2 policy_module(cups, 1.13.1)
4 ########################################
10 type cupsd_config_exec_t;
11 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
13 type cupsd_config_var_run_t;
14 files_pid_file(cupsd_config_var_run_t)
18 init_daemon_domain(cupsd_t, cupsd_exec_t)
21 files_config_file(cupsd_etc_t)
23 type cupsd_initrc_exec_t;
24 init_script_file(cupsd_initrc_exec_t)
26 type cupsd_interface_t;
27 files_type(cupsd_interface_t)
30 files_config_file(cupsd_rw_etc_t)
33 files_lock_file(cupsd_lock_t)
36 logging_log_file(cupsd_log_t)
39 type cupsd_lpd_exec_t;
40 domain_type(cupsd_lpd_t)
41 domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
42 role system_r types cupsd_lpd_t;
45 files_tmp_file(cupsd_lpd_tmp_t)
47 type cupsd_lpd_var_run_t;
48 files_pid_file(cupsd_lpd_var_run_t)
52 cups_backend(cups_pdf_t, cups_pdf_exec_t)
55 files_tmp_file(cups_pdf_tmp_t)
58 files_tmp_file(cupsd_tmp_t)
61 files_pid_file(cupsd_var_run_t)
62 mls_trusted_object(cupsd_var_run_t)
66 init_daemon_domain(hplip_t, hplip_exec_t)
67 # For CUPS to run as a backend
68 cups_backend(hplip_t, hplip_exec_t)
71 files_config_file(hplip_etc_t)
74 files_tmp_file(hplip_tmp_t)
77 files_type(hplip_var_lib_t)
80 files_pid_file(hplip_var_run_t)
84 init_daemon_domain(ptal_t, ptal_exec_t)
87 files_config_file(ptal_etc_t)
90 files_pid_file(ptal_var_run_t)
93 init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
97 init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
100 ########################################
105 # /usr/lib/cups/backend/serial needs sys_admin(?!)
106 allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
107 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
108 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
109 allow cupsd_t self:fifo_file rw_fifo_file_perms;
110 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
111 allow cupsd_t self:unix_dgram_socket create_socket_perms;
112 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
113 allow cupsd_t self:shm create_shm_perms;
114 allow cupsd_t self:sem create_sem_perms;
115 allow cupsd_t self:tcp_socket create_stream_socket_perms;
116 allow cupsd_t self:udp_socket create_socket_perms;
117 allow cupsd_t self:appletalk_socket create_socket_perms;
118 # generic socket here until appletalk socket is available in kernels
119 allow cupsd_t self:socket create_socket_perms;
121 allow cupsd_t cupsd_etc_t:{ dir file } setattr;
122 read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
123 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
124 files_search_etc(cupsd_t)
126 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
128 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
129 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
130 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
131 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
133 # allow cups to execute its backend scripts
134 can_exec(cupsd_t, cupsd_exec_t)
135 allow cupsd_t cupsd_exec_t:dir search_dir_perms;
136 allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
138 allow cupsd_t cupsd_lock_t:file manage_file_perms;
139 files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
141 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
142 allow cupsd_t cupsd_log_t:dir setattr;
143 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
145 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
146 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
147 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
148 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
150 allow cupsd_t cupsd_var_run_t:dir setattr;
151 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
152 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
153 manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
154 files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
