Commit | Line | Data |
---|---|---|
ad3b9d76 | 1 | |
cfcf5004 | 2 | policy_module(lpd, 1.10.0) # Module lpd: type enforcement for the lpd print daemon and its checkpc helper |
ad3b9d76 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations: the tunable, domains and file types used by the rules below | |
7 | # | |
8 | ||
56e1b3d2 CP |
9 | ## <desc> |
10 | ## <p> | |
11 | ## Use lpd server instead of cups | |
12 | ## </p> | |
13 | ## </desc> | |
14 | gen_tunable(use_lpd_server,false) # Defaults to false. NOTE(review): no rule visible in this listing references use_lpd_server - confirm where it is consumed | |
15 | ||
ad3b9d76 CP |
16 | type checkpc_t; |
17 | type checkpc_exec_t; | |
18 | init_system_domain(checkpc_t,checkpc_exec_t) # checkpc_t is the process domain, checkpc_exec_t the type of its executable | |
19 | role system_r types checkpc_t; | |
20 | ||
21 | type checkpc_log_t; | |
22 | logging_log_file(checkpc_log_t) | |
23 | ||
24 | type lpd_t; | |
25 | type lpd_exec_t; | |
26 | init_daemon_domain(lpd_t,lpd_exec_t) # lpd_t is the daemon domain, lpd_exec_t the type of its executable | |
27 | ||
28 | type lpd_tmp_t; | |
29 | files_tmp_file(lpd_tmp_t) | |
30 | ||
31 | type lpd_var_run_t; | |
32 | files_pid_file(lpd_var_run_t) | |
33 | ||
8dca6b97 | 34 | type lpr_exec_t; |
d46cfe45 | 35 | application_executable_file(lpr_exec_t) |
8dca6b97 | 36 | |
ad3b9d76 CP |
37 | type print_spool_t; |
38 | files_tmp_file(print_spool_t) # NOTE(review): declared through the tmp-file interface although the rules below use it for spool content (files_search_spool, /var/spool/lpd) - confirm this is intended | |
39 | ||
40 | type printer_t; | |
41 | files_type(printer_t) | |
42 | ||
43 | type printconf_t; | |
44 | files_type(printconf_t) | |
45 | ||
46 | ######################################## | |
47 | # | |
48 | # Checkpc local policy: rules for the checkpc_t domain | |
49 | # | |
50 | ||
51 | # Allow checkpc to access the lpd spool so it can check & fix it. | |
52 | # This requires that /usr/sbin/checkpc be labeled checkpc_exec_t so that it runs in checkpc_t (file labeling is not part of this listing). | |
53 | ||
54 | allow checkpc_t self:capability { setgid setuid dac_override }; # dac_override lets checkpc bypass discretionary file permission checks; keep this set minimal | |
b516e80f | 55 | allow checkpc_t self:process signal_perms; |
ad3b9d76 | 56 | allow checkpc_t self:unix_stream_socket create_socket_perms; |
b516e80f CP |
57 | allow checkpc_t self:tcp_socket create_socket_perms; |
58 | allow checkpc_t self:udp_socket create_socket_perms; | |
ad3b9d76 | 59 | |
c0868a7a | 60 | allow checkpc_t checkpc_log_t:file manage_file_perms; |
1c1ac67f | 61 | logging_log_filetrans(checkpc_t,checkpc_log_t,file) |
ad3b9d76 | 62 | |
c0868a7a | 63 | allow checkpc_t lpd_var_run_t:dir search_dir_perms; |
ad3b9d76 CP |
64 | files_search_pids(checkpc_t) |
65 | ||
c0868a7a CP |
66 | rw_files_pattern(checkpc_t,print_spool_t,print_spool_t) |
67 | delete_files_pattern(checkpc_t,print_spool_t,print_spool_t) | |
ad3b9d76 CP |
68 | files_search_spool(checkpc_t) |
69 | ||
70 | allow checkpc_t printconf_t:file getattr; | |
71 | allow checkpc_t printconf_t:dir { getattr search read }; | |
72 | ||
73 | kernel_read_system_state(checkpc_t) | |
74 | ||
19006686 CP |
75 | corenet_all_recvfrom_unlabeled(checkpc_t) |
