# CUPS policy module, declaration part: names the domains (cupsd_t,
# cupsd_config_t, cupsd_lpd_t, hplip_t, ptal_t) and the file types they own.
# NOTE(review): the number at the start of each line is the line number from the
# original file. The gaps show that some lines are not reproduced in this
# listing; for example cupsd_config_t, cupsd_t and cupsd_etc_t are used below
# without a visible `type` declaration. Confirm against the full file.
2 policy_module(cups, 1.11.1)
4 ########################################
10 type cupsd_config_exec_t;
11 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
13 type cupsd_config_var_run_t;
14 files_pid_file(cupsd_config_var_run_t)
18 init_daemon_domain(cupsd_t, cupsd_exec_t)
# Two config types: cupsd_etc_t and cupsd_rw_etc_t. The local policy below gives
# cupsd_t read access to the first and manage access to the second.
21 files_config_file(cupsd_etc_t)
24 files_config_file(cupsd_rw_etc_t)
27 logging_log_file(cupsd_log_t)
# cupsd_lpd_t is declared as a plain domain with an entry file instead of
# through init_daemon_domain; its local policy section registers it with
# inetd_service_domain.
30 type cupsd_lpd_exec_t;
31 domain_type(cupsd_lpd_t)
32 domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
33 role system_r types cupsd_lpd_t;
36 files_tmp_file(cupsd_lpd_tmp_t)
38 type cupsd_lpd_var_run_t;
39 files_pid_file(cupsd_lpd_var_run_t)
42 files_tmp_file(cupsd_tmp_t)
45 files_pid_file(cupsd_var_run_t)
# Marks the cupsd runtime type as an MLS trusted object.
# NOTE(review): presumably so clients at any sensitivity level can reach the
# CUPS socket stored under this type - confirm.
46 mls_trusted_object(cupsd_var_run_t)
50 init_daemon_domain(hplip_t, hplip_exec_t)
53 files_config_file(hplip_etc_t)
56 files_pid_file(hplip_var_run_t)
60 init_daemon_domain(ptal_t, ptal_exec_t)
63 files_config_file(ptal_etc_t)
66 files_pid_file(ptal_var_run_t)
# NOTE(review): the two ranged declarations differ only in the range argument
# (s0 - mcs_systemhigh vs mls_systemhigh). The skipped line numbers around them
# suggest each sits inside a build conditional (MCS vs MLS) that this listing
# does not show - confirm before reading them as both being active.
69 init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
73 init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
76 ########################################
# cupsd_t local policy, first part: capabilities, the daemon's own IPC and
# socket objects, and access to the CUPS-owned file types.
81 # /usr/lib/cups/backend/serial needs sys_admin(?!)
# NOTE(review): sys_admin is a very broad capability and the comment above
# already questions it. dac_override appears twice in this set (a harmless
# duplicate). dac_override and dac_read_search bypass ordinary file-permission
# checks, so the type rules below are the effective limit on file access.
82 allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
# sys_tty_config is also in the allow set above, so this dontaudit only has an
# effect for net_admin.
83 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
84 allow cupsd_t self:process { setsched signal_perms };
85 allow cupsd_t self:fifo_file rw_file_perms;
86 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
87 allow cupsd_t self:unix_dgram_socket create_socket_perms;
88 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
89 allow cupsd_t self:tcp_socket create_stream_socket_perms;
90 allow cupsd_t self:udp_socket create_socket_perms;
91 allow cupsd_t self:appletalk_socket create_socket_perms;
92 # generic socket here until appletalk socket is available in kernels
93 allow cupsd_t self:socket create_socket_perms;
# cupsd_etc_t: read access plus setattr on directories and files.
95 allow cupsd_t cupsd_etc_t:{ dir file } setattr;
96 read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
97 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
98 files_search_etc(cupsd_t)
