Re: [PATCH v3] Add sigrok contrib module

Chris PeBenito <pebenito@xxxxxxxx> · Thu, 3 Jan 2019 20:52:53 -0500

On 1/3/19 6:20 PM, Guido Trentalancia wrote:
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
---
  policy/modules/apps/sigrok.fc   |    1
  policy/modules/apps/sigrok.if   |   37 +++++++++++++++++++++++++++++++++++
  policy/modules/apps/sigrok.te   |   39 +++++++++++++++++++++++++++++++++++++
  policy/modules/roles/unprivuser.te |    4 +++
  4 files changed, 81 insertions(+)

diff -pruN a/policy/modules/apps/sigrok.fc b/policy/modules/apps/sigrok.fc

--- a/policy/modules/apps/sigrok.fc	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.fc	2018-12-25 21:33:17.512518983 +0100
@@ -0,0 +1 @@
+/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
diff -pruN a/policy/modules/apps/sigrok.if b/policy/modules/apps/sigrok.if
--- a/policy/modules/apps/sigrok.if	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.if	2018-12-29 14:52:30.771773190 +0100
@@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+##	Execute sigrok in its domain.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`sigrok_run',`
+	gen_require(`
+		type sigrok_t, sigrok_exec_t;
+		attribute_role sigrok_roles;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	roleattribute $1 sigrok_roles;
+
+	########################################
+	#
+	# Policy
+	#
+
+	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
diff -pruN a/policy/modules/apps/sigrok.te b/policy/modules/apps/sigrok.te
--- a/policy/modules/apps/sigrok.te	1970-01-01 01:00:00.000000000 +0100
+++ b/policy/modules/apps/sigrok.te	2018-12-29 16:25:21.851742375 +0100
@@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+	udev_read_pid_files(sigrok_t)
+')
diff -pruN a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te	2017-05-13 21:22:22.837046352 +0200
+++ b/policy/modules/roles/unprivuser.te	2018-12-28 20:07:33.588429238 +0100
@@ -146,6 +146,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
+		sigrok_run(user_r, user_t)
+	')
+
+	optional_policy(`
  		spamassassin_role(user_r, user_t)
  	')

Merged.

--
Chris PeBenito






