selinux-policy/policy/modules/services/lpd.te
Dominick Grift 1dfc76f76b Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-22 15:39:43 +02:00

334 lines
9.0 KiB
Plaintext

policy_module(lpd, 1.12.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Use lpd server instead of cups
## </p>
## </desc>
gen_tunable(use_lpd_server, false)
type checkpc_t;
type checkpc_exec_t;
init_system_domain(checkpc_t, checkpc_exec_t)
role system_r types checkpc_t;
type checkpc_log_t;
logging_log_file(checkpc_log_t)
type lpd_t;
type lpd_exec_t;
init_daemon_domain(lpd_t, lpd_exec_t)
type lpd_tmp_t;
files_tmp_file(lpd_tmp_t)
type lpd_var_run_t;
files_pid_file(lpd_var_run_t)
type lpr_t;
type lpr_exec_t;
typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
application_domain(lpr_t, lpr_exec_t)
ubac_constrained(lpr_t)
type lpr_tmp_t;
typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
files_tmp_file(lpr_tmp_t)
ubac_constrained(lpr_tmp_t)
# Type for spool files.
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
files_type(print_spool_t)
ubac_constrained(print_spool_t)
type printer_t;
files_type(printer_t)
type printconf_t;
files_type(printconf_t)
########################################
#
# Checkpc local policy
#
# Allow checkpc to access the lpd spool so it can check & fix it.
# This requires that /usr/sbin/checkpc have type checkpc_t.
allow checkpc_t self:capability { setgid setuid dac_override };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
allow checkpc_t self:udp_socket create_socket_perms;
allow checkpc_t checkpc_log_t:file manage_file_perms;
logging_log_filetrans(checkpc_t, checkpc_log_t, file)
allow checkpc_t lpd_var_run_t:dir search_dir_perms;
files_search_pids(checkpc_t)
rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
files_search_spool(checkpc_t)
allow checkpc_t printconf_t:file getattr_file_perms;
allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
corenet_all_recvfrom_unlabeled(checkpc_t)
corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_generic_if(checkpc_t)
corenet_udp_sendrecv_generic_if(checkpc_t)
corenet_tcp_sendrecv_generic_node(checkpc_t)
corenet_udp_sendrecv_generic_node(checkpc_t)
corenet_tcp_sendrecv_all_ports(checkpc_t)
corenet_udp_sendrecv_all_ports(checkpc_t)
corenet_tcp_connect_all_ports(checkpc_t)
corenet_sendrecv_all_client_packets(checkpc_t)
dev_append_printer(checkpc_t)
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
corecmd_exec_shell(checkpc_t)
corecmd_exec_bin(checkpc_t)
domain_use_interactive_fds(checkpc_t)
files_read_etc_files(checkpc_t)
files_read_etc_runtime_files(checkpc_t)
init_use_script_ptys(checkpc_t)
# Allow access to /dev/console through the fd:
init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
userdom_use_user_terminals(checkpc_t)
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
')
optional_policy(`
logging_send_syslog_msg(checkpc_t)
')
optional_policy(`
nis_use_ypbind(checkpc_t)
')
########################################
#
# Lpd local policy
#
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_fifo_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t self:tcp_socket create_stream_socket_perms;
allow lpd_t self:udp_socket create_stream_socket_perms;
manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
files_search_spool(lpd_t)
# lpd must be able to execute the filter utilities in /usr/share/printconf.
allow lpd_t printconf_t:dir list_dir_perms;
can_exec(lpd_t, printconf_t)