# cupsd_rw_etc_t: full manage access. Files that cupsd_t creates inside a
# cupsd_etc_t directory are given the cupsd_rw_etc_t type by the filetrans rule,
# so the daemon's own writes do not land on the read-only config type.
100 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
101 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
102 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
103 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
105 # allow cups to execute its backend scripts
# can_exec runs the program without a domain transition, so anything labeled
# cupsd_exec_t that the daemon executes keeps every permission granted to
# cupsd_t in this section.
106 can_exec(cupsd_t, cupsd_exec_t)
107 allow cupsd_t cupsd_exec_t:dir search;
108 allow cupsd_t cupsd_exec_t:lnk_file read;
# Log, temporary and runtime files: managed by cupsd_t, with type transitions so
# new objects in the log, tmp and pid directories receive the CUPS types.
110 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
111 allow cupsd_t cupsd_log_t:dir setattr;
112 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
114 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
115 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
116 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
117 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
119 allow cupsd_t cupsd_var_run_t:dir setattr;
120 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
121 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
122 files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
# Access to the other printing domains: read hplip config and runtime files,
# and connect to ptal_t over its stream socket under ptal_var_run_t.
124 read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
126 allow cupsd_t hplip_var_run_t:file read_file_perms;
128 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
129 allow cupsd_t ptal_var_run_t : sock_file setattr;
# cupsd_t local policy, second part: interface calls into the kernel, network,
# device, MLS, file, auth and other service modules.
131 kernel_read_system_state(cupsd_t)
132 kernel_read_network_state(cupsd_t)
133 kernel_read_all_sysctls(cupsd_t)
# Network: send/receive on all interfaces, nodes and ports for TCP and UDP
# (raw on interfaces and nodes), bind on all nodes, and bind the IPP port.
135 corenet_all_recvfrom_unlabeled(cupsd_t)
136 corenet_all_recvfrom_netlabel(cupsd_t)
137 corenet_tcp_sendrecv_all_if(cupsd_t)
138 corenet_udp_sendrecv_all_if(cupsd_t)
139 corenet_raw_sendrecv_all_if(cupsd_t)
140 corenet_tcp_sendrecv_all_nodes(cupsd_t)
141 corenet_udp_sendrecv_all_nodes(cupsd_t)
142 corenet_raw_sendrecv_all_nodes(cupsd_t)
143 corenet_tcp_sendrecv_all_ports(cupsd_t)
144 corenet_udp_sendrecv_all_ports(cupsd_t)
145 corenet_tcp_bind_all_nodes(cupsd_t)
146 corenet_udp_bind_all_nodes(cupsd_t)
147 corenet_tcp_bind_ipp_port(cupsd_t)
148 corenet_udp_bind_ipp_port(cupsd_t)
149 corenet_tcp_bind_reserved_port(cupsd_t)
150 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
# NOTE(review): outbound TCP connections are allowed to every port, not only
# printing ports. Presumably needed for backends that reach remote printers on
# arbitrary ports - confirm whether this can be narrowed for a given deployment.
151 corenet_tcp_connect_all_ports(cupsd_t)
152 corenet_sendrecv_hplip_client_packets(cupsd_t)
153 corenet_sendrecv_ipp_client_packets(cupsd_t)
154 corenet_sendrecv_ipp_server_packets(cupsd_t)
156 dev_rw_printer(cupsd_t)
157 dev_read_urand(cupsd_t)
158 dev_read_sysfs(cupsd_t)
159 dev_read_usbfs(cupsd_t)
160 dev_getattr_printer_dev(cupsd_t)
# Lets cupsd_t read the process state of all domains.
162 domain_read_all_domains_state(cupsd_t)
164 fs_getattr_all_fs(cupsd_t)
165 fs_search_auto_mountpoints(cupsd_t)
# MLS overrides: cupsd_t may downgrade files and read/write files and write
# sockets at all levels, which makes it a trusted subject on MLS systems.
# A compromise of the daemon therefore also bypasses the MLS level separation.
167 mls_file_downgrade(cupsd_t)
168 mls_file_write_all_levels(cupsd_t)
169 mls_file_read_all_levels(cupsd_t)
170 mls_socket_write_all_levels(cupsd_t)
172 term_use_unallocated_ttys(cupsd_t)
173 term_search_ptys(cupsd_t)
175 auth_domtrans_chk_passwd(cupsd_t)
176 auth_dontaudit_read_pam_pid(cupsd_t)
