add lpr policy to lpd
This commit is contained in:
Chris PeBenito
parent
2bcdbd8ca3
commit
8dca6b9756
@ -1,3 +1,4 @@
|
||||
- Add lpr per-userdomain policy to lpd.
|
||||
- Miscellaneous fixes from Dan Walsh.
|
||||
- Change initrc_var_run_t interface noun from script_pid to utmp,
|
||||
for greater clarity.
|
||||
|
||||
@ -1738,7 +1738,6 @@ interface(`fs_rw_nfsd_fs',`
|
||||
allow $1 nfsd_fs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a RAM filesystem.
|
||||
|
||||
@ -97,6 +97,25 @@ interface(`cups_dbus_chat_config',`
|
||||
allow cupsd_config_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cups configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_read_config',`
|
||||
gen_require(`
|
||||
type cupsd_etc_t, cupsd_rw_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 cupsd_etc_t:dir search_dir_perms;
|
||||
allow $1 cupsd_etc_t:file { getattr read };
|
||||
allow $1 cupsd_rw_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cups-writable configuration files.
|
||||
@ -150,3 +169,21 @@ interface(`cups_stream_connect_ptal',`
|
||||
allow $1 ptal_var_run_t:sock_file write;
|
||||
allow $1 ptal_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to cups over TCP.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_tcp_connect',`
|
||||
gen_require(`
|
||||
type cupsd_t;
|
||||
')
|
||||
|
||||
allow $1 cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
')
|
||||
|
||||
@ -1,10 +1,20 @@
|
||||
|
||||
#
|
||||
# /dev
|
||||
#
|
||||
/dev/printer -s gen_context(system_u:object_r:printer_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
|
||||
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
|
||||
|
||||
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
||||
/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
|
||||
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
|
||||
|
||||
@ -1,5 +1,240 @@
|
||||
## <summary>Line printer daemon</summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for the lpd module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for lpr printing client.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## The type of the user domain.
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## The role associated with the user domain.
|
||||
## </param>
|
||||
#
|
||||
template(`lpd_per_userdomain_template',`
|
||||
gen_require(`
|
||||
type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
# Derived domain based on the calling user domain and the program
|
||||
type $1_lpr_t;
|
||||
domain_type($1_lpr_t)
|
||||
domain_entry_file($1_lpr_t,lpr_exec_t)
|
||||
role $3 types $1_lpr_t;
|
||||
|
||||
type $1_lpr_tmp_t;
|
||||
files_tmp_file($1_lpr_tmp_t)
|
||||
|
||||
# Type for spool files.
|
||||
type $1_print_spool_t;
|
||||
files_type($1_print_spool_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
|
||||
allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_lpr_t self:tcp_socket create_socket_perms;
|
||||
allow $1_lpr_t self:udp_socket create_socket_perms;
|
||||
|
||||
# lpr can run in lightweight mode, without a local print spooler.
|
||||
allow $1_lpr_t lpd_var_run_t:dir search;
|
||||
allow $1_lpr_t lpd_var_run_t:sock_file write;
|
||||
files_read_var_files($1_lpr_t)
|
||||
|
||||
# Connect to lpd via a Unix domain socket.
|
||||
allow $1_lpr_t printer_t:sock_file rw_file_perms;
|
||||
allow $1_lpr_t lpd_t:unix_stream_socket connectto;
|
||||
# connecto to a network lpd
|
||||
allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
|
||||
allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
|
||||
# Send SIGHUP to lpd.
|
||||
allow $1_lpr_t lpd_t:process signal;
|
||||
|
||||
can_exec($1_lpr_t,lpr_exec_t)
|
||||
|
||||
allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
|
||||
allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_lpr_t, $1_lpr_tmp_t, { file dir })
|
||||
|
||||
allow $1_lpr_t $1_print_spool_t:file create_file_perms;
|
||||
allow $1_lpr_t print_spool_t:dir rw_dir_perms;