156 allow cupsd_t hplip_t:process { signal sigkill };
158 read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
160 allow cupsd_t hplip_var_run_t:file read_file_perms;
162 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
163 allow cupsd_t ptal_var_run_t : sock_file setattr;
165 kernel_read_system_state(cupsd_t)
166 kernel_read_network_state(cupsd_t)
167 kernel_read_all_sysctls(cupsd_t)
168 kernel_request_load_module(cupsd_t)
170 corenet_all_recvfrom_unlabeled(cupsd_t)
171 corenet_all_recvfrom_netlabel(cupsd_t)
172 corenet_tcp_sendrecv_generic_if(cupsd_t)
173 corenet_udp_sendrecv_generic_if(cupsd_t)
174 corenet_raw_sendrecv_generic_if(cupsd_t)
175 corenet_tcp_sendrecv_generic_node(cupsd_t)
176 corenet_udp_sendrecv_generic_node(cupsd_t)
177 corenet_raw_sendrecv_generic_node(cupsd_t)
178 corenet_tcp_sendrecv_all_ports(cupsd_t)
179 corenet_udp_sendrecv_all_ports(cupsd_t)
180 corenet_tcp_bind_generic_node(cupsd_t)
181 corenet_udp_bind_generic_node(cupsd_t)
182 corenet_tcp_bind_ipp_port(cupsd_t)
183 corenet_udp_bind_ipp_port(cupsd_t)
184 corenet_udp_bind_howl_port(cupsd_t)
185 corenet_tcp_bind_reserved_port(cupsd_t)
186 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
187 corenet_tcp_bind_all_rpc_ports(cupsd_t)
188 corenet_tcp_connect_all_ports(cupsd_t)
189 corenet_sendrecv_hplip_client_packets(cupsd_t)
190 corenet_sendrecv_ipp_client_packets(cupsd_t)
191 corenet_sendrecv_ipp_server_packets(cupsd_t)
193 dev_rw_printer(cupsd_t)
194 dev_read_urand(cupsd_t)
195 dev_read_sysfs(cupsd_t)
196 dev_rw_input_dev(cupsd_t) #447878
197 dev_rw_generic_usb_dev(cupsd_t)
198 dev_rw_usbfs(cupsd_t)
199 dev_getattr_printer_dev(cupsd_t)
201 domain_read_all_domains_state(cupsd_t)
203 fs_getattr_all_fs(cupsd_t)
204 fs_search_auto_mountpoints(cupsd_t)
205 fs_search_fusefs(cupsd_t)
206 fs_read_anon_inodefs_files(cupsd_t)
208 mls_file_downgrade(cupsd_t)
209 mls_file_write_all_levels(cupsd_t)
210 mls_file_read_all_levels(cupsd_t)
211 mls_rangetrans_target(cupsd_t)
212 mls_socket_write_all_levels(cupsd_t)
213 mls_fd_use_all_levels(cupsd_t)
215 term_use_unallocated_ttys(cupsd_t)
216 term_search_ptys(cupsd_t)
218 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
219 corecmd_exec_shell(cupsd_t)
220 corecmd_exec_bin(cupsd_t)
222 domain_use_interactive_fds(cupsd_t)
224 files_list_spool(cupsd_t)
225 files_read_etc_files(cupsd_t)
226 files_read_etc_runtime_files(cupsd_t)
227 # read python modules
228 files_read_usr_files(cupsd_t)
229 # for /var/lib/defoma
230 files_read_var_lib_files(cupsd_t)
231 files_list_world_readable(cupsd_t)
232 files_read_world_readable_files(cupsd_t)
233 files_read_world_readable_symlinks(cupsd_t)
235 files_read_var_files(cupsd_t)
236 files_read_var_symlinks(cupsd_t)
238 files_dontaudit_write_etc_files(cupsd_t)
239 # smbspool seems to be iterating through all existing tmp files.
241 # cjp: this might be a broken behavior
242 files_dontaudit_getattr_all_tmp_files(cupsd_t)
244 selinux_compute_access_vector(cupsd_t)
245 selinux_validate_context(cupsd_t)
247 init_exec_script_files(cupsd_t)
248 init_read_utmp(cupsd_t)
250 auth_domtrans_chk_passwd(cupsd_t)
251 auth_dontaudit_read_pam_pid(cupsd_t)
252 auth_rw_faillog(cupsd_t)
253 auth_use_nsswitch(cupsd_t)
255 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
256 libs_read_lib_files(cupsd_t)
257 libs_exec_lib_files(cupsd_t)
259 logging_send_audit_msgs(cupsd_t)
260 logging_send_syslog_msg(cupsd_t)
262 miscfiles_read_localization(cupsd_t)
263 # invoking ghostscript needs to read fonts
264 miscfiles_read_fonts(cupsd_t)
265 miscfiles_setattr_fonts_cache_dirs(cupsd_t)
267 seutil_read_config(cupsd_t)
268 sysnet_exec_ifconfig(cupsd_t)
270 files_dontaudit_list_home(cupsd_t)
271 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
272 userdom_dontaudit_search_user_home_content(cupsd_t)
274 # Write to /var/spool/cups.