178 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
# The shell and generic binaries are executed in the caller's domain, so filter
# scripts run with the full cupsd_t permission set.
179 corecmd_exec_shell(cupsd_t)
180 corecmd_exec_bin(cupsd_t)
182 domain_use_interactive_fds(cupsd_t)
184 files_read_etc_files(cupsd_t)
185 files_read_etc_runtime_files(cupsd_t)
186 # read python modules
187 files_read_usr_files(cupsd_t)
188 # for /var/lib/defoma
189 files_search_var_lib(cupsd_t)
190 files_list_world_readable(cupsd_t)
191 files_read_world_readable_files(cupsd_t)
192 files_read_world_readable_symlinks(cupsd_t)
194 files_read_var_files(cupsd_t)
195 files_read_var_symlinks(cupsd_t)
197 files_dontaudit_write_etc_files(cupsd_t)
198 # smbspool seems to be iterating through all existing tmp files.
200 # cjp: this might be a broken behavior
201 files_dontaudit_getattr_all_tmp_files(cupsd_t)
# NOTE(review): together with the netlink_selinux_socket rule earlier in this
# section, this suggests cupsd computes SELinux access decisions itself - confirm.
203 selinux_compute_access_vector(cupsd_t)
205 init_exec_script_files(cupsd_t)
207 auth_use_nsswitch(cupsd_t)
209 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
210 libs_read_lib_files(cupsd_t)
212 logging_send_audit_msgs(cupsd_t)
213 logging_send_syslog_msg(cupsd_t)
215 miscfiles_read_localization(cupsd_t)
216 # invoking ghostscript needs to read fonts
217 miscfiles_read_fonts(cupsd_t)
219 seutil_read_config(cupsd_t)
221 sysnet_read_config(cupsd_t)
223 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
224 userdom_dontaudit_search_user_home_content(cupsd_t)
226 # Write to /var/spool/cups.
227 lpd_manage_spool(cupsd_t)
# NOTE(review): from here on the original line numbers jump by three or four
# between calls, which suggests each call is wrapped in a block (likely
# optional_policy) that this listing omits - confirm against the full file.
230 lpd_relabel_spool(cupsd_t)
234 apm_domtrans_client(cupsd_t)
# cron_system_entry and inetd_core_service_domain (below) add further ways for
# cupsd_exec_t to be started in cupsd_t, besides the init daemon declaration.
238 cron_system_entry(cupsd_t, cupsd_exec_t)
242 dbus_system_bus_client(cupsd_t)
244 userdom_dbus_send_all_users(cupsd_t)
247 hal_dbus_chat(cupsd_t)
252 hostname_exec(cupsd_t)
256 inetd_core_service_domain(cupsd_t, cupsd_exec_t)
260 logrotate_domtrans(cupsd_t)
264 # cups execs smbtool which reads samba_etc_t files
265 samba_read_config(cupsd_t)
# Read/write access to Samba's var files, in addition to the config read above.
266 samba_rw_var_files(cupsd_t)
270 seutil_sigchld_newrole(cupsd_t)
274 udev_read_db(cupsd_t)
277 ########################################
279 # Cups configuration daemon local policy
# cupsd_config_t rules: the domain that edits the CUPS configuration, signals
# cupsd_t, and talks to it over the CUPS stream socket.
# sys_tty_config is both allowed and dontaudit'ed here; the dontaudit has no
# effect while the allow rule is present.
282 allow cupsd_config_t self:capability { chown sys_tty_config };
283 dontaudit cupsd_config_t self:capability sys_tty_config;
284 allow cupsd_config_t self:process signal_perms;
285 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
286 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
287 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
288 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
# May send the generic `signal` permission to cupsd_t and read its process state.
290 allow cupsd_config_t cupsd_t:process signal;
291 ps_process_pattern(cupsd_config_t, cupsd_t)
