diff options
Diffstat (limited to 'policy/modules/contrib/lpd.te')
-rw-r--r-- | policy/modules/contrib/lpd.te | 328 |
1 files changed, 328 insertions, 0 deletions
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te new file mode 100644 index 000000000..a03b63a9c --- /dev/null +++ b/policy/modules/contrib/lpd.te @@ -0,0 +1,328 @@ +policy_module(lpd, 1.13.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Use lpd server instead of cups +## </p> +## </desc> +gen_tunable(use_lpd_server, false) + +type checkpc_t; +type checkpc_exec_t; +init_system_domain(checkpc_t, checkpc_exec_t) +role system_r types checkpc_t; + +type checkpc_log_t; +logging_log_file(checkpc_log_t) + +type lpd_t; +type lpd_exec_t; +init_daemon_domain(lpd_t, lpd_exec_t) + +type lpd_tmp_t; +files_tmp_file(lpd_tmp_t) + +type lpd_var_run_t; +files_pid_file(lpd_var_run_t) + +type lpr_t; +type lpr_exec_t; +typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t }; +typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t }; +userdom_user_application_domain(lpr_t, lpr_exec_t) + +type lpr_tmp_t; +typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; +typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; +userdom_user_tmp_file(lpr_tmp_t) + +# Type for spool files. +type print_spool_t; +typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; +typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +files_type(print_spool_t) +ubac_constrained(print_spool_t) + +type printer_t; +files_type(printer_t) + +type printconf_t; +files_type(printconf_t) + +######################################## +# +# Checkpc local policy +# + +# Allow checkpc to access the lpd spool so it can check & fix it. +# This requires that /usr/sbin/checkpc have type checkpc_t. + +allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:process signal_perms; +allow checkpc_t self:unix_stream_socket create_socket_perms; +allow checkpc_t self:tcp_socket create_socket_perms; +allow checkpc_t self:udp_socket create_socket_perms; + +allow checkpc_t checkpc_log_t:file manage_file_perms; +logging_log_filetrans(checkpc_t, checkpc_log_t, file) + +allow checkpc_t lpd_var_run_t:dir search_dir_perms; +files_search_pids(checkpc_t) + +rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) +delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) +files_search_spool(checkpc_t) + +allow checkpc_t printconf_t:file getattr; +allow checkpc_t printconf_t:dir list_dir_perms; + +kernel_read_system_state(checkpc_t) + +corenet_all_recvfrom_unlabeled(checkpc_t) +corenet_all_recvfrom_netlabel(checkpc_t) +corenet_tcp_sendrecv_generic_if(checkpc_t) +corenet_udp_sendrecv_generic_if(checkpc_t) +corenet_tcp_sendrecv_generic_node(checkpc_t) +corenet_udp_sendrecv_generic_node(checkpc_t) +corenet_tcp_sendrecv_all_ports(checkpc_t) +corenet_udp_sendrecv_all_ports(checkpc_t) +corenet_tcp_connect_all_ports(checkpc_t) +corenet_sendrecv_all_client_packets(checkpc_t) + +dev_append_printer(checkpc_t) + +# This is less desirable, but checkpc demands /bin/bash and /bin/chown: +corecmd_exec_shell(checkpc_t) +corecmd_exec_bin(checkpc_t) + +domain_use_interactive_fds(checkpc_t) + +files_read_etc_files(checkpc_t) +files_read_etc_runtime_files(checkpc_t) + +init_use_script_ptys(checkpc_t) +# Allow access to /dev/console through the fd: +init_use_fds(checkpc_t) + +sysnet_read_config(checkpc_t) + +userdom_use_user_terminals(checkpc_t) + +optional_policy(` + cron_system_entry(checkpc_t, checkpc_exec_t) +') + +optional_policy(` + logging_send_syslog_msg(checkpc_t) +') + +optional_policy(` + nis_use_ypbind(checkpc_t) +') + +######################################## +# +# Lpd local policy +# + +allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; +dontaudit lpd_t self:capability sys_tty_config; +allow lpd_t self:process signal_perms; +allow lpd_t self:fifo_file rw_fifo_file_perms; +allow lpd_t self:unix_stream_socket create_stream_socket_perms; +allow lpd_t self:unix_dgram_socket create_socket_perms; +allow lpd_t self:tcp_socket create_stream_socket_perms; +allow lpd_t self:udp_socket create_stream_socket_perms; + +manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) +manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) +files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) + +manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) +manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) +files_pid_filetrans(lpd_t, lpd_var_run_t, file) + +# Write to /var/spool/lpd. +manage_files_pattern(lpd_t, print_spool_t, print_spool_t) +files_search_spool(lpd_t) + +# lpd must be able to execute the filter utilities in /usr/share/printconf. +allow lpd_t