[people/stevee/selinux-policy.git] / policy / modules / services / lpd.te


policy_module(lpd, 1.10.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Use lpd server instead of cups
## </p>
## </desc>
gen_tunable(use_lpd_server,false)

type checkpc_t;
type checkpc_exec_t;
init_system_domain(checkpc_t,checkpc_exec_t)
role system_r types checkpc_t;

type checkpc_log_t;
logging_log_file(checkpc_log_t)

type lpd_t;
type lpd_exec_t;
init_daemon_domain(lpd_t,lpd_exec_t)

type lpd_tmp_t;
files_tmp_file(lpd_tmp_t)

type lpd_var_run_t;
files_pid_file(lpd_var_run_t)

type lpr_exec_t;
application_executable_file(lpr_exec_t)

type print_spool_t;
files_tmp_file(print_spool_t)

type printer_t;
files_type(printer_t)

type printconf_t;
files_type(printconf_t)

########################################
#
# Checkpc local policy
#

# Allow checkpc to access the lpd spool so it can check & fix it.
# This requires that /usr/sbin/checkpc have type checkpc_t.

allow checkpc_t self:capability { setgid setuid dac_override };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
allow checkpc_t self:udp_socket create_socket_perms;

allow checkpc_t checkpc_log_t:file manage_file_perms;
logging_log_filetrans(checkpc_t,checkpc_log_t,file)

allow checkpc_t lpd_var_run_t:dir search_dir_perms;
files_search_pids(checkpc_t)

rw_files_pattern(checkpc_t,print_spool_t,print_spool_t)
delete_files_pattern(checkpc_t,print_spool_t,print_spool_t)
files_search_spool(checkpc_t)

allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:dir { getattr search read };

kernel_read_system_state(checkpc_t)

corenet_all_recvfrom_unlabeled(checkpc_t)
corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_all_if(checkpc_t)
corenet_udp_sendrecv_all_if(checkpc_t)
corenet_tcp_sendrecv_all_nodes(checkpc_t)
corenet_udp_sendrecv_all_nodes(checkpc_t)
corenet_tcp_sendrecv_all_ports(checkpc_t)
corenet_udp_sendrecv_all_ports(checkpc_t)
corenet_tcp_connect_all_ports(checkpc_t)
corenet_sendrecv_all_client_packets(checkpc_t)

dev_append_printer(checkpc_t)

# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
corecmd_exec_shell(checkpc_t)
corecmd_exec_bin(checkpc_t)

domain_use_interactive_fds(checkpc_t)

files_read_etc_files(checkpc_t)
files_read_etc_runtime_files(checkpc_t)

init_use_script_ptys(checkpc_t)
# Allow access to /dev/console through the fd:
init_use_fds(checkpc_t)

libs_use_ld_so(checkpc_t)
libs_use_shared_libs(checkpc_t)

sysnet_read_config(checkpc_t)

optional_policy(`
	cron_system_entry(checkpc_t,checkpc_exec_t)
')

optional_policy(`
	logging_send_syslog_msg(checkpc_t)
')

optional_policy(`
	nis_use_ypbind(checkpc_t)
')

########################################
#
# Lpd local policy
#

allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_fifo_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t self:tcp_socket create_stream_socket_perms;
allow lpd_t self:udp_socket create_stream_socket_perms;

manage_dirs_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
manage_files_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })

manage_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
manage_sock_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
files_pid_filetrans(lpd_t,lpd_var_run_t,file)

# Write to /var/spool/lpd.
manage_files_pattern(lpd_t,print_spool_t,print_spool_t)
files_search_spool(lpd_t)

# lpd must be able to execute the filter utilities in /usr/share/printconf.
allow lpd_t printconf_t:dir { getattr search read };
can_exec(lpd_t, printconf_t)