|
||||
type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
|
||||
# Read and write shared files in the spool directory.
|
||||
allow $1_lpr_t print_spool_t:file rw_file_perms;
|
||||
|
||||
allow $1_lpr_t printconf_t:dir r_dir_perms;
|
||||
allow $1_lpr_t printconf_t:file r_file_perms;
|
||||
allow $1_lpr_t printconf_t:lnk_file { getattr read };
|
||||
|
||||
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
allow $2 $1_lpr_t:fd use;
|
||||
allow $1_lpr_t $2:fd use;
|
||||
allow $1_lpr_t $2:fifo_file rw_file_perms;
|
||||
allow $1_lpr_t $2:process sigchld;
|
||||
domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
|
||||
|
||||
allow $2 $1_lpr_t:process signull;
|
||||
|
||||
# Allow lpd to read, rename, and unlink spool files.
|
||||
allow lpd_t $1_print_spool_t:file r_file_perms;
|
||||
allow lpd_t $1_print_spool_t:file link_file_perms;
|
||||
|
||||
kernel_tcp_recvfrom($1_lpr_t)
|
||||
|
||||
corenet_tcp_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_udp_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_raw_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_lpr_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_lpr_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_lpr_t)
|
||||
corenet_udp_sendrecv_all_ports($1_lpr_t)
|
||||
corenet_tcp_bind_all_nodes($1_lpr_t)
|
||||
corenet_udp_bind_all_nodes($1_lpr_t)
|
||||
corenet_tcp_connect_all_ports($1_lpr_t)
|
||||
|
||||
# for /dev/null
|
||||
dev_list_all_dev_nodes($1_lpr_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_lpr_t)
|
||||
|
||||
files_search_spool($1_lpr_t)
|
||||
# for lpd config files (should have a new type)
|
||||
files_read_etc_files($1_lpr_t)
|
||||
# for test print
|
||||
files_read_usr_files($1_lpr_t)
|
||||
#Added to cover read_content macro
|
||||
files_list_home($1_lpr_t)
|
||||
files_read_generic_tmp_files($1_lpr_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_lpr_t)
|
||||
|
||||
# Access the terminal.
|
||||
term_use_controlling_term($1_lpr_t)
|
||||
term_use_generic_pty($1_lpr_t)
|
||||
|
||||
libs_use_ld_so($1_lpr_t)
|
||||
libs_use_shared_libs($1_lpr_t)
|
||||
|
||||
miscfiles_read_localization($1_lpr_t)
|
||||
|
||||
sysnet_read_config($1_lpr_t)
|
||||
|
||||
userdom_read_user_tmp_symlinks($1,$1_lpr_t)
|
||||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_lpr_t)
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_lpr_t)
|
||||
files_read_default_symlinks($1_lpr_t)
|
||||
files_read_default_files($1_lpr_t)
|
||||
')
|
||||
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
#list and read user specific untrusted content
|
||||
files_list_home($1_lpr_t)
|
||||
userdom_list_user_home($1,$1_lpr_t)
|
||||
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
|
||||
|
||||
#list and read user specific temporary untrusted content
|
||||
files_list_tmp($1_lpr_t)
|
||||
userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
files_list_home($1_lpr_t)
|
||||
fs_list_auto_mountpoints($1_lpr_t)
|
||||
fs_read_nfs_files($1_lpr_t)
|
||||
fs_read_nfs_symlinks($1_lpr_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
files_list_home($1_lpr_t)
|
||||
fs_list_auto_mountpoints($1_lpr_t)
|
||||
fs_read_cifs_files($1_lpr_t)
|
||||
fs_read_cifs_symlinks($1_lpr_t)
|
||||
')
|
||||
|
||||
optional_policy(`cups',`
|
||||
cups_read_config($1_lpr_t)
|
||||
cups_tcp_connect($1_lpr_t)
|
||||
cups_read_config($2)
|
||||
cups_tcp_connect($2)
|
||||
')
|
||||
|
||||
optional_policy(`logging',`
|
||||
logging_send_syslog_msg($1_lpr_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket($1_lpr_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind($1_lpr_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`xdm', `
|
||||
allow $1_lpr_t xdm_t:fd use;
|
||||
allow $1_lpr_t xdm_var_run_t:dir search;
|
||||
allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The administrative functions template for the lpd module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates rules for administrating the ldp service,
|
||||
## allowing the specified user to manage lpr files.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
#
|
||||
template(`lpr_admin_template',`
|
||||
gen_require(`
|
||||
type $1_lpr_t;
|
||||
')
|
||||
|
||||
userdom_read_all_user_files($1_lpr_t)
