#DESC Lpd - Print server # # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1) # Modified by Russell Coker <russell@coker.com.au> # X-Debian-Packages: lpr # ################################# # # Rules for the lpd_t domain. # # lpd_t is the domain of lpd. # lpd_exec_t is the type of the lpd executable. # printer_t is the type of the Unix domain socket created # by lpd. # daemon_domain(lpd) allow lpd_t lpd_var_run_t:sock_file create_file_perms; read_fonts(lpd_t) type printer_t, file_type, sysadmfile, dev_fs; type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf. tmp_domain(lpd); # for postscript include files allow lpd_t usr_t:{ file lnk_file } { getattr read }; # Allow checkpc to access the lpd spool so it can check & fix it. # This requires that /usr/sbin/checkpc have type checkpc_t. type checkpc_t, domain, privlog; role system_r types checkpc_t; uses_shlib(checkpc_t) can_network_client(checkpc_t) allow checkpc_t port_type:tcp_socket name_connect; can_ypbind(checkpc_t) log_domain(checkpc) type checkpc_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t) domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t) role sysadm_r types checkpc_t; allow checkpc_t admin_tty_type:chr_file { read write }; allow checkpc_t privfd:fd use; ifdef(`crond.te', ` system_crond_entry(checkpc_exec_t, checkpc_t) ') allow checkpc_t self:capability { setgid setuid dac_override }; allow checkpc_t self:process { fork signal_perms }; allow checkpc_t proc_t:dir search; allow checkpc_t proc_t:lnk_file read; allow checkpc_t proc_t:file { getattr read }; r_dir_file(checkpc_t, self) allow checkpc_t self:unix_stream_socket create_socket_perms; allow checkpc_t { etc_t etc_runtime_t }:file { getattr read }; allow checkpc_t etc_t:lnk_file read; allow checkpc_t { var_t var_spool_t }:dir { getattr search }; allow checkpc_t print_spool_t:file { rw_file_perms unlink }; allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr }; allow checkpc_t device_t:dir search; allow checkpc_t printer_device_t:chr_file { getattr append }; allow checkpc_t devtty_t:chr_file rw_file_perms; allow checkpc_t initrc_devpts_t:chr_file rw_file_perms; # Allow access to /dev/console through the fd: allow checkpc_t init_t:fd use; # This is less desirable, but checkpc demands /bin/bash and /bin/chown: allow checkpc_t { bin_t sbin_t }:dir search; allow checkpc_t bin_t:lnk_file read; can_exec(checkpc_t, shell_exec_t) can_exec(checkpc_t, bin_t) # bash wants access to /proc/meminfo allow lpd_t proc_t:file { getattr read }; # gs-gnu wants to read some sysctl entries, it seems to work without though dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search; # for defoma r_dir_file(lpd_t, var_lib_t) allow checkpc_t var_run_t:dir search; allow checkpc_t lpd_var_run_t:dir { search getattr }; # This is needed to permit chown to read /var/spool/lpd/lp. # This is opens up security more than necessary; this means that ANYTHING # running in the initrc_t domain can read the printer spool directory. # Perhaps executing /etc/rc.d/init.d/lpd should transition # to domain lpd_t, instead of waiting for executing lpd. allow initrc_t print_spool_t:dir read; # for defoma r_dir_file(lpd_t, readable_t) # Use capabilities. allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; # Use the network. can_network_server(lpd_t) can_ypbind(lpd_t) allow lpd_t self:fifo_file rw_file_perms; allow lpd_t self:unix_stream_socket create_stream_socket_perms; allow lpd_t self:unix_dgram_socket create_socket_perms; allow lpd_t self:file { getattr read }; allow lpd_t etc_runtime_t:file { getattr read }; # Bind to the printer port. allow lpd_t printer_port_t:tcp_socket name_bind; # Send to portmap. ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)') ifdef(`ypbind.te', `# Connect to ypbind. can_tcp_connect(lpd_t, ypbind_t)') # Create and bind to /dev/printer. file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file) allow lpd_t printer_t:unix_stream_socket name_bind; allow lpd_t printer_t:unix_dgram_socket name_bind; allow lpd_t printer_device_t:chr_file rw_file_perms; # Write to /var/spool/lpd. allow lpd_t var_spool_t:dir search; allow lpd_t print_spool_t:dir rw_dir_perms; allow lpd_t print_spool_t:file create_file_perms; allow lpd_t print_spool_t:file rw_file_perms; # Execute filter scripts. # can_exec(lpd_t, print_spool_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp allow lpd_t bin_t:dir search; allow lpd_t bin_t:lnk_file read; can_exec(lpd_t, { bin_t sbin_t shell_exec_t }) # lpd must be able to execute the filter utilities in /usr/share/printconf. can_exec(lpd_t, printconf_t) allow lpd_t printconf_t:file rx_file_perms; allow lpd_t printconf_t:dir { getattr search read }; # config files for lpd are of type etc_t, probably should change this allow lpd_t etc_t:file { getattr read }; allow lpd_t etc_t:lnk_file read; # checkpc needs similar permissions. allow checkpc_t printconf_t:file getattr; allow checkpc_t printconf_t:dir { getattr search read }; # Read printconf files. allow initrc_t printconf_t:dir r_dir_perms; allow initrc_t printconf_t:file r_file_perms;