# Create and bind to /dev/printer.
allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
dev_filetrans(lpd_t,printer_t,lnk_file)

kernel_read_kernel_sysctls(lpd_t)
# bash wants access to /proc/meminfo
kernel_read_system_state(lpd_t)

corenet_all_recvfrom_unlabeled(lpd_t)
corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_all_if(lpd_t)
corenet_udp_sendrecv_all_if(lpd_t)
corenet_tcp_sendrecv_all_nodes(lpd_t)
corenet_udp_sendrecv_all_nodes(lpd_t)
corenet_tcp_sendrecv_all_ports(lpd_t)
corenet_udp_sendrecv_all_ports(lpd_t)
corenet_tcp_bind_all_nodes(lpd_t)
corenet_tcp_bind_printer_port(lpd_t)
corenet_sendrecv_printer_server_packets(lpd_t)

dev_read_sysfs(lpd_t)
dev_rw_printer(lpd_t)

fs_getattr_all_fs(lpd_t)
fs_search_auto_mountpoints(lpd_t)

# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_bin(lpd_t)
corecmd_exec_shell(lpd_t)

domain_use_interactive_fds(lpd_t)

files_read_etc_runtime_files(lpd_t)
files_read_usr_files(lpd_t)
# for defoma
files_list_world_readable(lpd_t)
files_read_world_readable_files(lpd_t)
files_read_world_readable_symlinks(lpd_t)
files_list_var_lib(lpd_t)
files_read_var_lib_files(lpd_t)
files_read_var_lib_symlinks(lpd_t)
# config files for lpd are of type etc_t, probably should change this
files_read_etc_files(lpd_t)

libs_use_ld_so(lpd_t)
libs_use_shared_libs(lpd_t)

logging_send_syslog_msg(lpd_t)

miscfiles_read_fonts(lpd_t)
miscfiles_read_localization(lpd_t)

sysnet_read_config(lpd_t)

userdom_dontaudit_use_unpriv_user_fds(lpd_t)

sysadm_dontaudit_search_home_dirs(lpd_t)

optional_policy(`
	nis_use_ypbind(lpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(lpd_t)
')