|
||||
|
||||
# Allow per user lpr domain read acces for specific user.
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
userdom_read_all_untrusted_content($1_lpr_t)
|
||||
userdom_read_all_tmp_untrusted_content($1_lpr_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute lpd in the lpd domain.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd,1.1.0)
|
||||
policy_module(lpd,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -24,6 +24,9 @@ files_tmp_file(lpd_tmp_t)
|
||||
type lpd_var_run_t;
|
||||
files_pid_file(lpd_var_run_t)
|
||||
|
||||
type lpr_exec_t;
|
||||
files_type(lpr_exec_t)
|
||||
|
||||
type print_spool_t;
|
||||
files_tmp_file(print_spool_t)
|
||||
|
||||
@ -152,6 +155,7 @@ allow lpd_t printer_t:unix_stream_socket name_bind;
|
||||
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
||||
|
||||
kernel_read_kernel_sysctl(lpd_t)
|
||||
kernel_tcp_recvfrom(lpd_t)
|
||||
# bash wants access to /proc/meminfo
|
||||
kernel_read_system_state(lpd_t)
|
||||
|
||||
|
||||
@ -57,11 +57,11 @@ template(`base_user_template',`
|
||||
files_tmpfs_file($1_tmpfs_t)
|
||||
|
||||
# types for network-obtained content
|
||||
type $1_untrusted_content_t, $1_file_type; #, customizable
|
||||
type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
|
||||
files_type($1_untrusted_content_t)
|
||||
files_poly_member($1_untrusted_content_t)
|
||||
|
||||
type $1_untrusted_content_tmp_t, $1_file_type; # customizable
|
||||
type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
|
||||
files_tmp_file($1_untrusted_content_tmp_t)
|
||||
|
||||
type $1_tty_device_t;
|
||||
@ -915,6 +915,10 @@ template(`admin_user_template',`
|
||||
cron_admin_template($1,$1_t,$1_r)
|
||||
')
|
||||
|
||||
optional_policy(`lpd',`
|
||||
lpr_admin_template($1,$1_t,$1_r)
|
||||
')
|
||||
|
||||
optional_policy(`mta',`
|
||||
mta_admin_template($1,$1_t,$1_r)
|
||||
')
|
||||
@ -1117,6 +1121,36 @@ template(`userdom_search_user_home',`
|
||||
allow $2 $1_home_dir_t:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List user home directories.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## List user home directories.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
template(`userdom_list_user_home',`
|
||||
gen_require(`
|
||||
type $1_home_dir_t;
|
||||
')
|
||||
|
||||
files_search_home($2)
|
||||
allow $2 $1_home_dir_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do a domain transition to the specified
|
||||
@ -2251,6 +2285,40 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',`
|
||||
allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all user untrusted content files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_all_untrusted_content',`
|
||||
gen_require(`
|
||||
attribute untrusted_content_type;
|
||||
')
|
||||
|
||||
allow $1 untrusted_content_type:dir r_dir_perms;
|
||||
allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all user temporary untrusted content files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_all_tmp_untrusted_content',`
|
||||
gen_require(`
|
||||
attribute untrusted_content_tmp_type;
|
||||
')
|
||||
|
||||
allow $1 untrusted_content_tmp_type:dir r_dir_perms;
|
||||
allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a user domain tty and pty.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.2.1)
|
||||
policy_module(userdomain,1.2.2)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r, secadm_r;
|
||||
@ -43,6 +43,9 @@ attribute userdomain;
|
||||
# unprivileged user domains
|
||||
attribute unpriv_userdomain;
|
||||
|
||||
attribute untrusted_content_type;
|
||||
attribute untrusted_content_tmp_type;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
|
||||
Loading…
Reference in New Issue
Block a user