1 ## <summary>Line printer daemon</summary>
3 ########################################
12 ## <param name="domain">
14 ## User domain for the role
18 interface(`lpd_role',`
# The visible rules use the second argument as the user domain. The
# documentation for the first argument is not part of this listing.
20 type lpr_t, lpr_exec_t, print_spool_t;
25 # Transition from the user domain to lpr_t when lpr_exec_t is executed.
26 domtrans_pattern($2, lpr_exec_t, lpr_t)
# dontaudit only keeps the denial out of the audit log: lpr_t still
# cannot read or write unix stream sockets of the user domain
# (presumably descriptors inherited across the transition - confirm).
# Rebuild the policy with semodule -DB when these denials are needed
# for debugging.
27 dontaudit lpr_t $2:unix_stream_socket { read write };
# Let the user domain see lpr_t processes and probe them with signull,
# which checks that a process exists without delivering a signal.
29 ps_process_pattern($2, lpr_t)
30 allow $2 lpr_t:process signull;
37 ########################################
39 ## Execute checkpc in the checkpc domain.
41 ## <param name="domain">
43 ## Domain allowed to transition.
47 interface(`lpd_domtrans_checkpc',`
# Grants only the transition into checkpc_t on executing checkpc_exec_t.
# Role authorization is not part of this interface; lpd_run_checkpc
# adds it.
49 type checkpc_t, checkpc_exec_t;
52 domtrans_pattern($1, checkpc_exec_t, checkpc_t)
55 ########################################
57 ## Execute checkpc in the checkpc domain, and
58 ## allow the specified role the checkpc domain.
60 ## <param name="domain">
62 ## Domain allowed to transition.
65 ## <param name="role">
67 ## Role allowed access.
72 interface(`lpd_run_checkpc',`
# First argument is the transitioning domain, second argument the role.
77 lpd_domtrans_checkpc($1)
# Authorize checkpc_t for the role so that the context reached by the
# transition is valid for that role.
78 role $2 types checkpc_t;
81 ########################################
83 ## List the contents of the printer spool directories.
85 ## <param name="domain">
87 ## Domain allowed access.
91 interface(`lpd_list_spool',`
# Directory listing only: no rule visible here lets the caller read the
# print_spool_t files themselves.
96 files_search_spool($1)
97 allow $1 print_spool_t:dir list_dir_perms;
100 ########################################
102 ## Read the printer spool files.
104 ## <param name="domain">
106 ## Domain allowed access.
110 interface(`lpd_read_spool',`
# NOTE(review): spool files presumably hold queued job data, so this
# interface exposes document contents to the caller - grant it narrowly.
115 files_search_spool($1)
116 read_files_pattern($1, print_spool_t, print_spool_t)
119 ########################################
121 ## Create, read, write, and delete printer spool files.
123 ## <param name="domain">
125 ## Domain allowed access.
129 interface(`lpd_manage_spool',`
# Full management of print_spool_t directories, files and symbolic
# links. A caller with this access can replace or remove any spooled
# object, including links inside the spool tree, so reserve it for
# trusted spooler components.
134 files_search_spool($1)
135 manage_dirs_pattern($1, print_spool_t, print_spool_t)
136 manage_files_pattern($1, print_spool_t, print_spool_t)
137 manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
140 ########################################
142 ## Relabel printer spool files (relabelfrom and relabelto).
144 ## <param name="domain">
146 ## Domain allowed access.
150 interface(`lpd_relabel_spool',`
# Covers the file class only: the visible rule does not make
# print_spool_t directories or symbolic links relabelable.
155 files_search_spool($1)
156 allow $1 print_spool_t:file { relabelto relabelfrom };
159 ########################################
161 ## List the printer configuration directories and read the files in them.
163 ## <param name="domain">
165 ## Domain allowed access.
170 interface(`lpd_read_config',`
# Read-only access to printconf_t: directory listing plus file reads.
# NOTE(review): unlike the spool interfaces, no search permission on a
# parent directory is granted in the visible lines - confirm that
# callers obtain it elsewhere.
175 allow $1 printconf_t:dir list_dir_perms;
176 read_files_pattern($1, printconf_t, printconf_t)
179 ########################################
181 ## Transition to a user lpr domain.
183 ## <param name="domain">
185 ## Domain allowed to transition.
189 template(`lpd_domtrans_lpr',`
# NOTE(review): declared with template, although the visible body only
# adds a transition into the fixed lpr_t type, as the sibling
# declarations made with interface do - confirm whether interface was
# intended.
191 type lpr_t, lpr_exec_t;
194 domtrans_pattern($1, lpr_exec_t, lpr_t)
197 ########################################
199 ## Allow the specified domain to execute lpr
200 ## in the caller domain.
202 ## <param name="domain">
204 ## Domain allowed access.
208 interface(`lpd_exec_lpr',`
# can_exec grants execution without a domain transition, so lpr runs
# with the permissions of the caller rather than those of lpr_t.
213 can_exec($1, lpr_exec_t)