optional_policy(`
	udev_read_db(lpd_t)
')
Commit	Line	Data
ad3b9d76	1
cfcf5004	2	policy_module(lpd, 1.10.0)
ad3b9d76 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Use lpd server instead of cups
	12	## </p>
	13	## </desc>
	14	gen_tunable(use_lpd_server,false)
	15
ad3b9d76 CP	16	type checkpc_t;
	17	type checkpc_exec_t;
	18	init_system_domain(checkpc_t,checkpc_exec_t)
	19	role system_r types checkpc_t;
	20
	21	type checkpc_log_t;
	22	logging_log_file(checkpc_log_t)
	23
	24	type lpd_t;
	25	type lpd_exec_t;
	26	init_daemon_domain(lpd_t,lpd_exec_t)
	27
	28	type lpd_tmp_t;
	29	files_tmp_file(lpd_tmp_t)
	30
	31	type lpd_var_run_t;
	32	files_pid_file(lpd_var_run_t)
	33
8dca6b97	34	type lpr_exec_t;
d46cfe45	35	application_executable_file(lpr_exec_t)
8dca6b97	36
ad3b9d76 CP	37	type print_spool_t;
	38	files_tmp_file(print_spool_t)
	39
	40	type printer_t;
	41	files_type(printer_t)
	42
	43	type printconf_t;
	44	files_type(printconf_t)
	45
	46	########################################
	47	#
	48	# Checkpc local policy
	49	#
	50
	51	# Allow checkpc to access the lpd spool so it can check & fix it.
	52	# This requires that /usr/sbin/checkpc have type checkpc_t.
	53
	54	allow checkpc_t self:capability { setgid setuid dac_override };
b516e80f	55	allow checkpc_t self:process signal_perms;
ad3b9d76	56	allow checkpc_t self:unix_stream_socket create_socket_perms;
b516e80f CP	57	allow checkpc_t self:tcp_socket create_socket_perms;
b516e80f CP	58	allow checkpc_t self:udp_socket create_socket_perms;
ad3b9d76	59
c0868a7a	60	allow checkpc_t checkpc_log_t:file manage_file_perms;
1c1ac67f	61	logging_log_filetrans(checkpc_t,checkpc_log_t,file)
ad3b9d76	62
c0868a7a	63	allow checkpc_t lpd_var_run_t:dir search_dir_perms;
ad3b9d76 CP	64	files_search_pids(checkpc_t)
ad3b9d76 CP	65
c0868a7a CP	66	rw_files_pattern(checkpc_t,print_spool_t,print_spool_t)
c0868a7a CP	67	delete_files_pattern(checkpc_t,print_spool_t,print_spool_t)
ad3b9d76 CP	68	files_search_spool(checkpc_t)
	69
	70	allow checkpc_t printconf_t:file getattr;
	71	allow checkpc_t printconf_t:dir { getattr search read };
	72
	73	kernel_read_system_state(checkpc_t)
	74
19006686 CP	75	corenet_all_recvfrom_unlabeled(checkpc_t)
19006686 CP	76	corenet_all_recvfrom_netlabel(checkpc_t)
ad3b9d76 CP	77	corenet_tcp_sendrecv_all_if(checkpc_t)
ad3b9d76 CP	78	corenet_udp_sendrecv_all_if(checkpc_t)
ad3b9d76 CP	79	corenet_tcp_sendrecv_all_nodes(checkpc_t)
ad3b9d76 CP	80	corenet_udp_sendrecv_all_nodes(checkpc_t)
ad3b9d76 CP	81	corenet_tcp_sendrecv_all_ports(checkpc_t)
ad3b9d76 CP	82	corenet_udp_sendrecv_all_ports(checkpc_t)
ad3b9d76	83	corenet_tcp_connect_all_ports(checkpc_t)
141cffdd	84	corenet_sendrecv_all_client_packets(checkpc_t)
ad3b9d76 CP	85
	86	dev_append_printer(checkpc_t)
	87
	88	# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
	89	corecmd_exec_shell(checkpc_t)
	90	corecmd_exec_bin(checkpc_t)
	91
15722ec9	92	domain_use_interactive_fds(checkpc_t)
ad3b9d76 CP	93
	94	files_read_etc_files(checkpc_t)
	95	files_read_etc_runtime_files(checkpc_t)
	96
1815bad1	97	init_use_script_ptys(checkpc_t)
ad3b9d76	98	# Allow access to /dev/console through the fd:
1c1ac67f	99	init_use_fds(checkpc_t)
ad3b9d76 CP	100
	101	libs_use_ld_so(checkpc_t)
	102	libs_use_shared_libs(checkpc_t)
	103
	104	sysnet_read_config(checkpc_t)
	105
bb7170f6	106	optional_policy(`
ad3b9d76 CP	107	cron_system_entry(checkpc_t,checkpc_exec_t)
	108	')
	109
bb7170f6	110	optional_policy(`
ad3b9d76 CP	111	logging_send_syslog_msg(checkpc_t)
	112	')
	113
bb7170f6	114	optional_policy(`
ad3b9d76 CP	115	nis_use_ypbind(checkpc_t)
	116	')
	117
	118	########################################
	119	#
	120	# Lpd local policy
	121	#
	122