# Manage access to both config types. cupsd_t itself only gets read (plus
# setattr) on cupsd_etc_t, so this domain is the writer of the main CUPS
# configuration and needs to be at least as trusted as the daemon that reads it.
293 manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
294 manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
295 filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
297 manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
298 manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
299 files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
301 can_exec(cupsd_config_t, cupsd_config_exec_t)
303 allow cupsd_config_t cupsd_log_t:file rw_file_perms;
# NOTE(review): the transition below covers { file dir } but only file manage
# permissions on cupsd_tmp_t are granted in this section - confirm whether
# directory creation is expected to work.
305 allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
306 files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
308 allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
310 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
311 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
313 kernel_read_system_state(cupsd_config_t)
314 kernel_read_kernel_sysctls(cupsd_config_t)
# Network: TCP only, but outbound connections are allowed to every port.
316 corenet_all_recvfrom_unlabeled(cupsd_config_t)
317 corenet_all_recvfrom_netlabel(cupsd_config_t)
318 corenet_tcp_sendrecv_all_if(cupsd_config_t)
319 corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
320 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
321 corenet_tcp_connect_all_ports(cupsd_config_t)
322 corenet_sendrecv_all_client_packets(cupsd_config_t)
324 dev_read_sysfs(cupsd_config_t)
325 dev_read_urand(cupsd_config_t)
326 dev_read_rand(cupsd_config_t)
328 fs_getattr_all_fs(cupsd_config_t)
329 fs_search_auto_mountpoints(cupsd_config_t)
# Binaries and the shell run in the caller's domain (no transition).
331 corecmd_exec_bin(cupsd_config_t)
332 corecmd_exec_shell(cupsd_config_t)
334 domain_use_interactive_fds(cupsd_config_t)
335 # killall causes the following
336 domain_dontaudit_search_all_domains_state(cupsd_config_t)
338 files_read_usr_files(cupsd_config_t)
339 files_read_etc_files(cupsd_config_t)
340 files_read_etc_runtime_files(cupsd_config_t)
341 files_read_var_symlinks(cupsd_config_t)
343 # Alternatives asks for this
344 init_getattr_script_files(cupsd_config_t)
346 auth_use_nsswitch(cupsd_config_t)
348 logging_send_syslog_msg(cupsd_config_t)
350 miscfiles_read_localization(cupsd_config_t)
352 seutil_dontaudit_search_config(cupsd_config_t)
354 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
355 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
357 cups_stream_connect(cupsd_config_t)
359 lpd_read_config(cupsd_config_t)
# NOTE(review): the closing of this ifdef is not visible in the listing, so it
# is unclear which of the following calls are Red Hat-only. The first call
# repeats the unconditional init_getattr_script_files above, and rpm_read_db
# appears again further down; both repeats are redundant if the earlier
# instance is active.
361 ifdef(`distro_redhat',`
362 init_getattr_script_files(cupsd_config_t)
365 rpm_read_db(cupsd_config_t)
370 cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
374 dbus_system_bus_client(cupsd_config_t)
375 dbus_connect_system_bus(cupsd_config_t)
378 hal_dbus_chat(cupsd_config_t)
# hal_domtrans: by its name, lets this domain run the HAL daemon program with a
# transition into the HAL domain - confirm against the hal module.
383 hal_domtrans(cupsd_config_t)
384 hal_read_tmp_files(cupsd_config_t)
388 hostname_exec(cupsd_config_t)
392 logrotate_use_fds(cupsd_config_t)
396 rpm_read_db(cupsd_config_t)
400 seutil_sigchld_newrole(cupsd_config_t)
404 udev_read_db(cupsd_config_t)
407 ########################################
# cupsd_lpd_t local policy: the LPD front end, registered as an inetd service
# at the end of this section, that forwards to cupsd over the CUPS socket and
# the IPP port.
412 allow cupsd_lpd_t self:process signal_perms;
413 allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
# connected_stream_socket_perms rather than create_stream_socket_perms: the TCP
# socket is expected to arrive already connected.
414 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
415 allow cupsd_lpd_t self:udp_socket create_socket_perms;
418 # cjp: this should probably only be inetd_child rules?
