policy_module(cups, 1.11.1)

########################################
#
# Declarations
#
# Types for the CUPS scheduler (cupsd_t), its configuration helper
# (cupsd_config_t), the lpd compatibility service (cupsd_lpd_t) and the
# HP printer backends (hplip_t, ptal_t), together with the file types
# each domain owns.  The access rules for each domain follow in its own
# section below.

# Configuration helper: started by init as a daemon domain.
type cupsd_config_t;
type cupsd_config_exec_t;
init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)

type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)

# The scheduler itself.
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)

# Two configuration types: cupsd_etc_t is the static configuration,
# cupsd_rw_etc_t is configuration the daemons rewrite at runtime.
# Keeping them apart lets the scheduler be restricted to modifying only
# the latter (see the cupsd_t rules).
type cupsd_etc_t;
files_config_file(cupsd_etc_t)

type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)

type cupsd_log_t;
logging_log_file(cupsd_log_t)

# lpd compatibility service.  Not an init daemon: it is a plain domain
# with an entry point and is placed in system_r; its section grants
# inetd_service_domain, which is how it is expected to be spawned.
type cupsd_lpd_t;
type cupsd_lpd_exec_t;
domain_type(cupsd_lpd_t)
domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
role system_r types cupsd_lpd_t;

type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)

type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)

type cupsd_tmp_t;
files_tmp_file(cupsd_tmp_t)

# Runtime directory (pid file and listening socket).  Marked as an MLS
# trusted object so that clients at other levels can reach it; any new
# content placed under this type inherits that exemption, so keep it to
# the pid file and socket.
type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
mls_trusted_object(cupsd_var_run_t)

# HPLIP backend daemon.
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)

type hplip_etc_t;
files_config_file(hplip_etc_t)

type hplip_var_run_t;
files_pid_file(hplip_var_run_t)

# PTAL (HP OfficeJet) backend daemon.
type ptal_t;
type ptal_exec_t;
init_daemon_domain(ptal_t, ptal_exec_t)

type ptal_etc_t;
files_config_file(ptal_etc_t)

type ptal_var_run_t;
files_pid_file(ptal_var_run_t)