275 lpd_manage_spool(cupsd_t)
276 lpd_read_config(cupsd_t)
277 lpd_exec_lpr(cupsd_t)
278 lpd_relabel_spool(cupsd_t)
281 apm_domtrans_client(cupsd_t)
285 cron_system_entry(cupsd_t, cupsd_exec_t)
289 dbus_system_bus_client(cupsd_t)
291 userdom_dbus_send_all_users(cupsd_t)
294 avahi_dbus_chat(cupsd_t)
298 hal_dbus_chat(cupsd_t)
302 unconfined_dbus_chat(cupsd_t)
307 hostname_exec(cupsd_t)
311 inetd_core_service_domain(cupsd_t, cupsd_exec_t)
315 logrotate_domtrans(cupsd_t)
319 mta_send_mail(cupsd_t)
323 # cups execs smbtool which reads samba_etc_t files
324 samba_read_config(cupsd_t)
325 samba_rw_var_files(cupsd_t)
329 seutil_sigchld_newrole(cupsd_t)
333 snmp_read_snmp_var_lib_files(cupsd_t)
337 udev_read_db(cupsd_t)
340 ########################################
342 # Cups configuration daemon local policy
345 allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
346 dontaudit cupsd_config_t self:capability sys_tty_config;
347 allow cupsd_config_t self:process { getsched signal_perms };
348 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
349 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
350 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
351 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
353 allow cupsd_config_t cupsd_t:process signal;
354 ps_process_pattern(cupsd_config_t, cupsd_t)
356 manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
357 manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
358 filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
360 manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
361 manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
362 files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
364 can_exec(cupsd_config_t, cupsd_config_exec_t)
366 allow cupsd_config_t cupsd_log_t:file rw_file_perms;
368 manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
369 manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
370 manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
371 files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
373 allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
375 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
376 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
378 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
380 read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
382 kernel_read_system_state(cupsd_config_t)
383 kernel_read_all_sysctls(cupsd_config_t)
385 corenet_all_recvfrom_unlabeled(cupsd_config_t)
386 corenet_all_recvfrom_netlabel(cupsd_config_t)
387 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
388 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
389 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
390 corenet_tcp_connect_all_ports(cupsd_config_t)
391 corenet_sendrecv_all_client_packets(cupsd_config_t)
393 dev_read_sysfs(cupsd_config_t)
394 dev_read_urand(cupsd_config_t)
395 dev_read_rand(cupsd_config_t)
396 dev_rw_generic_usb_dev(cupsd_config_t)
398 files_search_all_mountpoints(cupsd_config_t)
400 fs_getattr_all_fs(cupsd_config_t)
401 fs_search_auto_mountpoints(cupsd_config_t)
403 corecmd_exec_bin(cupsd_config_t)
404 corecmd_exec_shell(cupsd_config_t)
406 domain_use_interactive_fds(cupsd_config_t)
407 # killall causes the following
408 domain_dontaudit_search_all_domains_state(cupsd_config_t)
410 files_read_usr_files(cupsd_config_t)
411 files_read_etc_files(cupsd_config_t)
412 files_read_etc_runtime_files(cupsd_config_t)
413 files_read_var_symlinks(cupsd_config_t)
415 # Alternatives asks for this
416 init_getattr_all_script_files(cupsd_config_t)
418 auth_use_nsswitch(cupsd_config_t)
420 logging_send_syslog_msg(cupsd_config_t)
422 miscfiles_read_localization(cupsd_config_t)
423 miscfiles_read_hwdata(cupsd_config_t)
425 seutil_dontaudit_search_config(cupsd_config_t)
427 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
428 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
430 cups_stream_connect(cupsd_config_t)
432 lpd_read_config(cupsd_config_t)
434 ifdef(`distro_redhat',`
436 rpm_read_db(cupsd_config_t)
441 term_use_generic_ptys(cupsd_config_t)
445 cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
449 dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
452 hal_dbus_chat(cupsd_config_t)
457 hal_domtrans(cupsd_config_t)
458 hal_read_tmp_files(cupsd_config_t)
459 hal_dontaudit_use_fds(hplip_t)
463 hostname_exec(cupsd_config_t)
467 logrotate_use_fds(cupsd_config_t)
471 policykit_dbus_chat(cupsd_config_t)
472 userdom_read_all_users_state(cupsd_config_t)
476 rpm_read_db(cupsd_config_t)
480 seutil_sigchld_newrole(cupsd_config_t)
484 udev_read_db(cupsd_config_t)
488 unconfined_stream_connect(cupsd_config_t)
491 ########################################
496 allow cupsd_lpd_t self:process signal_perms;
497 allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
498 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
499 allow cupsd_lpd_t self:udp_socket create_socket_perms;
502 # cjp: this should probably only be inetd_child rules?