419 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
420 allow cupsd_lpd_t self:capability { setuid setgid };
421 files_search_home(cupsd_lpd_t)
423 kerberos_use(cupsd_lpd_t)
# Read-only view of both CUPS config types; no write access to either.
427 allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
428 read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
429 read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
431 allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
432 read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
433 read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
# Private tmp and pid types, kept separate from the cupsd_t ones.
435 manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
436 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
437 files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
439 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
440 files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
442 kernel_read_kernel_sysctls(cupsd_lpd_t)
443 kernel_read_system_state(cupsd_lpd_t)
444 kernel_read_network_state(cupsd_lpd_t)
446 corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
447 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
448 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
449 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
450 corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
451 corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
452 corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
453 corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
454 corenet_tcp_bind_all_nodes(cupsd_lpd_t)
455 corenet_udp_bind_all_nodes(cupsd_lpd_t)
# Outbound TCP connect is limited to the IPP port, unlike cupsd_t and
# cupsd_config_t, which may connect to all ports.
456 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
458 dev_read_urand(cupsd_lpd_t)
459 dev_read_rand(cupsd_lpd_t)
461 fs_getattr_xattr_fs(cupsd_lpd_t)
463 files_read_etc_files(cupsd_lpd_t)
465 auth_use_nsswitch(cupsd_lpd_t)
467 logging_send_syslog_msg(cupsd_lpd_t)
469 miscfiles_read_localization(cupsd_lpd_t)
471 cups_stream_connect(cupsd_lpd_t)
474 inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
477 ########################################
# hplip_t local policy: the HPLIP daemon domain, with raw network sockets,
# printer and USB device access, and a connection to cupsd.
482 # Needed for USB Scanner and xsane
# dac_override and dac_read_search bypass ordinary file-permission checks;
# net_raw pairs with the rawip_socket rule further down.
483 allow hplip_t self:capability { dac_override dac_read_search net_raw };
484 dontaudit hplip_t self:capability sys_tty_config;
485 allow hplip_t self:fifo_file rw_fifo_file_perms;
486 allow hplip_t self:process signal_perms;
487 allow hplip_t self:unix_dgram_socket create_socket_perms;
488 allow hplip_t self:unix_stream_socket create_socket_perms;
489 allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
490 allow hplip_t self:tcp_socket create_stream_socket_perms;
491 allow hplip_t self:udp_socket create_socket_perms;
492 allow hplip_t self:rawip_socket create_socket_perms;
# Only directory search on cupsd_etc_t; no read of CUPS config files is granted
# in this section.
494 allow hplip_t cupsd_etc_t:dir search;
496 cups_stream_connect(hplip_t)
498 allow hplip_t hplip_etc_t:dir list_dir_perms;
499 read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
500 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
501 files_search_etc(hplip_t)
503 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
504 files_pid_filetrans(hplip_t, hplip_var_run_t, file)
506 kernel_read_system_state(hplip_t)
507 kernel_read_kernel_sysctls(hplip_t)
# Network: binds the hplip port; outbound TCP connect is limited to the hplip
# and IPP ports.
509 corenet_all_recvfrom_unlabeled(hplip_t)
510 corenet_all_recvfrom_netlabel(hplip_t)
511 corenet_tcp_sendrecv_all_if(hplip_t)
512 corenet_udp_sendrecv_all_if(hplip_t)
513 corenet_raw_sendrecv_all_if(hplip_t)
514 corenet_tcp_sendrecv_all_nodes(hplip_t)
515 corenet_udp_sendrecv_all_nodes(hplip_t)
516 corenet_raw_sendrecv_all_nodes(hplip_t)
517 corenet_tcp_sendrecv_all_ports(hplip_t)
518 corenet_udp_sendrecv_all_ports(hplip_t)
519 corenet_tcp_bind_all_nodes(hplip_t)
520 corenet_udp_bind_all_nodes(hplip_t)
521 corenet_tcp_bind_hplip_port(hplip_t)
522 corenet_tcp_connect_hplip_port(hplip_t)
523 corenet_tcp_connect_ipp_port(hplip_t)
524 corenet_sendrecv_hplip_client_packets(hplip_t)
525 corenet_receive_hplip_server_packets(hplip_t)
527 dev_read_sysfs(hplip_t)
528 dev_rw_printer(hplip_t)
529 dev_read_urand(hplip_t)
530 dev_read_rand(hplip_t)
