys(sigrok_t)
> > +
> > +userdom_use_user_ptys(sigrok_t)
> > +
> > +optional_policy(`
> > +	udev_read_pid_files(sigrok_t)
> > +')
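
Review bot: corenet_tcp_connect_all_unreserved_ports(sigrok_t), together with the self:tcp_socket create_socket_perms rule, lets sigrok_t open outbound TCP connections to any unreserved port, which is a wide grant for a user application domain that also has dev_rw_generic_usb_dev. Nothing in the patch documents why network access is needed; a comment stating the use case, plus either a narrower port type or a tunable around the two network rules, would keep the default tighter. term_use_unallocated_ttys(sigrok_t) likewise has no explanatory comment.
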
> > diff -pruN a/policy/modules/roles/unprivuser.te
> > b/policy/modules/roles/unprivuser.te
> > --- a/policy/modules/roles/unprivuser.te	2017-05-13
> > 21:22:22.837046352 +0200
> > +++ b/policy/modules/roles/unprivuser.te	2018-12-28
> > 20:07:33.588429238 +0100
> > @@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
> >   	')
> >   
> >   	optional_policy(`
> > +		sigrok_role(user_r, user_t)
> > +	')
> > +
> > +	optional_policy(`
> >   		spamassassin_role(user_r, user_t)
> >   	')
> >   
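
Review bot: the sigrok_role(user_r, user_t) call is added only to unprivuser.te, and the hunk header shows it sits inside the ifndef(`distro_redhat', block, so staff_r and sysadm_r users, and any user on a distro_redhat build, get no transition into sigrok_t and would run sigrok-cli in their own domain. If that is intended, say so in the commit message; otherwise add the matching optional_policy call to the other role modules.
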
> > 
> 
> 


