policy_module(cups,1.7.0)

########################################
#
# Declarations
#

# CUPS configuration daemon (cupsd_config_t): started by init through
# its entry-point executable, cupsd_config_exec_t.
type cupsd_config_t;
type cupsd_config_exec_t;
init_daemon_domain(cupsd_config_t,cupsd_config_exec_t)

# pid files of the configuration daemon
type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)

# The print scheduler itself (cupsd_t), started by init through cupsd_exec_t.
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t,cupsd_exec_t)

# cups configuration that cupsd only reads
type cupsd_etc_t;
files_config_file(cupsd_etc_t)

# cups configuration that may be rewritten at runtime; files created inside
# cupsd_etc_t directories get this label (see the filetrans_pattern rules
# in the local policy sections below)
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)

# cupsd log files
type cupsd_log_t;
logging_log_file(cupsd_log_t)

# cups-lpd mini-server: a plain domain (not an init daemon) entered via
# cupsd_lpd_exec_t and run under system_r.
type cupsd_lpd_t;
type cupsd_lpd_exec_t;
domain_type(cupsd_lpd_t)
domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
role system_r types cupsd_lpd_t;

type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)

type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)

type cupsd_tmp_t;
files_pid_file(cupsd_tmp_t)

# cupsd pid file / socket directory.  Marked as an MLS trusted object,
# presumably so that clients at any level can reach cupsd's socket -- confirm.
type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
mls_trusted_object(cupsd_var_run_t)

# HP Linux Imaging and Printing daemon (hplip_t), started by init through hplip_exec_t.
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t,hplip_exec_t)

type hplip_etc_t;
files_config_file(hplip_etc_t)

type hplip_var_run_t;
files_pid_file(hplip_var_run_t)

# HP PTAL (OfficeJet transport) daemon (ptal_t), started by init through ptal_exec_t.
type ptal_t;
type ptal_exec_t;
init_daemon_domain(ptal_t,ptal_exec_t)

type ptal_etc_t;
files_config_file(ptal_etc_t)

type ptal_var_run_t;
files_pid_file(ptal_var_run_t)

# Under MCS/MLS cupsd is started with a range rather than a single level,
# so one scheduler instance can serve every level (see the mls_* rules in
# the cups local policy).
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
')

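########################################
#
# Cups local policy
#

# /usr/lib/cups/backend/serial needs sys_admin(?!)
# NOTE(review): dac_override/dac_read_search together with chown, fowner and
# fsetid let cupsd sidestep DAC on everything its type rules reach; it is
# worth re-checking which backends and filters still need each capability.
# (dac_override was listed twice in this set; the duplicate is dropped and
# the granted set is unchanged.)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown sys_resource sys_tty_config };
# sys_tty_config is already allowed above, so dontauditing it was a no-op;
# only net_admin denials are silenced here.
dontaudit cupsd_t self:capability net_admin;
allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;

# read-only configuration: setattr is the only write cupsd gets on it
allow cupsd_t cupsd_etc_t:{ dir file } setattr;
read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
files_search_etc(cupsd_t)

# writable configuration: files cupsd creates inside cupsd_etc_t
# directories, or under /var, are labeled cupsd_rw_etc_t
manage_dirs_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
manage_files_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
filetrans_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t,file)
files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })

# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;

manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })

manage_dirs_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
manage_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })

# pid file and listening unix socket under /var/run
allow cupsd_t cupsd_var_run_t:dir setattr;
manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)

# hplip configuration and pid file are read-only from cupsd
read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)

allow cupsd_t hplip_var_run_t:file { read getattr };

# connect to the ptal daemon over its unix socket
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
allow cupsd_t ptal_var_run_t : sock_file setattr;

kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)

# network: binds the IPP port (and other reserved ports), and may connect
# out to any TCP port -- corenet_tcp_connect_all_ports is broad; presumably
# needed for remote printers and network backends
corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_all_if(cupsd_t)
corenet_udp_sendrecv_all_if(cupsd_t)
corenet_raw_sendrecv_all_if(cupsd_t)
corenet_tcp_sendrecv_all_nodes(cupsd_t)
corenet_udp_sendrecv_all_nodes(cupsd_t)
corenet_raw_sendrecv_all_nodes(cupsd_t)
corenet_tcp_sendrecv_all_ports(cupsd_t)
corenet_udp_sendrecv_all_ports(cupsd_t)
corenet_tcp_bind_all_nodes(cupsd_t)
corenet_udp_bind_all_nodes(cupsd_t)
corenet_tcp_bind_ipp_port(cupsd_t)
corenet_udp_bind_ipp_port(cupsd_t)
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)

# printer device nodes, usbfs and sysfs
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
dev_read_usbfs(cupsd_t)
dev_getattr_printer_dev(cupsd_t)

domain_read_all_domains_state(cupsd_t)

fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)

# MLS: cupsd is a ranged daemon (see declarations); it reads files at
# higher levels and writes at lower ones, and may be a range transition target
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_down(cupsd_t)
mls_file_read_up(cupsd_t)
mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)

term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)

# transition to the password-checking helper for user authentication
auth_domtrans_chk_passwd(cupsd_t)
auth_dontaudit_read_pam_pid(cupsd_t)

# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)

domain_use_interactive_fds(cupsd_t)

files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
files_search_var_lib(cupsd_t)
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
# Satisfy readahead
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
# smbspool seems to be iterating through all existing tmp files.
# redhat bug #214953
# cjp: this might be a broken behavior
files_dontaudit_getattr_all_tmp_files(cupsd_t)

selinux_compute_access_vector(cupsd_t)

init_exec_script_files(cupsd_t)

libs_use_ld_so(cupsd_t)
libs_use_shared_libs(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
libs_read_lib_files(cupsd_t)

logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)

miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)

seutil_read_config(cupsd_t)

sysnet_read_config(cupsd_t)

userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_all_users_home_content(cupsd_t)

# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)

ifdef(`enable_mls',`
	lpd_relabel_spool(cupsd_t)
')

ifdef(`targeted_policy',`
	files_dontaudit_read_root_files(cupsd_t)

	# NOTE(review): term_use_unallocated_ttys(cupsd_t) is granted
	# unconditionally above, so this dontaudit is probably shadowed --
	# confirm against terminal.if and drop it if so.
	term_dontaudit_use_unallocated_ttys(cupsd_t)
	term_dontaudit_use_generic_ptys(cupsd_t)

	init_stream_connect_script(cupsd_t)

	unconfined_rw_pipes(cupsd_t)

	optional_policy(`
		init_dbus_chat_script(cupsd_t)

		unconfined_dbus_send(cupsd_t)

		dbus_stub(cupsd_t)
	')
')

optional_policy(`
	apm_domtrans_client(cupsd_t)
')

optional_policy(`
	cron_system_entry(cupsd_t, cupsd_exec_t)
')

optional_policy(`
	dbus_system_bus_client_template(cupsd,cupsd_t)
	dbus_send_system_bus(cupsd_t)

	userdom_dbus_send_all_users(cupsd_t)

	optional_policy(`
		hal_dbus_chat(cupsd_t)
	')
')

optional_policy(`
	hostname_exec(cupsd_t)
')

optional_policy(`
	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
')

optional_policy(`
	logrotate_domtrans(cupsd_t)
')

optional_policy(`
	nscd_socket_use(cupsd_t)
')

optional_policy(`
	# cups execs smbtool which reads samba_etc_t files
	samba_read_config(cupsd_t)
	samba_rw_var_files(cupsd_t)
')

optional_policy(`
	seutil_sigchld_newrole(cupsd_t)
')

optional_policy(`
	udev_read_db(cupsd_t)
')
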
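########################################
#
# Cups configuration daemon local policy
#

allow cupsd_config_t self:capability { chown sys_tty_config };
# (a dontaudit of sys_tty_config used to follow; it was a no-op because the
# capability is allowed above, so it has been dropped)
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;

# may signal the running cupsd and inspect it through /proc
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t,cupsd_t)

# Unlike cupsd_t, this domain gets full manage rights on cupsd_etc_t: it is
# the domain trusted to rewrite the otherwise read-only cups configuration.
manage_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
manage_lnk_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
filetrans_pattern(cupsd_config_t,cupsd_etc_t,cupsd_rw_etc_t,file)

manage_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
manage_lnk_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)

can_exec(cupsd_config_t, cupsd_config_exec_t)

allow cupsd_config_t cupsd_log_t:file rw_file_perms;

allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })

# cupsd's pid file is read-only from here
allow cupsd_config_t cupsd_var_run_t:file { getattr read };

manage_files_pattern(cupsd_config_t,cupsd_config_var_run_t,cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)

kernel_read_system_state(cupsd_config_t)
kernel_read_kernel_sysctls(cupsd_config_t)

# outbound TCP client only (no bind rules); connect_all_ports is broad
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_all_if(cupsd_config_t)
corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)

dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)

fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)

corecmd_exec_bin(cupsd_config_t)
corecmd_exec_shell(cupsd_config_t)

domain_use_interactive_fds(cupsd_config_t)
# killall causes the following
domain_dontaudit_search_all_domains_state(cupsd_config_t)

files_read_usr_files(cupsd_config_t)
files_read_etc_files(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)

# Alternatives asks for this
init_getattr_script_files(cupsd_config_t)

libs_use_ld_so(cupsd_config_t)
libs_use_shared_libs(cupsd_config_t)

logging_send_syslog_msg(cupsd_config_t)

miscfiles_read_localization(cupsd_config_t)

seutil_dontaudit_search_config(cupsd_config_t)

sysnet_read_config(cupsd_config_t)

userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)

lpd_read_config(cupsd_config_t)

cups_stream_connect(cupsd_config_t)

# The former ifdef(`distro_redhat') block was removed: it only repeated
# init_getattr_script_files() (granted unconditionally above) and the
# rpm_read_db() optional_policy (present unconditionally below).

ifdef(`targeted_policy',`
	files_dontaudit_read_root_files(cupsd_config_t)

	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
	term_use_generic_ptys(cupsd_config_t)

	unconfined_rw_pipes(cupsd_config_t)
')

optional_policy(`
	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')

optional_policy(`
	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
	dbus_connect_system_bus(cupsd_config_t)
	dbus_send_system_bus(cupsd_config_t)

	optional_policy(`
		hal_dbus_chat(cupsd_config_t)
	')
')

optional_policy(`
	hal_domtrans(cupsd_config_t)
	hal_read_tmp_files(cupsd_config_t)
')

optional_policy(`
	hostname_exec(cupsd_config_t)
')

optional_policy(`
	logrotate_use_fds(cupsd_config_t)
')

optional_policy(`
	nis_use_ypbind(cupsd_config_t)
')

optional_policy(`
	nscd_socket_use(cupsd_config_t)
')

optional_policy(`
	rpm_read_db(cupsd_config_t)
')

optional_policy(`
	seutil_sigchld_newrole(cupsd_config_t)
')

optional_policy(`
	udev_read_db(cupsd_config_t)
')
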
########################################
#
# Cups lpd support
#

allow cupsd_lpd_t self:process signal_perms;
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
# connected_stream_socket_perms only (no create/bind): consistent with the
# socket being inherited already-connected from inetd (see
# inetd_service_domain below)
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;

# for identd
# cjp: this should probably only be inetd_child rules?
# NOTE(review): setuid/setgid, home directory search and kerberos are all
# granted to the whole lpd domain for the identd case; worth confirming
# they are still required here rather than in the inetd child domain.
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t self:capability { setuid setgid };
files_search_home(cupsd_lpd_t)
optional_policy(`
	kerberos_use(cupsd_lpd_t)
')
#end for identd

# cups configuration (both read-only and runtime-rewritten) is read-only here
allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
read_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
read_lnk_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)

allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
read_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
read_lnk_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)

manage_dirs_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
manage_files_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })

manage_files_pattern(cupsd_lpd_t,cupsd_lpd_var_run_t,cupsd_lpd_var_run_t)
files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)

kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)

# network: forwards jobs to cupsd over IPP (connect_ipp_port); no connect_all_ports here
corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
corenet_udp_sendrecv_all_if(cupsd_lpd_t)
corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_all_nodes(cupsd_lpd_t)
corenet_udp_bind_all_nodes(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)

dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)

fs_getattr_xattr_fs(cupsd_lpd_t)

files_read_etc_files(cupsd_lpd_t)

libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)

logging_send_syslog_msg(cupsd_lpd_t)

miscfiles_read_localization(cupsd_lpd_t)

sysnet_read_config(cupsd_lpd_t)

# local path to cupsd via its unix socket
cups_stream_connect(cupsd_lpd_t)

optional_policy(`
	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')

optional_policy(`
	nis_use_ypbind(cupsd_lpd_t)
')

optional_policy(`
	nscd_socket_use(cupsd_lpd_t)
')

########################################
#
# HPLIP local policy
#

# Needed for USB Scanner and xsane
# net_raw together with the rawip_socket rule below means hplip can craft
# raw IP packets; keep an eye on whether the network (JetDirect) probing
# still needs it.
allow hplip_t self:capability { dac_override dac_read_search net_raw };
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
allow hplip_t self:tcp_socket create_stream_socket_perms;
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;

# only directory search on the cups configuration, no file reads
allow hplip_t cupsd_etc_t:dir search;

cups_stream_connect(hplip_t)

allow hplip_t hplip_etc_t:dir list_dir_perms;
read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
files_search_etc(hplip_t)

manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)

kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)

# network: serves the hplip port, connects to hplip and IPP ports;
# raw send/recv matches the rawip_socket rule above
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_all_if(hplip_t)
corenet_udp_sendrecv_all_if(hplip_t)
corenet_raw_sendrecv_all_if(hplip_t)
corenet_tcp_sendrecv_all_nodes(hplip_t)
corenet_udp_sendrecv_all_nodes(hplip_t)
corenet_raw_sendrecv_all_nodes(hplip_t)
corenet_tcp_sendrecv_all_ports(hplip_t)
corenet_udp_sendrecv_all_ports(hplip_t)
corenet_tcp_bind_all_nodes(hplip_t)
corenet_udp_bind_all_nodes(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)

# printer, generic USB devices and usbfs (USB scanners)
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_read_usbfs(hplip_t)

fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)

# for python
corecmd_exec_bin(hplip_t)

domain_use_interactive_fds(hplip_t)

files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)

libs_use_ld_so(hplip_t)
libs_use_shared_libs(hplip_t)

logging_send_syslog_msg(hplip_t)

miscfiles_read_localization(hplip_t)

sysnet_read_config(hplip_t)

userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)

# NOTE(review): every other rule in this section targets hplip_t, but this
# one grants cupsd_t; it looks like a copy/paste slip and hplip_t was
# intended.  Confirm whether hplip needs lpd config and whether cupsd_t
# still relies on this grant before changing it.
lpd_read_config(cupsd_t)

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_ttys(hplip_t)
	term_dontaudit_use_generic_ptys(hplip_t)
	files_dontaudit_read_root_files(hplip_t)
')

optional_policy(`
	seutil_sigchld_newrole(hplip_t)
')

optional_policy(`
	snmp_read_snmp_var_lib_files(hplip_t)
')

optional_policy(`
	udev_read_db(hplip_t)
')

########################################
#
# PTAL local policy
#

# sys_rawio gives raw device I/O; presumably for direct parallel/USB port
# access to the printer -- confirm it is still needed
allow ptal_t self:capability { chown sys_rawio };
dontaudit ptal_t self:capability sys_tty_config;
allow ptal_t self:fifo_file rw_fifo_file_perms;
allow ptal_t self:unix_dgram_socket create_socket_perms;
allow ptal_t self:unix_stream_socket create_stream_socket_perms;
allow ptal_t self:tcp_socket create_stream_socket_perms;

allow ptal_t ptal_etc_t:dir list_dir_perms;
read_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
read_lnk_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
files_search_etc(ptal_t)

# /var/run state: pid file plus the unix socket that cupsd connects to
# (stream_connect_pattern in the cups local policy)
manage_dirs_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
manage_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
manage_lnk_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
manage_fifo_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
manage_sock_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)

# TCP server on the ptal port only; no outbound connect rules
corenet_all_recvfrom_unlabeled(ptal_t)
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_all_if(ptal_t)
corenet_tcp_sendrecv_all_nodes(ptal_t)
corenet_tcp_sendrecv_all_ports(ptal_t)
corenet_tcp_bind_all_nodes(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)

dev_read_sysfs(ptal_t)
dev_read_usbfs(ptal_t)
dev_rw_printer(ptal_t)

fs_getattr_all_fs(ptal_t)
fs_search_auto_mountpoints(ptal_t)

domain_use_interactive_fds(ptal_t)

files_read_etc_files(ptal_t)
files_read_etc_runtime_files(ptal_t)

libs_use_ld_so(ptal_t)
libs_use_shared_libs(ptal_t)

logging_send_syslog_msg(ptal_t)

miscfiles_read_localization(ptal_t)

sysnet_read_config(ptal_t)

userdom_dontaudit_use_unpriv_user_fds(ptal_t)
userdom_dontaudit_search_all_users_home_content(ptal_t)

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_ttys(ptal_t)
	term_dontaudit_use_generic_ptys(ptal_t)
	files_dontaudit_read_root_files(ptal_t)
')

optional_policy(`
	seutil_sigchld_newrole(ptal_t)
')

optional_policy(`
	udev_read_db(ptal_t)
')