76 | corenet_all_recvfrom_netlabel(checkpc_t) | |
ad3b9d76 CP |
77 | corenet_tcp_sendrecv_all_if(checkpc_t) |
78 | corenet_udp_sendrecv_all_if(checkpc_t) | |
ad3b9d76 CP |
79 | corenet_tcp_sendrecv_all_nodes(checkpc_t) |
80 | corenet_udp_sendrecv_all_nodes(checkpc_t) | |
ad3b9d76 CP |
81 | corenet_tcp_sendrecv_all_ports(checkpc_t) |
82 | corenet_udp_sendrecv_all_ports(checkpc_t) | |
ad3b9d76 | 83 | corenet_tcp_connect_all_ports(checkpc_t) # NOTE(review): outbound TCP connect to any port; consider narrowing to the printer port if that is all checkpc contacts - confirm |
141cffdd | 84 | corenet_sendrecv_all_client_packets(checkpc_t) |
ad3b9d76 CP |
85 | |
86 | dev_append_printer(checkpc_t) | |
87 | ||
88 | # Less desirable, but checkpc demands /bin/bash and /bin/chown. NOTE(review): these interfaces presumably grant execution without a domain transition, so the shell would run with the checkpc_t capabilities and network access above - confirm: | |
89 | corecmd_exec_shell(checkpc_t) | |
90 | corecmd_exec_bin(checkpc_t) | |
91 | ||
15722ec9 | 92 | domain_use_interactive_fds(checkpc_t) |
ad3b9d76 CP |
93 | |
94 | files_read_etc_files(checkpc_t) | |
95 | files_read_etc_runtime_files(checkpc_t) | |
96 | ||
1815bad1 | 97 | init_use_script_ptys(checkpc_t) |
ad3b9d76 | 98 | # Allow access to /dev/console through the fd: |
1c1ac67f | 99 | init_use_fds(checkpc_t) |
ad3b9d76 CP |
100 | |
101 | libs_use_ld_so(checkpc_t) | |
102 | libs_use_shared_libs(checkpc_t) | |
103 | ||
104 | sysnet_read_config(checkpc_t) | |
105 | ||
bb7170f6 | 106 | optional_policy(` |
ad3b9d76 CP |
107 | cron_system_entry(checkpc_t,checkpc_exec_t) |
108 | ') | |
109 | ||
bb7170f6 | 110 | optional_policy(` |
ad3b9d76 CP |
111 | logging_send_syslog_msg(checkpc_t) |
112 | ') | |
113 | ||
bb7170f6 | 114 | optional_policy(` |
ad3b9d76 CP |
115 | nis_use_ypbind(checkpc_t) |
116 | ') | |
117 | ||
118 | ######################################## | |
119 | # | |
120 | # Lpd local policy: rules for the lpd_t daemon domain | |
121 | # | |
122 | ||
123 | allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; # NOTE(review): broad set that bypasses file ownership and permission checks; shell and filter execution below is granted to lpd_t itself, so confirm each capability is still needed | |
124 | dontaudit lpd_t self:capability sys_tty_config; | |
2e0a8801 | 125 | allow lpd_t self:process signal_perms; |
c0868a7a | 126 | allow lpd_t self:fifo_file rw_fifo_file_perms; |
ad3b9d76 CP |
127 | allow lpd_t self:unix_stream_socket create_stream_socket_perms; |
128 | allow lpd_t self:unix_dgram_socket create_socket_perms; | |
b516e80f CP |
129 | allow lpd_t self:tcp_socket create_stream_socket_perms; |
130 | allow lpd_t self:udp_socket create_stream_socket_perms; # NOTE(review): stream permission set on a datagram socket class; checkpc_t uses create_socket_perms for udp_socket - confirm which is intended | |
ad3b9d76 | 131 | |
c0868a7a CP |
132 | manage_dirs_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t) |
133 | manage_files_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t) | |
103fe280 | 134 | files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) |
ad3b9d76 | 135 | |
c0868a7a CP |
136 | manage_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t) |
137 | manage_sock_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t) | |