# Under MCS/MLS the scheduler runs as a ranged domain covering the whole
# category/level range, presumably so it can service jobs from any
# level; the mls_file_* rules in its section are what actually let it
# touch content at those levels.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
')
75
76 ########################################
77 #
78 # Cups local policy
79 #
80
81 # /usr/lib/cups/backend/serial needs sys_admin(?!)
82 allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
83 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
84 allow cupsd_t self:process { setsched signal_perms };
85 allow cupsd_t self:fifo_file rw_file_perms;
86 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
87 allow cupsd_t self:unix_dgram_socket create_socket_perms;
88 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
89 allow cupsd_t self:tcp_socket create_stream_socket_perms;
90 allow cupsd_t self:udp_socket create_socket_perms;
91 allow cupsd_t self:appletalk_socket create_socket_perms;
92 # generic socket here until appletalk socket is available in kernels
93 allow cupsd_t self:socket create_socket_perms;
94
95 allow cupsd_t cupsd_etc_t:{ dir file } setattr;
96 read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
97 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
98 files_search_etc(cupsd_t)
99
100 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
101 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
102 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
103 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
104
105 # allow cups to execute its backend scripts
106 can_exec(cupsd_t, cupsd_exec_t)
107 allow cupsd_t cupsd_exec_t:dir search;
108 allow cupsd_t cupsd_exec_t:lnk_file read;
109
110 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
111 allow cupsd_t cupsd_log_t:dir setattr;
112 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
113
114 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
115 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
116 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
117 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
118
119 allow cupsd_t cupsd_var_run_t:dir setattr;
120 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
121 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
122 files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
123
124 read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
125
126 allow cupsd_t hplip_var_run_t:file read_file_perms;
127
128 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
129 allow cupsd_t ptal_var_run_t : sock_file setattr;
130
131 kernel_read_system_state(cupsd_t)
132 kernel_read_network_state(cupsd_t)
133 kernel_read_all_sysctls(cupsd_t)
134
135 corenet_all_recvfrom_unlabeled(cupsd_t)
136 corenet_all_recvfrom_netlabel(cupsd_t)
137 corenet_tcp_sendrecv_all_if(cupsd_t)
138 corenet_udp_sendrecv_all_if(cupsd_t)
139 corenet_raw_sendrecv_all_if(cupsd_t)
140 corenet_tcp_sendrecv_all_nodes(cupsd_t)
141 corenet_udp_sendrecv_all_nodes(cupsd_t)
142 corenet_raw_sendrecv_all_nodes(cupsd_t)
143 corenet_tcp_sendrecv_all_ports(cupsd_t)
144 corenet_udp_sendrecv_all_ports(cupsd_t)
145 corenet_tcp_bind_all_nodes(cupsd_t)
146 corenet_udp_bind_all_nodes(cupsd_t)
147 corenet_tcp_bind_ipp_port(cupsd_t)
148 corenet_udp_bind_ipp_port(cupsd_t)
149 corenet_tcp_bind_reserved_port(cupsd_t)
150 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
151 corenet_tcp_connect_all_ports(cupsd_t)
152 corenet_sendrecv_hplip_client_packets(cupsd_t)
153 corenet_sendrecv_ipp_client_packets(cupsd_t)
154 corenet_sendrecv_ipp_server_packets(cupsd_t)
155
156 dev_rw_printer(cupsd_t)
157 dev_read_urand(cupsd_t)
158 dev_read_sysfs(cupsd_t)
159 dev_read_usbfs(cupsd_t)
160 dev_getattr_printer_dev(cupsd_t)
161
162 domain_read_all_domains_state(cupsd_t)
163
164 fs_getattr_all_fs(cupsd_t)
165 fs_search_auto_mountpoints(cupsd_t)
166
167 mls_file_downgrade(cupsd_t)
168 mls_file_write_all_levels(cupsd_t)
169 mls_file_read_all_levels(cupsd_t)
170 mls_socket_write_all_levels(cupsd_t)
171
172 term_use_unallocated_ttys(cupsd_t)
173 term_search_ptys(cupsd_t)
174
175 auth_domtrans_chk_passwd(cupsd_t)
176 auth_dontaudit_read_pam_pid(cupsd_t)
177
178 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
179 corecmd_exec_shell(cupsd_t)
180 corecmd_exec_bin(cupsd_t)
181
182 domain_use_interactive_fds(cupsd_t)
183
184 files_read_etc_files(cupsd_t)
185 files_read_etc_runtime_files(cupsd_t)
186 # read python modules
187 files_read_usr_files(cupsd_t)