# Create and bind to /dev/printer.
allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
dev_filetrans(lpd_t, printer_t, lnk_file)
kernel_read_kernel_sysctls(lpd_t)
# bash wants access to /proc/meminfo
kernel_read_system_state(lpd_t)
corenet_all_recvfrom_unlabeled(lpd_t)
corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_generic_if(lpd_t)
corenet_udp_sendrecv_generic_if(lpd_t)
corenet_tcp_sendrecv_generic_node(lpd_t)
corenet_udp_sendrecv_generic_node(lpd_t)
corenet_tcp_sendrecv_all_ports(lpd_t)
corenet_udp_sendrecv_all_ports(lpd_t)
corenet_tcp_bind_generic_node(lpd_t)
corenet_tcp_bind_printer_port(lpd_t)
corenet_sendrecv_printer_server_packets(lpd_t)
dev_read_sysfs(lpd_t)
dev_rw_printer(lpd_t)
fs_getattr_all_fs(lpd_t)
fs_search_auto_mountpoints(lpd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_bin(lpd_t)
corecmd_exec_shell(lpd_t)
domain_use_interactive_fds(lpd_t)
files_read_etc_runtime_files(lpd_t)
files_read_usr_files(lpd_t)
# for defoma
files_list_world_readable(lpd_t)
files_read_world_readable_files(lpd_t)
files_read_world_readable_symlinks(lpd_t)
files_list_var_lib(lpd_t)
files_read_var_lib_files(lpd_t)
files_read_var_lib_symlinks(lpd_t)
# config files for lpd are of type etc_t, probably should change this
files_read_etc_files(lpd_t)
logging_send_syslog_msg(lpd_t)
miscfiles_read_fonts(lpd_t)
miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
userdom_dontaudit_search_user_home_dirs(lpd_t)
optional_policy(`
nis_use_ypbind(lpd_t)
')
optional_policy(`
seutil_sigchld_newrole(lpd_t)
')
optional_policy(`
udev_read_db(lpd_t)
')
##############################
#
# Local policy
#
allow lpr_t self:capability { setuid dac_override net_bind_service chown };
allow lpr_t self:unix_stream_socket create_stream_socket_perms;
allow lpr_t self:tcp_socket create_socket_perms;
allow lpr_t self:udp_socket create_socket_perms;
can_exec(lpr_t, lpr_exec_t)
# Allow lpd to read, rename, and unlink spool files.
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
kernel_read_kernel_sysctls(lpr_t)
corenet_all_recvfrom_unlabeled(lpr_t)
corenet_all_recvfrom_netlabel(lpr_t)
corenet_tcp_sendrecv_generic_if(lpr_t)
corenet_udp_sendrecv_generic_if(lpr_t)
corenet_tcp_sendrecv_generic_node(lpr_t)
corenet_udp_sendrecv_generic_node(lpr_t)
corenet_tcp_sendrecv_all_ports(lpr_t)
corenet_udp_sendrecv_all_ports(lpr_t)
corenet_tcp_connect_all_ports(lpr_t)
corenet_sendrecv_all_client_packets(lpr_t)
dev_read_rand(lpr_t)
dev_read_urand(lpr_t)
domain_use_interactive_fds(lpr_t)
files_search_spool(lpr_t)
# for lpd config files (should have a new type)
files_read_etc_files(lpr_t)
# for test print
files_read_usr_files(lpr_t)
#Added to cover read_content macro
files_list_home(lpr_t)
files_read_generic_tmp_files(lpr_t)
fs_getattr_xattr_fs(lpr_t)
# Access the terminal.
term_use_controlling_term(lpr_t)
term_use_generic_ptys(lpr_t)
auth_use_nsswitch(lpr_t)
miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
# Write to the user domain tty.
userdom_use_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
tunable_policy(`use_lpd_server',`
# lpr can run in lightweight mode, without a local print spooler.
allow lpr_t lpd_var_run_t:dir search_dir_perms;
allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
# Connect to lpd via a Unix domain socket.
allow lpr_t printer_t:sock_file rw_sock_file_perms;
allow lpr_t lpd_t:unix_stream_socket connectto;
# Send SIGHUP to lpd.
allow lpr_t lpd_t:process signal;
manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
# Read and write shared files in the spool directory.
allow lpr_t print_spool_t:file rw_file_perms;
allow lpr_t printconf_t:dir list_dir_perms;
read_files_pattern(lpr_t, printconf_t, printconf_t)
read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
')
tunable_policy(`use_nfs_home_dirs',`
files_list_home(lpr_t)
fs_list_auto_mountpoints(lpr_t)
fs_read_nfs_files(lpr_t)
fs_read_nfs_symlinks(lpr_t)
')
tunable_policy(`use_samba_home_dirs',`
files_list_home(lpr_t)
fs_list_auto_mountpoints(lpr_t)
fs_read_cifs_files(lpr_t)
fs_read_cifs_symlinks(lpr_t)
')
optional_policy(`
cups_read_config(lpr_t)
cups_stream_connect(lpr_t)
cups_read_pid_files(lpr_t)
')
optional_policy(`
logging_send_syslog_msg(lpr_t)
')