503 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
504 allow cupsd_lpd_t self:capability { setuid setgid };
505 files_search_home(cupsd_lpd_t)
507 kerberos_use(cupsd_lpd_t)
511 allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
512 read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
513 read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
515 allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
516 read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
517 read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
519 manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
520 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
521 files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
523 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
524 files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
526 kernel_read_kernel_sysctls(cupsd_lpd_t)
527 kernel_read_system_state(cupsd_lpd_t)
528 kernel_read_network_state(cupsd_lpd_t)
530 corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
531 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
532 corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
533 corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
534 corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
535 corenet_udp_sendrecv_generic_node(cupsd_lpd_t)
536 corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
537 corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
538 corenet_tcp_bind_generic_node(cupsd_lpd_t)
539 corenet_udp_bind_generic_node(cupsd_lpd_t)
540 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
542 dev_read_urand(cupsd_lpd_t)
543 dev_read_rand(cupsd_lpd_t)
545 fs_getattr_xattr_fs(cupsd_lpd_t)
547 files_read_etc_files(cupsd_lpd_t)
549 auth_use_nsswitch(cupsd_lpd_t)
551 logging_send_syslog_msg(cupsd_lpd_t)
553 miscfiles_read_localization(cupsd_lpd_t)
554 miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
556 cups_stream_connect(cupsd_lpd_t)
559 inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
562 ########################################
564 # cups_pdf local policy
567 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
568 allow cups_pdf_t self:fifo_file rw_file_perms;
569 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
571 manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
573 manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
574 manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
575 files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
577 fs_rw_anon_inodefs_files(cups_pdf_t)
579 kernel_read_system_state(cups_pdf_t)
581 files_read_etc_files(cups_pdf_t)
582 files_read_usr_files(cups_pdf_t)
584 corecmd_exec_shell(cups_pdf_t)
585 corecmd_exec_bin(cups_pdf_t)
587 auth_use_nsswitch(cups_pdf_t)
589 miscfiles_read_localization(cups_pdf_t)
590 miscfiles_read_fonts(cups_pdf_t)
592 userdom_home_filetrans_user_home_dir(cups_pdf_t)
593 userdom_manage_user_home_content_dirs(cups_pdf_t)
594 userdom_manage_user_home_content_files(cups_pdf_t)
596 lpd_manage_spool(cups_pdf_t)
599 tunable_policy(`use_nfs_home_dirs',`
600 fs_search_auto_mountpoints(cups_pdf_t)
601 fs_manage_nfs_dirs(cups_pdf_t)
602 fs_manage_nfs_files(cups_pdf_t)
605 tunable_policy(`use_samba_home_dirs',`
606 fs_manage_cifs_dirs(cups_pdf_t)
607 fs_manage_cifs_files(cups_pdf_t)
610 ########################################
615 # Needed for USB Scanneer and xsane
616 allow hplip_t self:capability { dac_override dac_read_search net_raw };
617 dontaudit hplip_t self:capability sys_tty_config;
618 allow hplip_t self:fifo_file rw_fifo_file_perms;
619 allow hplip_t self:process signal_perms;
620 allow hplip_t self:unix_dgram_socket create_socket_perms;
621 allow hplip_t self:unix_stream_socket create_socket_perms;
622 allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
623 allow hplip_t self:tcp_socket create_stream_socket_perms;
624 allow hplip_t self:udp_socket create_socket_perms;
625 allow hplip_t self:rawip_socket create_socket_perms;
627 allow hplip_t cupsd_etc_t:dir search_dir_perms;
628 manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
629 manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
630 files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
632 cups_stream_connect(hplip_t)
634 allow hplip_t hplip_etc_t:dir list_dir_perms;