188 # for /var/lib/defoma
189 files_search_var_lib(cupsd_t)
190 files_list_world_readable(cupsd_t)
191 files_read_world_readable_files(cupsd_t)
192 files_read_world_readable_symlinks(cupsd_t)
193 # Satisfy readahead
194 files_read_var_files(cupsd_t)
195 files_read_var_symlinks(cupsd_t)
196 # for /etc/printcap
197 files_dontaudit_write_etc_files(cupsd_t)
198 # smbspool seems to be iterating through all existing tmp files.
199 # redhat bug #214953
200 # cjp: this might be a broken behavior
201 files_dontaudit_getattr_all_tmp_files(cupsd_t)
202
203 selinux_compute_access_vector(cupsd_t)
204
205 init_exec_script_files(cupsd_t)
206
207 auth_use_nsswitch(cupsd_t)
208
209 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
210 libs_read_lib_files(cupsd_t)
211
212 logging_send_audit_msgs(cupsd_t)
213 logging_send_syslog_msg(cupsd_t)
214
215 miscfiles_read_localization(cupsd_t)
216 # invoking ghostscript needs to read fonts
217 miscfiles_read_fonts(cupsd_t)
218
219 seutil_read_config(cupsd_t)
220
221 sysnet_read_config(cupsd_t)
222
223 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
224 userdom_dontaudit_search_user_home_content(cupsd_t)
225
226 # Write to /var/spool/cups.
227 lpd_manage_spool(cupsd_t)
228
229 ifdef(`enable_mls',`
230 lpd_relabel_spool(cupsd_t)
231 ')
232
233 optional_policy(`
234 apm_domtrans_client(cupsd_t)
235 ')
236
237 optional_policy(`
238 cron_system_entry(cupsd_t, cupsd_exec_t)
239 ')
240
241 optional_policy(`
242 dbus_system_bus_client(cupsd_t)
243
244 userdom_dbus_send_all_users(cupsd_t)
245
246 optional_policy(`
247 hal_dbus_chat(cupsd_t)
248 ')
249 ')
250
251 optional_policy(`
252 hostname_exec(cupsd_t)
253 ')
254
255 optional_policy(`
256 inetd_core_service_domain(cupsd_t, cupsd_exec_t)
257 ')
258
259 optional_policy(`
260 logrotate_domtrans(cupsd_t)
261 ')
262
263 optional_policy(`
264 # cups execs smbtool which reads samba_etc_t files
265 samba_read_config(cupsd_t)
266 samba_rw_var_files(cupsd_t)
267 ')
268
269 optional_policy(`
270 seutil_sigchld_newrole(cupsd_t)
271 ')
272
273 optional_policy(`
274 udev_read_db(cupsd_t)
275 ')
276
277 ########################################
278 #
279 # Cups configuration daemon local policy
280 #
281
282 allow cupsd_config_t self:capability { chown sys_tty_config };
283 dontaudit cupsd_config_t self:capability sys_tty_config;
284 allow cupsd_config_t self:process signal_perms;
285 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
286 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
287 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
288 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
289
290 allow cupsd_config_t cupsd_t:process signal;
291 ps_process_pattern(cupsd_config_t, cupsd_t)
292
293 manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
294 manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
295 filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
296
297 manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
298 manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
299 files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
300
301 can_exec(cupsd_config_t, cupsd_config_exec_t)
302
303 allow cupsd_config_t cupsd_log_t:file rw_file_perms;
304
305 allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
306 files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
307
308 allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
309
310 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
311 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
312
313 kernel_read_system_state(cupsd_config_t)
314 kernel_read_kernel_sysctls(cupsd_config_t)
315
316 corenet_all_recvfrom_unlabeled(cupsd_config_t)
317 corenet_all_recvfrom_netlabel(cupsd_config_t)
318 corenet_tcp_sendrecv_all_if(cupsd_config_t)
319 corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
320 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
321 corenet_tcp_connect_all_ports(cupsd_config_t)
322 corenet_sendrecv_all_client_packets(cupsd_config_t)
323
324 dev_read_sysfs(cupsd_config_t)
325 dev_read_urand(cupsd_config_t)
326 dev_read_rand(cupsd_config_t)
327
328 fs_getattr_all_fs(cupsd_config_t)
329 fs_search_auto_mountpoints(cupsd_config_t)
330
331 corecmd_exec_bin(cupsd_config_t)
332 corecmd_exec_shell(cupsd_config_t)
333
334 domain_use_interactive_fds(cupsd_config_t)
335 # killall causes the following
336 domain_dontaudit_search_all_domains_state(cupsd_config_t)
337
338 files_read_usr_files(cupsd_config_t)
339 files_read_etc_files(cupsd_config_t)