printconf_t:dir list_dir_perms; +can_exec(lpd_t, printconf_t) + +# Create and bind to /dev/printer. +allow lpd_t printer_t:lnk_file manage_lnk_file_perms; +dev_filetrans(lpd_t, printer_t, lnk_file) + +kernel_read_kernel_sysctls(lpd_t) +# bash wants access to /proc/meminfo +kernel_read_system_state(lpd_t) + +corenet_all_recvfrom_unlabeled(lpd_t) +corenet_all_recvfrom_netlabel(lpd_t) +corenet_tcp_sendrecv_generic_if(lpd_t) +corenet_udp_sendrecv_generic_if(lpd_t) +corenet_tcp_sendrecv_generic_node(lpd_t) +corenet_udp_sendrecv_generic_node(lpd_t) +corenet_tcp_sendrecv_all_ports(lpd_t) +corenet_udp_sendrecv_all_ports(lpd_t) +corenet_tcp_bind_generic_node(lpd_t) +corenet_tcp_bind_printer_port(lpd_t) +corenet_sendrecv_printer_server_packets(lpd_t) + +dev_read_sysfs(lpd_t) +dev_rw_printer(lpd_t) + +fs_getattr_all_fs(lpd_t) +fs_search_auto_mountpoints(lpd_t) + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +corecmd_exec_bin(lpd_t) +corecmd_exec_shell(lpd_t) + +domain_use_interactive_fds(lpd_t) + +files_read_etc_runtime_files(lpd_t) +files_read_usr_files(lpd_t) +# for defoma +files_list_world_readable(lpd_t) +files_read_world_readable_files(lpd_t) +files_read_world_readable_symlinks(lpd_t) +files_list_var_lib(lpd_t) +files_read_var_lib_files(lpd_t) +files_read_var_lib_symlinks(lpd_t) +# config files for lpd are of type etc_t, probably should change this +files_read_etc_files(lpd_t) + +logging_send_syslog_msg(lpd_t) + +miscfiles_read_fonts(lpd_t) +miscfiles_read_localization(lpd_t) + +sysnet_read_config(lpd_t) + +userdom_dontaudit_use_unpriv_user_fds(lpd_t) +userdom_dontaudit_search_user_home_dirs(lpd_t) + +optional_policy(` + nis_use_ypbind(lpd_t) +') + +optional_policy(` + seutil_sigchld_newrole(lpd_t) +') + +optional_policy(` + udev_read_db(lpd_t) +') + +############################## +# +# Local policy +# + +allow lpr_t self:capability { setuid dac_override net_bind_service chown }; +allow lpr_t self:unix_stream_socket create_stream_socket_perms; +allow lpr_t self:tcp_socket create_socket_perms; +allow lpr_t self:udp_socket create_socket_perms; + +can_exec(lpr_t, lpr_exec_t) + +# Allow lpd to read, rename, and unlink spool files. +allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; + +kernel_read_kernel_sysctls(lpr_t) + +corenet_all_recvfrom_unlabeled(lpr_t) +corenet_all_recvfrom_netlabel(lpr_t) +corenet_tcp_sendrecv_generic_if(lpr_t) +corenet_udp_sendrecv_generic_if(lpr_t) +corenet_tcp_sendrecv_generic_node(lpr_t) +corenet_udp_sendrecv_generic_node(lpr_t) +corenet_tcp_sendrecv_all_ports(lpr_t) +corenet_udp_sendrecv_all_ports(lpr_t) +corenet_tcp_connect_all_ports(lpr_t) +corenet_sendrecv_all_client_packets(lpr_t) + +dev_read_rand(lpr_t) +dev_read_urand(lpr_t) + +domain_use_interactive_fds(lpr_t) + +files_search_spool(lpr_t) +# for lpd config files (should have a new type) +files_read_etc_files(lpr_t) +# for test print +files_read_usr_files(lpr_t) +#Added to cover read_content macro +files_list_home(lpr_t) +files_read_generic_tmp_files(lpr_t) + +fs_getattr_xattr_fs(lpr_t) + +# Access the terminal. +term_use_controlling_term(lpr_t) +term_use_generic_ptys(lpr_t) + +auth_use_nsswitch(lpr_t) + +miscfiles_read_localization(lpr_t) + +userdom_read_user_tmp_symlinks(lpr_t) +# Write to the user domain tty. +userdom_use_user_terminals(lpr_t) +userdom_read_user_home_content_files(lpr_t) +userdom_read_user_tmp_files(lpr_t) + +tunable_policy(`use_lpd_server',` + # lpr can run in lightweight mode, without a local print spooler. + allow lpr_t lpd_var_run_t:dir search; + allow lpr_t lpd_var_run_t:sock_file write; + files_read_var_files(lpr_t) + + # Connect to lpd via a Unix domain socket. + allow lpr_t printer_t:sock_file rw_sock_file_perms; + allow lpr_t lpd_t:unix_stream_socket connectto; + # Send SIGHUP to lpd. + allow lpr_t lpd_t:process signal; + + manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) + + manage_files_pattern(lpr_t, print_spool_t, print_spool_t) + filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file) + # Read and write shared files in the spool directory. + allow lpr_t print_spool_t:file rw_file_perms; + + allow lpr_t printconf_t:dir list_dir_perms; + read_files_pattern(lpr_t, printconf_t, printconf_t) + read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(lpr_t) + fs_read_nfs_files(lpr_t) + fs_read_nfs_symlinks(lpr_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_auto_mountpoints(lpr_t) + fs_read_cifs_files(lpr_t) + fs_read_cifs_symlinks(lpr_t) +') + +optional_policy(` + cups_read_config(lpr_t) + cups_stream_connect(lpr_t) + cups_read_pid_files(lpr_t) +') + +optional_policy(` + logging_send_syslog_msg(lpr_t) +') |