# # Macros for lpr domains. # # # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # # # lpr_domain(domain_prefix) # # Define a derived domain for the lpr/lpq/lprm programs when executed # by a user domain. # # The type declaration for the executable type for this program is # provided separately in domains/program/lpr.te. # undefine(`lpr_domain') define(`lpr_domain',` # Derived domain based on the calling user domain and the program type $1_lpr_t, domain, privlog, nscd_client_domain; # Transition from the user domain to the derived domain. domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t) allow $1_t $1_lpr_t:process signull; # allow using shared objects, accessing root dir, etc uses_shlib($1_lpr_t) read_locale($1_lpr_t) # The user role is authorized for this domain. role $1_r types $1_lpr_t; # This domain is granted permissions common to most domains (including can_net) can_network_client($1_lpr_t) allow $1_lpr_t port_type:tcp_socket name_connect; can_ypbind($1_lpr_t) # Use capabilities. allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown }; allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms; # for lpd config files (should have a new type) r_dir_file($1_lpr_t, etc_t) # for test print r_dir_file($1_lpr_t, usr_t) ifdef(`lpd.te', ` r_dir_file($1_lpr_t, printconf_t) ') tmp_domain($1_lpr) # Type for spool files. type $1_print_spool_t, file_type, sysadmfile; # Use this type when creating files in /var/spool/lpd and /var/spool/cups. file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file) allow $1_lpr_t var_spool_t:dir search; # for /dev/null allow $1_lpr_t device_t:dir search; # Access the terminal. access_terminal($1_lpr_t, $1) # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;') allow $1_lpr_t privfd:fd use; # Read user files. read_content(sysadm_lpr_t, $1) read_content($1_lpr_t, $1) # Read and write shared files in the spool directory. allow $1_lpr_t print_spool_t:file rw_file_perms; # lpr can run in lightweight mode, without a local print spooler. If the # lpd policy is present, grant some permissions for this domain and the lpd # domain to interact. ifdef(`lpd.te', ` allow $1_lpr_t { var_t var_run_t }:dir search; allow $1_lpr_t lpd_var_run_t:dir search; allow $1_lpr_t lpd_var_run_t:sock_file write; # Allow lpd to read, rename, and unlink spool files. allow lpd_t $1_print_spool_t:file r_file_perms; allow lpd_t $1_print_spool_t:file link_file_perms; # Connect to lpd via a Unix domain socket. allow $1_lpr_t printer_t:sock_file rw_file_perms; can_unix_connect($1_lpr_t, lpd_t) dontaudit $1_lpr_t $1_t:unix_stream_socket { read write }; # Connect to lpd via a TCP socket. can_tcp_connect($1_lpr_t, lpd_t) allow $1_lpr_t fs_t:filesystem getattr; # Send SIGHUP to lpd. allow $1_lpr_t lpd_t:process signal; ')dnl end if lpd.te ifdef(`xdm.te', ` can_pipe_xdm($1_lpr_t) ') ifdef(`cups.te', ` allow { $1_lpr_t $1_t } cupsd_etc_t:dir search; allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read }; can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t) ')dnl end ifdef cups.te ')dnl end macro definition