635 read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
636 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
637 files_search_etc(hplip_t)
639 manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
640 manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
642 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
643 files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
645 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
646 files_pid_filetrans(hplip_t, hplip_var_run_t, file)
648 kernel_read_system_state(hplip_t)
649 kernel_read_kernel_sysctls(hplip_t)
651 corenet_all_recvfrom_unlabeled(hplip_t)
652 corenet_all_recvfrom_netlabel(hplip_t)
653 corenet_tcp_sendrecv_generic_if(hplip_t)
654 corenet_udp_sendrecv_generic_if(hplip_t)
655 corenet_raw_sendrecv_generic_if(hplip_t)
656 corenet_tcp_sendrecv_generic_node(hplip_t)
657 corenet_udp_sendrecv_generic_node(hplip_t)
658 corenet_raw_sendrecv_generic_node(hplip_t)
659 corenet_tcp_sendrecv_all_ports(hplip_t)
660 corenet_udp_sendrecv_all_ports(hplip_t)
661 corenet_tcp_bind_generic_node(hplip_t)
662 corenet_udp_bind_generic_node(hplip_t)
663 corenet_tcp_bind_hplip_port(hplip_t)
664 corenet_tcp_connect_hplip_port(hplip_t)
665 corenet_tcp_connect_ipp_port(hplip_t)
666 corenet_sendrecv_hplip_client_packets(hplip_t)
667 corenet_receive_hplip_server_packets(hplip_t)
668 corenet_udp_bind_howl_port(hplip_t)
670 dev_read_sysfs(hplip_t)
671 dev_rw_printer(hplip_t)
672 dev_read_urand(hplip_t)
673 dev_read_rand(hplip_t)
674 dev_rw_generic_usb_dev(hplip_t)
675 dev_rw_usbfs(hplip_t)
677 fs_getattr_all_fs(hplip_t)
678 fs_search_auto_mountpoints(hplip_t)
679 fs_rw_anon_inodefs_files(hplip_t)
682 corecmd_exec_bin(hplip_t)
684 domain_use_interactive_fds(hplip_t)
686 files_read_etc_files(hplip_t)
687 files_read_etc_runtime_files(hplip_t)
688 files_read_usr_files(hplip_t)
690 logging_send_syslog_msg(hplip_t)
692 miscfiles_read_localization(hplip_t)
694 sysnet_read_config(hplip_t)
696 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
697 userdom_dontaudit_search_user_home_dirs(hplip_t)
698 userdom_dontaudit_search_user_home_content(hplip_t)
700 lpd_read_config(hplip_t)
701 lpd_manage_spool(hplip_t)
704 dbus_system_bus_client(hplip_t)
708 seutil_sigchld_newrole(hplip_t)
712 snmp_read_snmp_var_lib_files(hplip_t)
716 udev_read_db(hplip_t)
719 ########################################
724 allow ptal_t self:capability { chown sys_rawio };
725 dontaudit ptal_t self:capability sys_tty_config;
726 allow ptal_t self:fifo_file rw_fifo_file_perms;
727 allow ptal_t self:unix_dgram_socket create_socket_perms;
728 allow ptal_t self:unix_stream_socket create_stream_socket_perms;
729 allow ptal_t self:tcp_socket create_stream_socket_perms;
731 allow ptal_t ptal_etc_t:dir list_dir_perms;
732 read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
733 read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
734 files_search_etc(ptal_t)
736 manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
737 manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
738 manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
739 manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
740 manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
741 files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file })
743 kernel_read_kernel_sysctls(ptal_t)
744 kernel_list_proc(ptal_t)
745 kernel_read_proc_symlinks(ptal_t)
747 corenet_all_recvfrom_unlabeled(ptal_t)
748 corenet_all_recvfrom_netlabel(ptal_t)
749 corenet_tcp_sendrecv_generic_if(ptal_t)
750 corenet_tcp_sendrecv_generic_node(ptal_t)
751 corenet_tcp_sendrecv_all_ports(ptal_t)
752 corenet_tcp_bind_generic_node(ptal_t)
753 corenet_tcp_bind_ptal_port(ptal_t)
755 dev_read_sysfs(ptal_t)
756 dev_read_usbfs(ptal_t)
757 dev_rw_printer(ptal_t)
759 fs_getattr_all_fs(ptal_t)
760 fs_search_auto_mountpoints(ptal_t)
762 domain_use_interactive_fds(ptal_t)
764 files_read_etc_files(ptal_t)
765 files_read_etc_runtime_files(ptal_t)
767 logging_send_syslog_msg(ptal_t)
769 miscfiles_read_localization(ptal_t)
771 sysnet_read_config(ptal_t)
773 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
774 userdom_dontaudit_search_user_home_content(ptal_t)
777 seutil_sigchld_newrole(ptal_t)
projects / people / stevee / selinux-policy.git / blob