340 files_read_etc_runtime_files(cupsd_config_t)
341 files_read_var_symlinks(cupsd_config_t)
342
343 # Alternatives asks for this
344 init_getattr_script_files(cupsd_config_t)
345
346 auth_use_nsswitch(cupsd_config_t)
347
348 logging_send_syslog_msg(cupsd_config_t)
349
350 miscfiles_read_localization(cupsd_config_t)
351
352 seutil_dontaudit_search_config(cupsd_config_t)
353
354 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
355 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
356
357 cups_stream_connect(cupsd_config_t)
358
359 lpd_read_config(cupsd_config_t)
360
361 ifdef(`distro_redhat',`
362 init_getattr_script_files(cupsd_config_t)
363
364 optional_policy(`
365 rpm_read_db(cupsd_config_t)
366 ')
367 ')
368
369 optional_policy(`
370 cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
371 ')
372
373 optional_policy(`
374 dbus_system_bus_client(cupsd_config_t)
375 dbus_connect_system_bus(cupsd_config_t)
376
377 optional_policy(`
378 hal_dbus_chat(cupsd_config_t)
379 ')
380 ')
381
382 optional_policy(`
383 hal_domtrans(cupsd_config_t)
384 hal_read_tmp_files(cupsd_config_t)
385 ')
386
387 optional_policy(`
388 hostname_exec(cupsd_config_t)
389 ')
390
391 optional_policy(`
392 logrotate_use_fds(cupsd_config_t)
393 ')
394
395 optional_policy(`
396 rpm_read_db(cupsd_config_t)
397 ')
398
399 optional_policy(`
400 seutil_sigchld_newrole(cupsd_config_t)
401 ')
402
403 optional_policy(`
404 udev_read_db(cupsd_config_t)
405 ')
406
407 ########################################
408 #
409 # Cups lpd support
410 #
411
412 allow cupsd_lpd_t self:process signal_perms;
413 allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
414 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
415 allow cupsd_lpd_t self:udp_socket create_socket_perms;
416
417 # for identd
418 # cjp: this should probably only be inetd_child rules?
419 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
420 allow cupsd_lpd_t self:capability { setuid setgid };
421 files_search_home(cupsd_lpd_t)
422 optional_policy(`
423 kerberos_use(cupsd_lpd_t)
424 ')
425 #end for identd
426
427 allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
428 read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
429 read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
430
431 allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
432 read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
433 read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
434
435 manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
436 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
437 files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
438
439 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
440 files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
441
442 kernel_read_kernel_sysctls(cupsd_lpd_t)
443 kernel_read_system_state(cupsd_lpd_t)
444 kernel_read_network_state(cupsd_lpd_t)
445
446 corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
447 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
448 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
449 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
450 corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
451 corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
452 corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
453 corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
454 corenet_tcp_bind_all_nodes(cupsd_lpd_t)
455 corenet_udp_bind_all_nodes(cupsd_lpd_t)
456 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
457
458 dev_read_urand(cupsd_lpd_t)
459 dev_read_rand(cupsd_lpd_t)
460
461 fs_getattr_xattr_fs(cupsd_lpd_t)
462
463 files_read_etc_files(cupsd_lpd_t)
464
465 auth_use_nsswitch(cupsd_lpd_t)
466
467 logging_send_syslog_msg(cupsd_lpd_t)
468
469 miscfiles_read_localization(cupsd_lpd_t)
470
471 cups_stream_connect(cupsd_lpd_t)
472
473 optional_policy(`
474 inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
475 ')
476
477 ########################################
478 #
479 # HPLIP local policy
480 #
481
482 # Needed for USB Scanneer and xsane
483 allow hplip_t self:capability { dac_override dac_read_search net_raw };
484 dontaudit hplip_t self:capability sys_tty_config;
485 allow hplip_t self:fifo_file rw_fifo_file_perms;
486 allow hplip_t self:process signal_perms;
487 allow hplip_t self:unix_dgram_socket create_socket_perms;
488 allow hplip_t self:unix_stream_socket create_socket_perms;
489 allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
