#DESC Cups - Common Unix Printing System
#
# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
# Depends: lpd.te lpr.te
#################################
#
# Rules for the cupsd_t domain.
#
# cupsd_t is the domain of cupsd.
# cupsd_exec_t is the type of the cupsd executable.
#
type ipp_port_t, port_type, reserved_port_type;
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
etcdir_domain(cupsd)
typealias cupsd_etc_t alias etc_cupsd_t;
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
can_network(cupsd_t)
logdir_domain(cupsd)
tmp_domain(cupsd)
allow cupsd_t devpts_t:dir search;
allow cupsd_t device_t:lnk_file read;
allow cupsd_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t urandom_device_t:chr_file { getattr read };
dontaudit cupsd_t random_device_t:chr_file ioctl;
# Temporary solution; a more restrictive rule is needed here.
allow cupsd_t serial_device:chr_file rw_file_perms;
r_dir_file(cupsd_t, usbdevfs_t)
r_dir_file(cupsd_t, usbfs_t)
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
')
ifdef(`inetd.te', `
allow inetd_t printer_port_t:tcp_socket name_bind;
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
')
# write to spool
allow cupsd_t var_spool_t:dir search;
# This is not ideal: granting setattr access on cupsd_etc_t is wrong.
file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
allow cupsd_t cupsd_etc_t:file setattr;
allow cupsd_t cupsd_etc_t:dir setattr;
allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
can_exec(cupsd_t, initrc_exec_t)
allow cupsd_t proc_t:file r_file_perms;
allow cupsd_t proc_t:dir r_dir_perms;
allow cupsd_t self:file { getattr read };
read_sysctl(cupsd_t)
allow cupsd_t sysctl_dev_t:dir search;
allow cupsd_t sysctl_dev_t:file { getattr read };
# for /etc/printcap
dontaudit cupsd_t etc_t:file write;
# Allow cupsd to execute its backend scripts (can_exec runs them in cupsd_t, with no domain transition).
can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:fifo_file rw_file_perms;
# Use capabilities.
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
dontaudit cupsd_t self:capability net_admin;
allow cupsd_t self:process setsched;
# for /var/lib/defoma
allow cupsd_t var_lib_t:dir search;
r_dir_file(cupsd_t, readable_t)
# Bind to the cups/ipp port (631).
allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
can_tcp_connect(web_client_domain, cupsd_t)
can_tcp_connect(cupsd_t, cupsd_t)
# Send to portmap.
ifdef(`portmap.te', `
can_udp_send(cupsd_t, portmap_t)
can_udp_send(portmap_t, cupsd_t)
')
# Write to /var/spool/cups.
allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
allow cupsd_t print_spool_t:file create_file_perms;
allow cupsd_t print_spool_t:file rw_file_perms;
# Filter scripts may be shell scripts and may invoke programs such as /bin/mktemp.
allow cupsd_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_t bin_t:lnk_file read;
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
# They will also invoke ghostscript, which needs to read fonts
r_dir_file(cupsd_t, fonts_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
allow cupsd_t lib_t:file { read getattr };
# read python modules
allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
#
# Many denials were generated that require the following rule.
#
allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
#
# Satisfy readahead
#
allow initrc_t cupsd_log_t:file { getattr read };
r_dir_file(cupsd_t, var_t)
r_dir_file(cupsd_t, usercanread)
ifdef(`samba.te', `
rw_dir_file(cupsd_t, samba_var_t)
allow smbd_t cupsd_etc_t:dir search;
')
ifdef(`pam.te', `
dontaudit cupsd_t pam_var_run_t:file { getattr read };
')
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
# PTAL
daemon_domain(ptal)
etcdir_domain(ptal)
allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
allow ptal_t ptal_var_run_t:sock_file create_file_perms;
allow ptal_t self:capability chown;
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
allow ptal_t printer_device_t:chr_file { ioctl read write };
allow initrc_t printer_device_t:chr_file getattr;
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
r_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
allow cupsd_t ptal_var_run_t:dir search;
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
allow initrc_t ptal_var_run_t:dir rmdir;
allow initrc_t ptal_var_run_t:fifo_file unlink;
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
allow cupsd_t printconf_t:file { getattr read };
dbusd_client(system, cupsd)
ifdef(`hald.te', `
# CUPS configuration daemon
daemon_domain(cupsd_config)
allow cupsd_config_t devpts_t:dir search;
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')dnl end distro_redhat
allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
allow cupsd_config_t self:file { getattr read };
allow cupsd_config_t proc_t:file { getattr read };
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
allow cupsd_config_t cupsd_t:process { signal };
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
can_ps(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:capability chown;
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
can_network_tcp(cupsd_config_t)
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
allow cupsd_t system_dbusd_t:dbus send_msg;
allow userdomain cupsd_config_t:dbus send_msg;
allow cupsd_config_t hald_t:dbus send_msg;
allow hald_t cupsd_config_t:dbus send_msg;
allow cupsd_t userdomain:dbus send_msg;
allow cupsd_t hald_t:dbus send_msg;
allow hald_t cupsd_t:dbus send_msg;
')dnl end if dbusd.te
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(cupsd_t, hostname_exec_t)
can_exec(cupsd_config_t, hostname_exec_t)
')
allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
# killall triggers the following denials, which are silenced here.
dontaudit cupsd_config_t domain:dir { getattr search };
dontaudit cupsd_config_t selinux_config_t:dir search;
can_exec(cupsd_config_t, cupsd_config_exec_t) 
allow cupsd_config_t usr_t:file { getattr read };
allow cupsd_config_t var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
ifdef(`logrotate.te', `
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
allow cupsd_config_t system_crond_t:fd use;
allow cupsd_config_t crond_t:fifo_file read;
allow cupsd_t crond_t:fifo_file read;
# The alternatives system requests this.
allow cupsd_config_t initrc_exec_t:file getattr;
') dnl end if hald.te
ifdef(`targeted_policy', `
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
')
ifdef(`targeted_policy', `
allow cupsd_t unconfined_t:dbus send_msg;
')