	123	allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
	124	dontaudit lpd_t self:capability sys_tty_config;
2e0a8801	125	allow lpd_t self:process signal_perms;
c0868a7a	126	allow lpd_t self:fifo_file rw_fifo_file_perms;
ad3b9d76 CP	127	allow lpd_t self:unix_stream_socket create_stream_socket_perms;
ad3b9d76 CP	128	allow lpd_t self:unix_dgram_socket create_socket_perms;
b516e80f CP	129	allow lpd_t self:tcp_socket create_stream_socket_perms;
b516e80f CP	130	allow lpd_t self:udp_socket create_stream_socket_perms;
ad3b9d76	131
c0868a7a CP	132	manage_dirs_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
c0868a7a CP	133	manage_files_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
103fe280	134	files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
ad3b9d76	135
c0868a7a CP	136	manage_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
c0868a7a CP	137	manage_sock_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
1c1ac67f	138	files_pid_filetrans(lpd_t,lpd_var_run_t,file)
ad3b9d76 CP	139
ad3b9d76 CP	140	# Write to /var/spool/lpd.
c0868a7a	141	manage_files_pattern(lpd_t,print_spool_t,print_spool_t)
ad3b9d76 CP	142	files_search_spool(lpd_t)
	143
	144	# lpd must be able to execute the filter utilities in /usr/share/printconf.
	145	allow lpd_t printconf_t:dir { getattr search read };
	146	can_exec(lpd_t, printconf_t)
	147
	148	# Create and bind to /dev/printer.
c0868a7a	149	allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
103fe280	150	dev_filetrans(lpd_t,printer_t,lnk_file)
ad3b9d76	151
445522dc	152	kernel_read_kernel_sysctls(lpd_t)
ad3b9d76 CP	153	# bash wants access to /proc/meminfo
	154	kernel_read_system_state(lpd_t)
	155
19006686 CP	156	corenet_all_recvfrom_unlabeled(lpd_t)
19006686 CP	157	corenet_all_recvfrom_netlabel(lpd_t)
ad3b9d76 CP	158	corenet_tcp_sendrecv_all_if(lpd_t)
ad3b9d76 CP	159	corenet_udp_sendrecv_all_if(lpd_t)
ad3b9d76 CP	160	corenet_tcp_sendrecv_all_nodes(lpd_t)
ad3b9d76 CP	161	corenet_udp_sendrecv_all_nodes(lpd_t)
ad3b9d76 CP	162	corenet_tcp_sendrecv_all_ports(lpd_t)
	163	corenet_udp_sendrecv_all_ports(lpd_t)
	164	corenet_tcp_bind_all_nodes(lpd_t)
ad3b9d76	165	corenet_tcp_bind_printer_port(lpd_t)
141cffdd	166	corenet_sendrecv_printer_server_packets(lpd_t)
ad3b9d76 CP	167
	168	dev_read_sysfs(lpd_t)
	169	dev_rw_printer(lpd_t)
	170
	171	fs_getattr_all_fs(lpd_t)
	172	fs_search_auto_mountpoints(lpd_t)
	173
ad3b9d76 CP	174	# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
ad3b9d76 CP	175	corecmd_exec_bin(lpd_t)
ad3b9d76 CP	176	corecmd_exec_shell(lpd_t)
ad3b9d76 CP	177
15722ec9	178	domain_use_interactive_fds(lpd_t)
ad3b9d76 CP	179
	180	files_read_etc_runtime_files(lpd_t)
	181	files_read_usr_files(lpd_t)
	182	# for defoma
	183	files_list_world_readable(lpd_t)
	184	files_read_world_readable_files(lpd_t)
	185	files_read_world_readable_symlinks(lpd_t)
	186	files_list_var_lib(lpd_t)
	187	files_read_var_lib_files(lpd_t)
	188	files_read_var_lib_symlinks(lpd_t)
	189	# config files for lpd are of type etc_t, probably should change this
	190	files_read_etc_files(lpd_t)
	191
ad3b9d76 CP	192	libs_use_ld_so(lpd_t)
	193	libs_use_shared_libs(lpd_t)
	194
	195	logging_send_syslog_msg(lpd_t)
	196
	197	miscfiles_read_fonts(lpd_t)
	198	miscfiles_read_localization(lpd_t)
	199
	200	sysnet_read_config(lpd_t)
	201
15722ec9	202	userdom_dontaudit_use_unpriv_user_fds(lpd_t)
e9c6cda7 CP	203
e9c6cda7 CP	204	sysadm_dontaudit_search_home_dirs(lpd_t)
ad3b9d76	205
bb7170f6	206	optional_policy(`
ad3b9d76	207	nis_use_ypbind(lpd_t)
ad3b9d76 CP	208	')
ad3b9d76 CP	209
bb7170f6	210	optional_policy(`
ad3b9d76 CP	211	seutil_sigchld_newrole(lpd_t)
	212	')
	213
bb7170f6	214	optional_policy(`
ad3b9d76 CP	215	udev_read_db(lpd_t)
ad3b9d76 CP	216	')