#DESC Lpd - Print server
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lpr
#

#################################
#
# Rules for the lpd_t domain.
#
# lpd_t is the domain of lpd.
# lpd_exec_t is the type of the lpd executable.
# printer_t is the type of the Unix domain socket created
# by lpd.
#
# daemon_domain(lpd) declares the lpd_t domain and its executable type and
# presumably the lpd_var_run_t type used below; see the macro definition
# for the exact set of rules it expands to.
daemon_domain(lpd)

# The socket lpd creates in its run-time directory.
allow lpd_t lpd_var_run_t:sock_file create_file_perms;

# Font files are needed to render jobs.
read_fonts(lpd_t)

# dev_fs: printer_t is an object on the device filesystem (see the
# file_type_auto_trans rule for /dev/printer further down).
type printer_t, file_type, sysadmfile, dev_fs;

type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.

# Gives lpd_t its own temporary-file type; see the macro for the rules.
tmp_domain(lpd);

# for postscript include files
allow lpd_t usr_t:{ file lnk_file } { getattr read };

# Allow checkpc to access the lpd spool so it can check & fix it.
# This requires that /usr/sbin/checkpc have type checkpc_t.
#
# checkpc_t is a separate domain so the repair tool gets only the access
# listed below instead of the full lpd_t policy.
type checkpc_t, domain, privlog;
role system_r types checkpc_t;
uses_shlib(checkpc_t)
can_network_client(checkpc_t)
# NOTE(review): port_type covers every labeled port, so this lets checkpc
# connect to any TCP port.  If checkpc only needs the printer port, a rule
# on printer_port_t (as used for lpd_t below) would be narrower; confirm
# against what checkpc actually connects to.
allow checkpc_t port_type:tcp_socket name_connect;
can_ypbind(checkpc_t)
# privlog above plus log_domain: checkpc may talk to the system logger.
log_domain(checkpc)
type checkpc_exec_t, file_type, sysadmfile, exec_type;
# Entry points into checkpc_t: from the init scripts and from the
# administrator.
domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
role sysadm_r types checkpc_t;
allow checkpc_t admin_tty_type:chr_file { read write };
allow checkpc_t privfd:fd use;
# Also runnable from system cron jobs when the cron policy is present.
ifdef(`crond.te', `
system_crond_entry(checkpc_exec_t, checkpc_t)
')
# setuid/setgid: presumably to switch to the print user (verify);
# dac_override bypasses mode-bit checks, so checkpc can reach spool
# entries whatever their ownership.
allow checkpc_t self:capability { setgid setuid dac_override };
allow checkpc_t self:process { fork signal_perms };

# /proc access for checkpc.
allow checkpc_t proc_t:dir search;
allow checkpc_t proc_t:lnk_file read;
allow checkpc_t proc_t:file { getattr read };
r_dir_file(checkpc_t, self)
allow checkpc_t self:unix_stream_socket create_socket_perms;

# Read the system configuration.
allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
allow checkpc_t etc_t:lnk_file read;

# Walk down to the spool and repair it: spool files may be rewritten or
# removed, and directory entries added or dropped.
allow checkpc_t { var_t var_spool_t }:dir { getattr search };
allow checkpc_t print_spool_t:file { rw_file_perms unlink };
allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
# Printer device: getattr and append only, no read.
allow checkpc_t device_t:dir search;
allow checkpc_t printer_device_t:chr_file { getattr append };
allow checkpc_t devtty_t:chr_file rw_file_perms;
allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;

# Allow access to /dev/console through the fd:
allow checkpc_t init_t:fd use;

# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
# any bin_t program can then run inside checkpc_t, which widens what a
# misbehaving checkpc can do.  Kept because checkpc shells out.
allow checkpc_t { bin_t sbin_t }:dir search;
allow checkpc_t bin_t:lnk_file read;
can_exec(checkpc_t, shell_exec_t)
can_exec(checkpc_t, bin_t)

# bash wants access to /proc/meminfo
allow lpd_t proc_t:file { getattr read };

# gs-gnu wants to read some sysctl entries, it seems to work without though
# (dontaudit only silences the denial; no access is granted)
dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;

# for defoma
r_dir_file(lpd_t, var_lib_t)

# checkpc needs to reach the lpd run-time directory.
allow checkpc_t var_run_t:dir search;
allow checkpc_t lpd_var_run_t:dir { search getattr };

# This is needed to permit chown to read /var/spool/lpd/lp.
# This opens up security more than necessary; this means that ANYTHING
# running in the initrc_t domain can read the printer spool directory.
# Perhaps executing /etc/rc.d/init.d/lpd should transition
# to domain lpd_t, instead of waiting for executing lpd.
# Note this is dir read only: on this page initrc_t gets directory
# listings, not the contents of queued jobs.
allow initrc_t print_spool_t:dir read;

# for defoma
r_dir_file(lpd_t, readable_t)

# Use capabilities.
# setuid/setgid: change user and group ids; net_bind_service: bind the
# privileged printer port (see printer_port_t below); dac_read_search,
# dac_override, chown, fowner: presumably for managing spool files owned
# by job submitters (verify).  This is a broad set; dac_override in
# particular bypasses DAC checks on everything lpd_t may otherwise reach.
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };

# Use the network.
can_network_server(lpd_t)
can_ypbind(lpd_t)
allow lpd_t self:fifo_file rw_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;

allow lpd_t self:file { getattr read };
allow lpd_t etc_runtime_t:file { getattr read };

# Bind to the printer port.
allow lpd_t printer_port_t:tcp_socket name_bind;

# Send to portmap.
ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')

ifdef(`ypbind.te',
`# Connect to ypbind.
can_tcp_connect(lpd_t, ypbind_t)')

# Create and bind to /dev/printer.
# The last argument limits the automatic printer_t labeling to lnk_file
# objects lpd_t creates under device_t; the two name_bind rules then let
# lpd bind its Unix sockets to that name.
file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
allow lpd_t printer_device_t:chr_file rw_file_perms;

# Write to /var/spool/lpd.
allow lpd_t var_spool_t:dir search;
allow lpd_t print_spool_t:dir rw_dir_perms;
allow lpd_t print_spool_t:file create_file_perms;
allow lpd_t print_spool_t:file rw_file_perms;

# Execute filter scripts.
# Left disabled on purpose: spool files hold data received from print
# clients, so executing print_spool_t would let job content run as code
# in lpd_t.  Filters are executed from printconf_t and bin_t instead.
# can_exec(lpd_t, print_spool_t)

# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
# NOTE(review): this is broad - any bin_t/sbin_t program runs inside lpd_t
# and no transition to another domain is set up here, so the whole filter
# chain inherits the lpd_t capabilities and spool access listed above.
allow lpd_t bin_t:dir search;
allow lpd_t bin_t:lnk_file read;
can_exec(lpd_t, { bin_t sbin_t shell_exec_t })

# lpd must be able to execute the filter utilities in /usr/share/printconf.
can_exec(lpd_t, printconf_t)
allow lpd_t printconf_t:file rx_file_perms;
allow lpd_t printconf_t:dir { getattr search read };

# config files for lpd are of type etc_t, probably should change this
# (a dedicated type would let lpd read its own configuration without
# read access to the rest of /etc)
allow lpd_t etc_t:file { getattr read };
allow lpd_t etc_t:lnk_file read;

# checkpc needs similar permissions.
# Unlike lpd_t, checkpc_t only gets getattr on the files - no read or
# execute of the printconf utilities.
allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:dir { getattr search read };

# Read printconf files.
allow initrc_t printconf_t:dir r_dir_perms;
allow initrc_t printconf_t:file r_file_perms;