#
# Macros for lpr domains.
#
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
#
#
# lpr_domain(domain_prefix)
#
# Define a derived domain for the lpr/lpq/lprm programs when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/lpr.te. 
#
#
# Expands to the policy for one per-user lpr client domain.
#
# In:   $1 = user domain prefix. The caller must already have $1_t, $1_r,
#       $1_home_t, $1_home_dir_t and $1_tmp_t declared, since all of them
#       are referenced in the body.
# Out:  declares $1_lpr_t (the derived domain) and $1_print_spool_t (the
#       type given to spool files the domain creates). tmp_domain($1_lpr)
#       is also invoked and presumably declares a tmp type for the domain;
#       that name is not visible from this file.
# Note: comments inside the define body deliberately avoid apostrophes and
#       backticks, which m4 would treat as quote delimiters.
#
undefine(`lpr_domain')
define(`lpr_domain',`
# Derived domain based on the calling user domain and the program.
# privlog and nscd_client_domain are attributes declared elsewhere; the
# permissions they carry are not visible here.
type $1_lpr_t, domain, privlog, nscd_client_domain;

# Transition from the user domain to the derived domain whenever the user
# domain executes a file labelled lpr_exec_t.
domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)

# The user domain may only probe the lpr process for existence (signull);
# no other signal is granted in this direction.
allow $1_t $1_lpr_t:process signull;

# allow using shared objects, accessing root dir, etc
uses_shlib($1_lpr_t)

read_locale($1_lpr_t)

# The user role is authorized for this domain.
role $1_r types $1_lpr_t;

# Outbound network access and NIS lookups. The exact permission sets come
# from the can_network_client and can_ypbind macros defined elsewhere.
can_network_client($1_lpr_t)
can_ypbind($1_lpr_t)

# Use capabilities.
# NOTE(review): dac_override and chown let this domain bypass DAC ownership
# and mode checks on every file type it can otherwise reach under the rules
# below; confirm the lpr/lpq/lprm binaries still need both rather than only
# setuid and net_bind_service.
allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown };

allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;

# for lpd config files (should have a new type)
# NOTE(review): until that type exists this grants read access to everything
# labelled etc_t, not only the printer configuration.
r_dir_file($1_lpr_t, etc_t)

# for test print
r_dir_file($1_lpr_t, usr_t)
ifdef(`lpd.te', `
r_dir_file($1_lpr_t, printconf_t)
')

# Private tmp type for the domain, plus read access to the tmp files of the
# calling user (the type name created by tmp_domain is not visible here).
tmp_domain($1_lpr)
r_dir_file($1_lpr_t, $1_tmp_t)

# Type for spool files.
type $1_print_spool_t, file_type, sysadmfile;
# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
# print_spool_t is the parent directory type the transition keys on.
file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
allow $1_lpr_t var_spool_t:dir search;

# for /dev/null
allow $1_lpr_t device_t:dir search;

# Access the terminal.
access_terminal($1_lpr_t, $1)

# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
allow $1_lpr_t privfd:fd use;

# Read user files.
# NOTE(review): the two sysadm_lpr_t rules are emitted on every expansion of
# this macro, so the admin lpr domain accumulates read access to the home
# files of every user prefix the macro is instantiated for -- presumably so
# an administrator can print files on behalf of users. Confirm that reach is
# intended before adding further prefixes.
allow sysadm_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
allow sysadm_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  
allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  

# Home directories on NFS or CIFS are readable only while the matching
# boolean is enabled.
if (use_nfs_home_dirs) {
r_dir_file($1_lpr_t, nfs_t)
}

if (use_samba_home_dirs) {
r_dir_file($1_lpr_t, cifs_t)
}

# Read and write shared files in the spool directory.
allow $1_lpr_t print_spool_t:file rw_file_perms;

# lpr can run in lightweight mode, without a local print spooler. If the
# lpd policy is present, grant some permissions for this domain and the lpd
# domain to interact.
ifdef(`lpd.te', `
allow $1_lpr_t { var_t var_run_t }:dir search;
allow $1_lpr_t lpd_var_run_t:dir search;
allow $1_lpr_t lpd_var_run_t:sock_file write;

# Allow lpd to read, rename, and unlink spool files.
allow lpd_t $1_print_spool_t:file r_file_perms;
allow lpd_t $1_print_spool_t:file link_file_perms;

# Connect to lpd via a Unix domain socket.
allow $1_lpr_t printer_t:sock_file rw_file_perms;
can_unix_connect($1_lpr_t, lpd_t)
# Silence, but do not permit, read/write on stream sockets inherited from
# the user domain.
dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };

# Connect to lpd via a TCP socket.
can_tcp_connect($1_lpr_t, lpd_t)

# filesystem getattr (statfs) on fs_t.
allow $1_lpr_t fs_t:filesystem getattr;
# Send SIGHUP to lpd.
allow $1_lpr_t lpd_t:process signal;

')dnl end if lpd.te

ifdef(`xdm.te', `
# Use descriptors and write to pipes inherited from the display manager.
allow $1_lpr_t xdm_t:fd use;
allow $1_lpr_t xdm_t:fifo_file write;
')

ifdef(`cups.te', `
# Read the CUPS client configuration and talk to cupsd over TCP. Note that
# the user domain itself, not only the lpr domain, receives the directory
# search and the TCP connect.
allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
')dnl end ifdef cups.te

ifdef(`hide_broken_symptoms', `
# thunderbird causes these
# The accesses stay denied; dontaudit only keeps the denials out of the
# audit log, so a genuine regression here is invisible while the
# hide_broken_symptoms option is set.
dontaudit $1_lpr_t $1_t:tcp_socket { read write };
dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
')

')dnl end macro definition