Add a SELinux Reference Policy module for the sigrok signal analysis software suite (command-line interface). Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx> --- policy/modules/contrib/sigrok.fc | 1 policy/modules/contrib/sigrok.if | 37 +++++++++++++++++++++++++++++++++++ policy/modules/contrib/sigrok.te | 39 +++++++++++++++++++++++++++++++++++++ policy/modules/roles/unprivuser.te | 4 +++ 4 files changed, 81 insertions(+) diff -pruN a/policy/modules/contrib/sigrok.fc b/policy/modules/contrib/sigrok.fc --- a/policy/modules/contrib/sigrok.fc 1970-01-01 01:00:00.000000000 +0100 +++ b/policy/modules/contrib/sigrok.fc 2018-12-25 21:33:17.512518983 +0100 @@ -0,0 +1 @@ +/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0) diff -pruN a/policy/modules/contrib/sigrok.if b/policy/modules/contrib/sigrok.if --- a/policy/modules/contrib/sigrok.if 1970-01-01 01:00:00.000000000 +0100 +++ b/policy/modules/contrib/sigrok.if 2018-12-29 14:52:30.771773190 +0100 @@ -0,0 +1,37 @@ +## <summary>sigrok signal analysis software suite.</summary> + +######################################## +## <summary> +## Execute sigrok in its domain. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`sigrok_run',` + gen_require(` + type sigrok_t, sigrok_exec_t; + attribute_role sigrok_roles; + ') + + ######################################## + # + # Declarations + # + + roleattribute $1 sigrok_roles; + + ######################################## + # + # Policy + # + + domtrans_pattern($2, sigrok_exec_t, sigrok_t) +') diff -pruN a/policy/modules/contrib/sigrok.te b/policy/modules/contrib/sigrok.te --- a/policy/modules/contrib/sigrok.te 1970-01-01 01:00:00.000000000 +0100 +++ b/policy/modules/contrib/sigrok.te 2018-12-29 16:25:21.851742375 +0100 @@ -0,0 +1,39 @@ +policy_module(sigrok, 1.0.0) + +######################################## +# +# Declarations +# + +attribute_role sigrok_roles; +roleattribute system_r sigrok_roles; + +type sigrok_t; +type sigrok_exec_t; +userdom_user_application_domain(sigrok_t, sigrok_exec_t) +role sigrok_roles types sigrok_t; + +######################################## +# +# Local policy +# + +allow sigrok_t self:fifo_file rw_fifo_file_perms; +allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms; +allow sigrok_t self:tcp_socket create_socket_perms; + +corenet_tcp_connect_all_unreserved_ports(sigrok_t) + +dev_getattr_sysfs_dirs(sigrok_t) +dev_read_sysfs(sigrok_t) +dev_rw_generic_usb_dev(sigrok_t) + +files_read_etc_files(sigrok_t) + +term_use_unallocated_ttys(sigrok_t) + +userdom_use_user_ptys(sigrok_t) + +optional_policy(` + udev_read_pid_files(sigrok_t) +') diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te --- a/policy/modules/roles/unprivuser.te 2017-05-13 21:22:22.837046352 +0200 +++ b/policy/modules/roles/unprivuser.te 2018-12-28 20:07:33.588429238 +0100 @@ -146,6 +146,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + sigrok_run(user_r, user_t) + ') + + optional_policy(` spamassassin_role(user_r, user_t) ')
