Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
## <summary>Line printer daemon</summary>

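########################################
## <summary>
## Role access for lpd
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`lpd_role',`
	# Only the types this interface actually references are required.
	gen_require(`
		type lpr_t, lpr_exec_t;
	')

	# Authorize the role ($1) to be associated with the lpr client domain.
	role $1 types lpr_t;

	# Transition from the user domain to the derived domain.
	# (domtrans_pattern is a support macro defined outside this file.)
	domtrans_pattern($2, lpr_exec_t, lpr_t)

	# dontaudit does not grant access: lpr_t is still denied read/write on
	# the user domain's unix stream sockets, but the denial is not logged.
	# When investigating lpr_t behaviour, remember that these denials are
	# hidden unless dontaudit rules are disabled (semodule -DB).
	dontaudit lpr_t $2:unix_stream_socket { read write };

	# Let the user domain observe lpr_t processes and probe them with the
	# null signal (existence check only, no other signals are granted here).
	ps_process_pattern($2, lpr_t)
	allow $2 lpr_t:process signull;

	# Only takes effect when the cups module is part of the policy.
	optional_policy(`
		cups_read_config($2)
	')
')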
########################################
## <summary>
## Execute checkpc in the checkpc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`lpd_domtrans_checkpc',`
	gen_require(`
		type checkpc_t, checkpc_exec_t;
	')

	# checkpc_exec_t is the entry point file type and checkpc_t the target
	# domain of the transition granted to $1 (domtrans_pattern is a support
	# macro defined outside this file).
	# This interface does not authorize any role for checkpc_t; callers that
	# also need the role association use lpd_run_checkpc.
	domtrans_pattern($1, checkpc_exec_t, checkpc_t)
')
########################################
## <summary>
## Execute checkpc in the checkpc domain, and
## allow the specified role the checkpc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`lpd_run_checkpc',`
	gen_require(`
		type checkpc_t;
	')

	# Domain transition for $1 into checkpc_t.
	lpd_domtrans_checkpc($1)
	# Role authorization: without it a process running under role $2 could
	# not hold the checkpc_t type even though the transition is allowed.
	role $2 types checkpc_t;
')
########################################
## <summary>
## List the contents of the printer spool directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lpd_list_spool',`
	gen_require(`
		type print_spool_t;
	')

	# files_search_spool is defined outside this file; presumably it grants
	# search on the parent spool directory so print_spool_t can be reached.
	files_search_spool($1)
	# Directory listing only: no rule here lets $1 read the spool files
	# themselves, so job names are exposed but not job contents.
	allow $1 print_spool_t:dir list_dir_perms;
')
########################################
## <summary>
## Read the printer spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lpd_read_spool',`
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	# Read access to files labelled print_spool_t inside print_spool_t
	# directories. Spool files hold queued print data, so this exposes the
	# contents of pending jobs to $1; grant it only where that is intended.
	read_files_pattern($1, print_spool_t, print_spool_t)
')
########################################
## <summary>
## Create, read, write, and delete printer spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lpd_manage_spool',`
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	# Broadest spool interface in this file: manage access is granted on
	# directories, regular files and symbolic links labelled print_spool_t.
	# A caller can therefore alter or remove queued print data, not just
	# read it; prefer lpd_list_spool or lpd_read_spool when $1 does not
	# need to write.
	manage_dirs_pattern($1, print_spool_t, print_spool_t)
	manage_files_pattern($1, print_spool_t, print_spool_t)
	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
')
########################################
## <summary>
## Relabel from and to the spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lpd_relabel_spool',`
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	# Covers the file class only; directories and symbolic links labelled
	# print_spool_t cannot be relabeled through this interface.
	# Relabeling changes which type-enforcement rules apply to a file, so
	# this permission decides what may enter or leave the print_spool_t
	# label. Moving a file between types additionally needs the matching
	# relabelfrom/relabelto permission on the other type, which is not
	# granted here.
	allow $1 print_spool_t:file { relabelto relabelfrom };
')
########################################
## <summary>
## List the printer configuration directories
## and read the printer configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`lpd_read_config',`
	gen_require(`
		type printconf_t;
	')

	# Read-only: listing of printconf_t directories plus read of the
	# printconf_t files inside them; nothing here allows modification.
	# NOTE(review): unlike the spool interfaces, no search access to a
	# parent directory is granted here; presumably callers already have
	# it, confirm against the file contexts for printconf_t.
	allow $1 printconf_t:dir list_dir_perms;
	read_files_pattern($1, printconf_t, printconf_t)
')
########################################
## <summary>
## Transition to a user lpr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
# NOTE(review): declared with template() although it declares no types and
# takes a plain domain argument like the interface() blocks around it;
# confirm whether interface() was intended.
template(`lpd_domtrans_lpr',`
	gen_require(`
		type lpr_t, lpr_exec_t;
	')

	# Same transition rule that lpd_role grants to its user domain, but
	# without the role authorization for lpr_t; the caller's role must be
	# allowed lpr_t by some other rule for the transition to succeed.
	domtrans_pattern($1, lpr_exec_t, lpr_t)
')
########################################
## <summary>
## Allow the specified domain to execute lpr
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lpd_exec_lpr',`
	gen_require(`
		type lpr_exec_t;
	')

	# No domain transition: lpr keeps running in $1, so it is confined by
	# the rules of $1 rather than by those of lpr_t. Use lpd_domtrans_lpr
	# when lpr should run under its own domain instead.
	# (can_exec is a support macro defined outside this file.)
	can_exec($1, lpr_exec_t)
')