Add sigrok contrib module

Add a SELinux Reference Policy module for the sigrok signal analysis software suite (command-line interface). Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2019-01-04 00:20:14 +01:00 · 2019-01-04 00:20:14 +01:00 · 9e6febb049
commit 9e6febb049
parent 65b7fa3f43
4 changed files with 81 additions and 0 deletions
--- a/policy/modules/apps/sigrok.fc
+++ b/policy/modules/apps/sigrok.fc
@ -0,0 +1 @@
+/usr/bin/sigrok-cli	--	gen_context(system_u:object_r:sigrok_exec_t,s0)
--- a/policy/modules/apps/sigrok.if
+++ b/policy/modules/apps/sigrok.if
@ -0,0 +1,37 @@
+## <summary>sigrok signal analysis software suite.</summary>
+
+########################################
+## <summary>
+##	Execute sigrok in its domain.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`sigrok_run',`
+	gen_require(`
+		type sigrok_t, sigrok_exec_t;
+		attribute_role sigrok_roles;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	roleattribute $1 sigrok_roles;
+
+	########################################
+	#
+	# Policy
+	#
+
+	domtrans_pattern($2, sigrok_exec_t, sigrok_t)
+')
--- a/policy/modules/apps/sigrok.te
+++ b/policy/modules/apps/sigrok.te
@ -0,0 +1,39 @@
+policy_module(sigrok, 1.0.0)
+  
+########################################
+#
+# Declarations
+#
+
+attribute_role sigrok_roles;
+roleattribute system_r sigrok_roles;
+
+type sigrok_t;
+type sigrok_exec_t;
+userdom_user_application_domain(sigrok_t, sigrok_exec_t)
+role sigrok_roles types sigrok_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sigrok_t self:fifo_file rw_fifo_file_perms;
+allow sigrok_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow sigrok_t self:tcp_socket create_socket_perms;
+
+corenet_tcp_connect_all_unreserved_ports(sigrok_t)
+
+dev_getattr_sysfs_dirs(sigrok_t)
+dev_read_sysfs(sigrok_t)
+dev_rw_generic_usb_dev(sigrok_t)
+
+files_read_etc_files(sigrok_t)
+
+term_use_unallocated_ttys(sigrok_t)
+
+userdom_use_user_ptys(sigrok_t)
+
+optional_policy(`
+	udev_read_pid_files(sigrok_t)
+')
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@ -149,6 +149,10 @@ ifndef(`distro_redhat',`
 		rssh_role(user_r, user_t)
 	')

+	optional_policy(`
+		sigrok_run(user_r, user_t)
+	')
+
 	optional_policy(`
 		spamassassin_role(user_r, user_t)
 	')
				`@ -0,0 +1 @@`
				`/usr/bin/sigrok-cli -- gen_context(system_u:object_r:sigrok_exec_t,s0)`