Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/lpd.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/lpd.te')
-rw-r--r--policy/modules/contrib/lpd.te328
1 files changed, 328 insertions, 0 deletions
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
new file mode 100644
index 000000000..a03b63a9c
--- /dev/null
+++ b/policy/modules/contrib/lpd.te
@@ -0,0 +1,328 @@
+policy_module(lpd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Use lpd server instead of cups
+## </p>
+## </desc>
+gen_tunable(use_lpd_server, false)
+
+type checkpc_t;
+type checkpc_exec_t;
+init_system_domain(checkpc_t, checkpc_exec_t)
+role system_r types checkpc_t;
+
+type checkpc_log_t;
+logging_log_file(checkpc_log_t)
+
+type lpd_t;
+type lpd_exec_t;
+init_daemon_domain(lpd_t, lpd_exec_t)
+
+type lpd_tmp_t;
+files_tmp_file(lpd_tmp_t)
+
+type lpd_var_run_t;
+files_pid_file(lpd_var_run_t)
+
+type lpr_t;
+type lpr_exec_t;
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+userdom_user_application_domain(lpr_t, lpr_exec_t)
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+userdom_user_tmp_file(lpr_tmp_t)
+
+# Type for spool files.
+type print_spool_t;
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
+
+type printer_t;
+files_type(printer_t)
+
+type printconf_t;
+files_type(printconf_t)
+
+########################################
+#
+# Checkpc local policy
+#
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t.
+
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process signal_perms;
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
+
+allow checkpc_t checkpc_log_t:file manage_file_perms;
+logging_log_filetrans(checkpc_t, checkpc_log_t, file)
+
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
+files_search_pids(checkpc_t)
+
+rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+files_search_spool(checkpc_t)
+
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir list_dir_perms;
+
+kernel_read_system_state(checkpc_t)
+
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
+corenet_tcp_sendrecv_generic_if(checkpc_t)
+corenet_udp_sendrecv_generic_if(checkpc_t)
+corenet_tcp_sendrecv_generic_node(checkpc_t)
+corenet_udp_sendrecv_generic_node(checkpc_t)
+corenet_tcp_sendrecv_all_ports(checkpc_t)
+corenet_udp_sendrecv_all_ports(checkpc_t)
+corenet_tcp_connect_all_ports(checkpc_t)
+corenet_sendrecv_all_client_packets(checkpc_t)
+
+dev_append_printer(checkpc_t)
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+corecmd_exec_shell(checkpc_t)
+corecmd_exec_bin(checkpc_t)
+
+domain_use_interactive_fds(checkpc_t)
+
+files_read_etc_files(checkpc_t)
+files_read_etc_runtime_files(checkpc_t)
+
+init_use_script_ptys(checkpc_t)
+# Allow access to /dev/console through the fd:
+init_use_fds(checkpc_t)
+
+sysnet_read_config(checkpc_t)
+
+userdom_use_user_terminals(checkpc_t)
+
+optional_policy(`
+ cron_system_entry(checkpc_t, checkpc_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(checkpc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(checkpc_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
+dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
+manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+
+# Write to /var/spool/lpd.
+manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+files_search_spool(lpd_t)
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+allow lpd_t printconf_t:dir list_dir_perms;
+can_exec(lpd_t, printconf_t)
+
+# Create and bind to /dev/printer.
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(lpd_t, printer_t, lnk_file)
+
+kernel_read_kernel_sysctls(lpd_t)
+# bash wants access to /proc/meminfo
+kernel_read_system_state(lpd_t)
+
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
+corenet_tcp_sendrecv_generic_if(lpd_t)
+corenet_udp_sendrecv_generic_if(lpd_t)
+corenet_tcp_sendrecv_generic_node(lpd_t)
+corenet_udp_sendrecv_generic_node(lpd_t)
+corenet_tcp_sendrecv_all_ports(lpd_t)
+corenet_udp_sendrecv_all_ports(lpd_t)
+corenet_tcp_bind_generic_node(lpd_t)
+corenet_tcp_bind_printer_port(lpd_t)
+corenet_sendrecv_printer_server_packets(lpd_t)
+
+dev_read_sysfs(lpd_t)
+dev_rw_printer(lpd_t)
+
+fs_getattr_all_fs(lpd_t)
+fs_search_auto_mountpoints(lpd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_bin(lpd_t)
+corecmd_exec_shell(lpd_t)
+
+domain_use_interactive_fds(lpd_t)
+
+files_read_etc_runtime_files(lpd_t)
+files_read_usr_files(lpd_t)
+# for defoma
+files_list_world_readable(lpd_t)
+files_read_world_readable_files(lpd_t)
+files_read_world_readable_symlinks(lpd_t)
+files_list_var_lib(lpd_t)
+files_read_var_lib_files(lpd_t)
+files_read_var_lib_symlinks(lpd_t)
+# config files for lpd are of type etc_t, probably should change this
+files_read_etc_files(lpd_t)
+
+logging_send_syslog_msg(lpd_t)
+
+miscfiles_read_fonts(lpd_t)
+miscfiles_read_localization(lpd_t)
+
+sysnet_read_config(lpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
+
+optional_policy(`
+ nis_use_ypbind(lpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(lpd_t)
+')
+
+optional_policy(`
+ udev_read_db(lpd_t)
+')
+
+##############################
+#
+# Local policy
+#
+
+allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:unix_stream_socket create_stream_socket_perms;
+allow lpr_t self:tcp_socket create_socket_perms;
+allow lpr_t self:udp_socket create_socket_perms;
+
+can_exec(lpr_t, lpr_exec_t)
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_udp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_generic_node(lpr_t)
+corenet_udp_sendrecv_generic_node(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+corenet_udp_sendrecv_all_ports(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+corenet_sendrecv_all_client_packets(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+# for lpd config files (should have a new type)
+files_read_etc_files(lpr_t)
+# for test print
+files_read_usr_files(lpr_t)
+#Added to cover read_content macro
+files_list_home(lpr_t)
+files_read_generic_tmp_files(lpr_t)
+
+fs_getattr_xattr_fs(lpr_t)
+
+# Access the terminal.
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+auth_use_nsswitch(lpr_t)
+
+miscfiles_read_localization(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search;
+ allow lpr_t lpd_var_run_t:sock_file write;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file rw_sock_file_perms;
+ allow lpr_t lpd_t:unix_stream_socket connectto;
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+ manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
+ filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
+ # Read and write shared files in the spool directory.
+ allow lpr_t print_spool_t:file rw_file_perms;
+
+ allow lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern(lpr_t, printconf_t, printconf_t)
+ read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_nfs_files(lpr_t)
+ fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_cifs_files(lpr_t)
+ fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+ cups_read_config(lpr_t)
+ cups_stream_connect(lpr_t)
+ cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')