1c1ac67f | 138 | files_pid_filetrans(lpd_t,lpd_var_run_t,file) |
ad3b9d76 CP |
139 | |
140 | # Write to /var/spool/lpd. | |
c0868a7a | 141 | manage_files_pattern(lpd_t,print_spool_t,print_spool_t) |
ad3b9d76 CP |
142 | files_search_spool(lpd_t) |
143 | ||
144 | # lpd must be able to execute the filter utilities in /usr/share/printconf. NOTE(review): can_exec presumably runs them without a domain transition, so filters keep the full lpd_t privileges and write access to printconf_t must stay tightly restricted - confirm. | |
145 | allow lpd_t printconf_t:dir { getattr search read }; | |
146 | can_exec(lpd_t, printconf_t) | |
147 | ||
148 | # Create and bind to /dev/printer. | |
c0868a7a | 149 | allow lpd_t printer_t:lnk_file manage_lnk_file_perms; |
103fe280 | 150 | dev_filetrans(lpd_t,printer_t,lnk_file) |
ad3b9d76 | 151 | |
445522dc | 152 | kernel_read_kernel_sysctls(lpd_t) |
ad3b9d76 CP |
153 | # bash wants access to /proc/meminfo |
154 | kernel_read_system_state(lpd_t) | |
155 | ||
19006686 CP |
156 | corenet_all_recvfrom_unlabeled(lpd_t) |
157 | corenet_all_recvfrom_netlabel(lpd_t) | |
ad3b9d76 CP |
158 | corenet_tcp_sendrecv_all_if(lpd_t) |
159 | corenet_udp_sendrecv_all_if(lpd_t) | |
ad3b9d76 CP |
160 | corenet_tcp_sendrecv_all_nodes(lpd_t) |
161 | corenet_udp_sendrecv_all_nodes(lpd_t) | |
ad3b9d76 CP |
162 | corenet_tcp_sendrecv_all_ports(lpd_t) |
163 | corenet_udp_sendrecv_all_ports(lpd_t) | |
164 | corenet_tcp_bind_all_nodes(lpd_t) | |
ad3b9d76 | 165 | corenet_tcp_bind_printer_port(lpd_t) |
141cffdd | 166 | corenet_sendrecv_printer_server_packets(lpd_t) |
ad3b9d76 CP |
167 | |
168 | dev_read_sysfs(lpd_t) | |
169 | dev_rw_printer(lpd_t) | |
170 | ||
171 | fs_getattr_all_fs(lpd_t) | |
172 | fs_search_auto_mountpoints(lpd_t) | |
173 | ||
ad3b9d76 CP |
174 | # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp |
175 | corecmd_exec_bin(lpd_t) | |
ad3b9d76 CP |
176 | corecmd_exec_shell(lpd_t) |
177 | ||
15722ec9 | 178 | domain_use_interactive_fds(lpd_t) |
ad3b9d76 CP |
179 | |
180 | files_read_etc_runtime_files(lpd_t) | |
181 | files_read_usr_files(lpd_t) | |
182 | # for defoma | |
183 | files_list_world_readable(lpd_t) | |
184 | files_read_world_readable_files(lpd_t) | |
185 | files_read_world_readable_symlinks(lpd_t) | |
186 | files_list_var_lib(lpd_t) | |
187 | files_read_var_lib_files(lpd_t) | |
188 | files_read_var_lib_symlinks(lpd_t) | |
189 | # lpd config files are labeled etc_t, so lpd_t is given read access to generic etc files; a dedicated config type would be tighter (the original author already flagged this as something to change) | |
190 | files_read_etc_files(lpd_t) | |
191 | ||
ad3b9d76 CP |
192 | libs_use_ld_so(lpd_t) |
193 | libs_use_shared_libs(lpd_t) | |
194 | ||
195 | logging_send_syslog_msg(lpd_t) | |
196 | ||
197 | miscfiles_read_fonts(lpd_t) | |
198 | miscfiles_read_localization(lpd_t) | |
199 | ||
200 | sysnet_read_config(lpd_t) | |
201 | ||
15722ec9 | 202 | userdom_dontaudit_use_unpriv_user_fds(lpd_t) |
e9c6cda7 CP |
203 | |
204 | sysadm_dontaudit_search_home_dirs(lpd_t) | |
ad3b9d76 | 205 | |
bb7170f6 | 206 | optional_policy(` |
ad3b9d76 | 207 | nis_use_ypbind(lpd_t) |
ad3b9d76 CP |
208 | ') |
209 | ||
bb7170f6 | 210 | optional_policy(` |
ad3b9d76 CP |
211 | seutil_sigchld_newrole(lpd_t) |
212 | ') | |
213 | ||
bb7170f6 | 214 | optional_policy(` |
ad3b9d76 CP |
215 | udev_read_db(lpd_t) |
216 | ') |