#DESC Lpd - Print server
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lpr
#

#################################
#
# Rules for the lpd_t domain.
#
# lpd_t is the domain of lpd.
# lpd_exec_t is the type of the lpd executable.
# printer_t is the type of the Unix domain socket created
# by lpd.
#
daemon_domain(lpd)

allow lpd_t lpd_var_run_t:sock_file create_file_perms;

read_fonts(lpd_t)

type printer_t, file_type, sysadmfile, dev_fs;

type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.

tmp_domain(lpd);

# for postscript include files
allow lpd_t usr_t:{ file lnk_file } { getattr read };

# Allow checkpc to access the lpd spool so it can check & fix it.
# This requires that /usr/sbin/checkpc have type checkpc_t.
type checkpc_t, domain, privlog;
role system_r types checkpc_t;
uses_shlib(checkpc_t)
can_network_client(checkpc_t)
allow checkpc_t port_type:tcp_socket name_connect;
can_ypbind(checkpc_t)
log_domain(checkpc)
type checkpc_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
role sysadm_r types checkpc_t;
allow checkpc_t admin_tty_type:chr_file { read write };
allow checkpc_t privfd:fd use;
ifdef(`crond.te', `
system_crond_entry(checkpc_exec_t, checkpc_t)
')
allow checkpc_t self:capability { setgid setuid dac_override };
allow checkpc_t self:process { fork signal_perms };

allow checkpc_t proc_t:dir search;
allow checkpc_t proc_t:lnk_file read;
allow checkpc_t proc_t:file { getattr read };
r_dir_file(checkpc_t, self)
allow checkpc_t self:unix_stream_socket create_socket_perms;

allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
allow checkpc_t etc_t:lnk_file read;

allow checkpc_t { var_t var_spool_t }:dir { getattr search };
allow checkpc_t print_spool_t:file { rw_file_perms unlink };
allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
allow checkpc_t device_t:dir search;
allow checkpc_t printer_device_t:chr_file { getattr append };
allow checkpc_t devtty_t:chr_file rw_file_perms;
allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;

# Allow access to /dev/console through the fd:
allow checkpc_t init_t:fd use;

# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
allow checkpc_t { bin_t sbin_t }:dir search;
allow checkpc_t bin_t:lnk_file read;
can_exec(checkpc_t, shell_exec_t)
can_exec(checkpc_t, bin_t)

# bash wants access to /proc/meminfo
allow lpd_t proc_t:file { getattr read };

# gs-gnu wants to read some sysctl entries, it seems to work without though
dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;

# for defoma
r_dir_file(lpd_t, var_lib_t)

allow checkpc_t var_run_t:dir search;
allow checkpc_t lpd_var_run_t:dir { search getattr };

# This is needed to permit chown to read /var/spool/lpd/lp.
# This is opens up security more than necessary; this means that ANYTHING
# running in the initrc_t domain can read the printer spool directory.
# Perhaps executing /etc/rc.d/init.d/lpd should transition
# to domain lpd_t, instead of waiting for executing lpd.
allow initrc_t print_spool_t:dir read;

# for defoma
r_dir_file(lpd_t, readable_t)

# Use capabilities.
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };

# Use the network.
can_network_server(lpd_t)
can_ypbind(lpd_t)
allow lpd_t self:fifo_file rw_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;

allow lpd_t self:file { getattr read };
allow lpd_t etc_runtime_t:file { getattr read };

# Bind to the printer port.
allow lpd_t printer_port_t:tcp_socket name_bind;

# Send to portmap.
ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')

ifdef(`ypbind.te',
`# Connect to ypbind.
can_tcp_connect(lpd_t, ypbind_t)')

# Create and bind to /dev/printer.
file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
allow lpd_t printer_device_t:chr_file rw_file_perms;

# Write to /var/spool/lpd.
allow lpd_t var_spool_t:dir search;
allow lpd_t print_spool_t:dir rw_dir_perms;
allow lpd_t print_spool_t:file create_file_perms;
allow lpd_t print_spool_t:file rw_file_perms;

# Execute filter scripts.
# can_exec(lpd_t, print_spool_t)

# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
allow lpd_t bin_t:dir search;
allow lpd_t bin_t:lnk_file read;
can_exec(lpd_t, { bin_t sbin_t shell_exec_t })

# lpd must be able to execute the filter utilities in /usr/share/printconf.
can_exec(lpd_t, printconf_t)
allow lpd_t printconf_t:file rx_file_perms;
allow lpd_t printconf_t:dir { getattr search read };

# config files for lpd are of type etc_t, probably should change this
allow lpd_t etc_t:file { getattr read };
allow lpd_t etc_t:lnk_file read;

# checkpc needs similar permissions.
allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:dir { getattr search read };

# Read printconf files.
allow initrc_t printconf_t:dir r_dir_perms;
allow initrc_t printconf_t:file r_file_perms;