# NOTE(review): read/write on generic USB device nodes is not specific to
# printers or scanners; it reaches any USB device carrying the generic label.
531 dev_rw_generic_usb_dev(hplip_t)
532 dev_read_usbfs(hplip_t)
534 fs_getattr_all_fs(hplip_t)
535 fs_search_auto_mountpoints(hplip_t)
538 corecmd_exec_bin(hplip_t)
540 domain_use_interactive_fds(hplip_t)
542 files_read_etc_files(hplip_t)
543 files_read_etc_runtime_files(hplip_t)
544 files_read_usr_files(hplip_t)
546 logging_send_syslog_msg(hplip_t)
548 miscfiles_read_localization(hplip_t)
550 sysnet_read_config(hplip_t)
552 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
553 userdom_dontaudit_search_user_home_dirs(hplip_t)
554 userdom_dontaudit_search_user_home_content(hplip_t)
# NOTE(review): this call sits in the hplip_t section but grants to cupsd_t.
# Confirm whether hplip_t was intended; as written, hplip_t gets no lpd config
# access from this line and cupsd_t gains it.
556 lpd_read_config(cupsd_t)
559 dbus_system_bus_client(hplip_t)
563 seutil_sigchld_newrole(hplip_t)
567 snmp_read_snmp_var_lib_files(hplip_t)
571 udev_read_db(hplip_t)
574 ########################################
# ptal_t local policy: the PTAL daemon domain, which owns the objects under
# ptal_var_run_t (including the socket cupsd_t connects to), binds the ptal
# port and reads/writes printer devices.
# NOTE(review): sys_rawio grants raw I/O access and is a broad capability;
# nothing visible in this section documents why it is needed - confirm.
579 allow ptal_t self:capability { chown sys_rawio };
580 dontaudit ptal_t self:capability sys_tty_config;
581 allow ptal_t self:fifo_file rw_fifo_file_perms;
582 allow ptal_t self:unix_dgram_socket create_socket_perms;
583 allow ptal_t self:unix_stream_socket create_stream_socket_perms;
584 allow ptal_t self:tcp_socket create_stream_socket_perms;
# Read-only access to its own configuration type.
586 allow ptal_t ptal_etc_t:dir list_dir_perms;
587 read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
588 read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
589 files_search_etc(ptal_t)
# Full manage access to every object class under ptal_var_run_t, with a type
# transition so anything ptal_t creates in the pid directory gets that type.
591 manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
592 manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
593 manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
594 manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
595 manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
596 files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file })
598 kernel_read_kernel_sysctls(ptal_t)
599 kernel_list_proc(ptal_t)
600 kernel_read_proc_symlinks(ptal_t)
# Network: TCP only; binds the ptal port. No outbound connect interface is
# called in this section.
602 corenet_all_recvfrom_unlabeled(ptal_t)
603 corenet_all_recvfrom_netlabel(ptal_t)
604 corenet_tcp_sendrecv_all_if(ptal_t)
605 corenet_tcp_sendrecv_all_nodes(ptal_t)
606 corenet_tcp_sendrecv_all_ports(ptal_t)
607 corenet_tcp_bind_all_nodes(ptal_t)
608 corenet_tcp_bind_ptal_port(ptal_t)
610 dev_read_sysfs(ptal_t)
611 dev_read_usbfs(ptal_t)
612 dev_rw_printer(ptal_t)
614 fs_getattr_all_fs(ptal_t)
615 fs_search_auto_mountpoints(ptal_t)
617 domain_use_interactive_fds(ptal_t)
619 files_read_etc_files(ptal_t)
620 files_read_etc_runtime_files(ptal_t)
622 logging_send_syslog_msg(ptal_t)
624 miscfiles_read_localization(ptal_t)
626 sysnet_read_config(ptal_t)
628 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
629 userdom_dontaudit_search_user_home_content(ptal_t)
632 seutil_sigchld_newrole(ptal_t)