490 allow hplip_t self:tcp_socket create_stream_socket_perms;
491 allow hplip_t self:udp_socket create_socket_perms;
492 allow hplip_t self:rawip_socket create_socket_perms;
493
494 allow hplip_t cupsd_etc_t:dir search;
495
496 cups_stream_connect(hplip_t)
497
498 allow hplip_t hplip_etc_t:dir list_dir_perms;
499 read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
500 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
501 files_search_etc(hplip_t)
502
503 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
504 files_pid_filetrans(hplip_t, hplip_var_run_t, file)
505
506 kernel_read_system_state(hplip_t)
507 kernel_read_kernel_sysctls(hplip_t)
508
509 corenet_all_recvfrom_unlabeled(hplip_t)
510 corenet_all_recvfrom_netlabel(hplip_t)
511 corenet_tcp_sendrecv_all_if(hplip_t)
512 corenet_udp_sendrecv_all_if(hplip_t)
513 corenet_raw_sendrecv_all_if(hplip_t)
514 corenet_tcp_sendrecv_all_nodes(hplip_t)
515 corenet_udp_sendrecv_all_nodes(hplip_t)
516 corenet_raw_sendrecv_all_nodes(hplip_t)
517 corenet_tcp_sendrecv_all_ports(hplip_t)
518 corenet_udp_sendrecv_all_ports(hplip_t)
519 corenet_tcp_bind_all_nodes(hplip_t)
520 corenet_udp_bind_all_nodes(hplip_t)
521 corenet_tcp_bind_hplip_port(hplip_t)
522 corenet_tcp_connect_hplip_port(hplip_t)
523 corenet_tcp_connect_ipp_port(hplip_t)
524 corenet_sendrecv_hplip_client_packets(hplip_t)
525 corenet_receive_hplip_server_packets(hplip_t)
526
527 dev_read_sysfs(hplip_t)
528 dev_rw_printer(hplip_t)
529 dev_read_urand(hplip_t)
530 dev_read_rand(hplip_t)
531 dev_rw_generic_usb_dev(hplip_t)
532 dev_read_usbfs(hplip_t)
533
534 fs_getattr_all_fs(hplip_t)
535 fs_search_auto_mountpoints(hplip_t)
536
537 # for python
538 corecmd_exec_bin(hplip_t)
539
540 domain_use_interactive_fds(hplip_t)
541
542 files_read_etc_files(hplip_t)
543 files_read_etc_runtime_files(hplip_t)
544 files_read_usr_files(hplip_t)
545
546 logging_send_syslog_msg(hplip_t)
547
548 miscfiles_read_localization(hplip_t)
549
550 sysnet_read_config(hplip_t)
551
552 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
553 userdom_dontaudit_search_user_home_dirs(hplip_t)
554 userdom_dontaudit_search_user_home_content(hplip_t)
555
556 lpd_read_config(cupsd_t)
557
558 optional_policy(`
559 dbus_system_bus_client(hplip_t)
560 ')
561
562 optional_policy(`
563 seutil_sigchld_newrole(hplip_t)
564 ')
565
566 optional_policy(`
567 snmp_read_snmp_var_lib_files(hplip_t)
568 ')
569
570 optional_policy(`
571 udev_read_db(hplip_t)
572 ')
573
574 ########################################
575 #
576 # PTAL local policy
577 #
578
579 allow ptal_t self:capability { chown sys_rawio };
580 dontaudit ptal_t self:capability sys_tty_config;
581 allow ptal_t self:fifo_file rw_fifo_file_perms;
582 allow ptal_t self:unix_dgram_socket create_socket_perms;
583 allow ptal_t self:unix_stream_socket create_stream_socket_perms;
584 allow ptal_t self:tcp_socket create_stream_socket_perms;
585
586 allow ptal_t ptal_etc_t:dir list_dir_perms;
587 read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
588 read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
589 files_search_etc(ptal_t)
590
591 manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
592 manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
593 manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
594 manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
595 manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
596 files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file })
597
598 kernel_read_kernel_sysctls(ptal_t)
599 kernel_list_proc(ptal_t)
600 kernel_read_proc_symlinks(ptal_t)
601
602 corenet_all_recvfrom_unlabeled(ptal_t)
603 corenet_all_recvfrom_netlabel(ptal_t)
604 corenet_tcp_sendrecv_all_if(ptal_t)
605 corenet_tcp_sendrecv_all_nodes(ptal_t)
606 corenet_tcp_sendrecv_all_ports(ptal_t)
607 corenet_tcp_bind_all_nodes(ptal_t)
608 corenet_tcp_bind_ptal_port(ptal_t)
609
610 dev_read_sysfs(ptal_t)
611 dev_read_usbfs(ptal_t)
612 dev_rw_printer(ptal_t)
613
614 fs_getattr_all_fs(ptal_t)
615 fs_search_auto_mountpoints(ptal_t)
616
617 domain_use_interactive_fds(ptal_t)
618
619 files_read_etc_files(ptal_t)
620 files_read_etc_runtime_files(ptal_t)
621
622 logging_send_syslog_msg(ptal_t)
623
624 miscfiles_read_localization(ptal_t)
625
626 sysnet_read_config(ptal_t)
627
628 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
629 userdom_dontaudit_search_user_home_content(ptal_t)
630
631 optional_policy(`
632 seutil_sigchld_newrole(ptal_t)
633 ')
634
635 optional_policy(`
636 udev_read_db(ptal_t)
637 ')