162 lines
5.2 KiB
Plaintext
162 lines
5.2 KiB
Plaintext
#DESC Lpd - Print server
|
|
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
|
|
# Modified by Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: lpr
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the lpd_t domain.
|
|
#
|
|
# lpd_t is the domain of lpd.
|
|
# lpd_exec_t is the type of the lpd executable.
|
|
# printer_t is the type of the Unix domain socket created
|
|
# by lpd.
|
|
#
|
|
daemon_domain(lpd)
|
|
|
|
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
|
|
|
|
read_fonts(lpd_t)
|
|
|
|
type printer_t, file_type, sysadmfile, dev_fs;
|
|
|
|
type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf.
|
|
|
|
tmp_domain(lpd);
|
|
|
|
# for postscript include files
|
|
allow lpd_t usr_t:{ file lnk_file } { getattr read };
|
|
|
|
# Allow checkpc to access the lpd spool so it can check & fix it.
|
|
# This requires that /usr/sbin/checkpc have type checkpc_t.
|
|
type checkpc_t, domain, privlog;
|
|
role system_r types checkpc_t;
|
|
uses_shlib(checkpc_t)
|
|
can_network_client(checkpc_t)
|
|
allow checkpc_t port_type:tcp_socket name_connect;
|
|
can_ypbind(checkpc_t)
|
|
log_domain(checkpc)
|
|
type checkpc_exec_t, file_type, sysadmfile, exec_type;
|
|
domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
|
|
domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
|
|
role sysadm_r types checkpc_t;
|
|
allow checkpc_t admin_tty_type:chr_file { read write };
|
|
allow checkpc_t privfd:fd use;
|
|
ifdef(`crond.te', `
|
|
system_crond_entry(checkpc_exec_t, checkpc_t)
|
|
')
|
|
allow checkpc_t self:capability { setgid setuid dac_override };
|
|
allow checkpc_t self:process { fork signal_perms };
|
|
|
|
allow checkpc_t proc_t:dir search;
|
|
allow checkpc_t proc_t:lnk_file read;
|
|
allow checkpc_t proc_t:file { getattr read };
|
|
r_dir_file(checkpc_t, self)
|
|
allow checkpc_t self:unix_stream_socket create_socket_perms;
|
|
|
|
allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
|
|
allow checkpc_t etc_t:lnk_file read;
|
|
|
|
allow checkpc_t { var_t var_spool_t }:dir { getattr search };
|
|
allow checkpc_t print_spool_t:file { rw_file_perms unlink };
|
|
allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
|
|
allow checkpc_t device_t:dir search;
|
|
allow checkpc_t printer_device_t:chr_file { getattr append };
|
|
allow checkpc_t devtty_t:chr_file rw_file_perms;
|
|
allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
|
|
|
|
# Allow access to /dev/console through the fd:
|
|
allow checkpc_t init_t:fd use;
|
|
|
|
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
|
|
allow checkpc_t { bin_t sbin_t }:dir search;
|
|
allow checkpc_t bin_t:lnk_file read;
|
|
can_exec(checkpc_t, shell_exec_t)
|
|
can_exec(checkpc_t, bin_t)
|
|
|
|
# bash wants access to /proc/meminfo
|
|
allow lpd_t proc_t:file { getattr read };
|
|
|
|
# gs-gnu wants to read some sysctl entries, it seems to work without though
|
|
dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
|
|
|
|
# for defoma
|
|
r_dir_file(lpd_t, var_lib_t)
|
|
|
|
allow checkpc_t var_run_t:dir search;
|
|
allow checkpc_t lpd_var_run_t:dir { search getattr };
|
|
|
|
# This is needed to permit chown to read /var/spool/lpd/lp.
|
|
# This is opens up security more than necessary; this means that ANYTHING
|
|
# running in the initrc_t domain can read the printer spool directory.
|
|
# Perhaps executing /etc/rc.d/init.d/lpd should transition
|
|
# to domain lpd_t, instead of waiting for executing lpd.
|
|
allow initrc_t print_spool_t:dir read;
|
|
|
|
# for defoma
|
|
r_dir_file(lpd_t, readable_t)
|
|
|
|
# Use capabilities.
|
|
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
|
|
|
|
# Use the network.
|
|
can_network_server(lpd_t)
|
|
can_ypbind(lpd_t)
|
|
allow lpd_t self:fifo_file rw_file_perms;
|
|
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow lpd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow lpd_t self:file { getattr read };
|
|
allow lpd_t etc_runtime_t:file { getattr read };
|
|
|
|
# Bind to the printer port.
|
|
allow lpd_t printer_port_t:tcp_socket name_bind;
|
|
|
|
# Send to portmap.
|
|
ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
|
|
|
|
ifdef(`ypbind.te',
|
|
`# Connect to ypbind.
|
|
can_tcp_connect(lpd_t, ypbind_t)')
|
|
|
|
# Create and bind to /dev/printer.
|
|
file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
|
|
allow lpd_t printer_t:unix_stream_socket name_bind;
|
|
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
|
allow lpd_t printer_device_t:chr_file rw_file_perms;
|
|
|
|
# Write to /var/spool/lpd.
|
|
allow lpd_t var_spool_t:dir search;
|
|
allow lpd_t print_spool_t:dir rw_dir_perms;
|
|
allow lpd_t print_spool_t:file create_file_perms;
|
|
allow lpd_t print_spool_t:file rw_file_perms;
|
|
|
|
# Execute filter scripts.
|
|
# can_exec(lpd_t, print_spool_t)
|
|
|
|
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
|
allow lpd_t bin_t:dir search;
|
|
allow lpd_t bin_t:lnk_file read;
|
|
can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
|
|
|
|
# lpd must be able to execute the filter utilities in /usr/share/printconf.
|
|
can_exec(lpd_t, printconf_t)
|
|
allow lpd_t printconf_t:file rx_file_perms;
|
|
allow lpd_t printconf_t:dir { getattr search read };
|
|
|
|
# config files for lpd are of type etc_t, probably should change this
|
|
allow lpd_t etc_t:file { getattr read };
|
|
allow lpd_t etc_t:lnk_file read;
|
|
|
|
# checkpc needs similar permissions.
|
|
allow checkpc_t printconf_t:file getattr;
|
|
allow checkpc_t printconf_t:dir { getattr search read };
|
|
|
|
# Read printconf files.
|
|
allow initrc_t printconf_t:dir r_dir_perms;
|
|
allow initrc_t printconf_t:file r_file_perms;
|
|
|