diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 0ac2365..ade7cf7 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Add lpr per-userdomain policy to lpd. - Miscellaneous fixes from Dan Walsh. - Change initrc_var_run_t interface noun from script_pid to utmp, for greater clarity. diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 4eb4cee..a161fb0 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -1738,7 +1738,6 @@ interface(`fs_rw_nfsd_fs',` allow $1 nfsd_fs_t:file rw_file_perms; ') - ######################################## ## ## Mount a RAM filesystem. diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if index c1d77ab..5fbe658 100644 --- a/refpolicy/policy/modules/services/cups.if +++ b/refpolicy/policy/modules/services/cups.if @@ -99,6 +99,25 @@ interface(`cups_dbus_chat_config',` ######################################## ## +## Read cups configuration files. +## +## +## Domain allowed access. +## +# +interface(`cups_read_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; + ') + + files_search_etc($1) + allow $1 cupsd_etc_t:dir search_dir_perms; + allow $1 cupsd_etc_t:file { getattr read }; + allow $1 cupsd_rw_etc_t:file { getattr read }; +') + +######################################## +## ## Read cups-writable configuration files. ## ## @@ -150,3 +169,21 @@ interface(`cups_stream_connect_ptal',` allow $1 ptal_var_run_t:sock_file write; allow $1 ptal_t:unix_stream_socket connectto; ') + +######################################## +## +## Connect to cups over TCP. +## +## +## Domain allowed access. +## +# +interface(`cups_tcp_connect',` + gen_require(` + type cupsd_t; + ') + + allow $1 cupsd_t:tcp_socket { connectto recvfrom }; + allow cupsd_t $1:tcp_socket { acceptfrom recvfrom }; + kernel_tcp_recvfrom($1) +') 
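Review bot: `cups_tcp_connect` grants only the socket-level peer permissions (`connectto`/`recvfrom` on cupsd_t's tcp_socket and the mirrored `acceptfrom`/`recvfrom` on cupsd_t), so a caller still cannot reach the daemon unless it separately holds connect permission on the IPP port; in this commit `$1_lpr_t` satisfies that only through `corenet_tcp_connect_all_ports` in lpd.if. Either fold the port rule into the interface (`corenet_tcp_connect_ipp_port($1)`, if this revision's corenetwork defines it) so callers receive a complete and minimal grant, or add to the summary `## The caller must separately be allowed to connect to the ipp port.` The second caller added in lpd.if, the user domain `$2`, has no port rule visible in this diff, so it may not actually be able to connect after this change.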
diff --git a/refpolicy/policy/modules/services/lpd.fc b/refpolicy/policy/modules/services/lpd.fc index fe8bbcb..e97eb7a 100644 --- a/refpolicy/policy/modules/services/lpd.fc +++ b/refpolicy/policy/modules/services/lpd.fc @@ -1,10 +1,20 @@ - +# +# /dev +# /dev/printer -s gen_context(system_u:object_r:printer_t,s0) +# +# /usr +# /usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) /usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) - /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) +/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +# +# /var +# /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if index 05b92f4..35ef521 100644 --- a/refpolicy/policy/modules/services/lpd.if +++ b/refpolicy/policy/modules/services/lpd.if @@ -1,5 +1,240 @@ ## Line printer daemon +####################################### +## +## The per user domain template for the lpd module. +## +## +##

+## This template creates a derived domains which are used +## for lpr printing client. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## +# +template(`lpd_per_userdomain_template',` + gen_require(` + type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t; + ') + + ############################## + # + # Declarations + # + # Derived domain based on the calling user domain and the program + type $1_lpr_t; + domain_type($1_lpr_t) + domain_entry_file($1_lpr_t,lpr_exec_t) + role $3 types $1_lpr_t; + + type $1_lpr_tmp_t; + files_tmp_file($1_lpr_tmp_t) + + # Type for spool files. + type $1_print_spool_t; + files_type($1_print_spool_t) + + ############################## + # + # Local policy + # + allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown }; + allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms; + allow $1_lpr_t self:tcp_socket create_socket_perms; + allow $1_lpr_t self:udp_socket create_socket_perms; + + # lpr can run in lightweight mode, without a local print spooler. + allow $1_lpr_t lpd_var_run_t:dir search; + allow $1_lpr_t lpd_var_run_t:sock_file write; + files_read_var_files($1_lpr_t) + + # Connect to lpd via a Unix domain socket. + allow $1_lpr_t printer_t:sock_file rw_file_perms; + allow $1_lpr_t lpd_t:unix_stream_socket connectto; + # connecto to a network lpd + allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom }; + allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom }; + # Send SIGHUP to lpd. 
+ allow $1_lpr_t lpd_t:process signal; + + can_exec($1_lpr_t,lpr_exec_t) + + allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms; + allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms; + files_filetrans_tmp($1_lpr_t, $1_lpr_tmp_t, { file dir }) + + allow $1_lpr_t $1_print_spool_t:file create_file_perms; + allow $1_lpr_t print_spool_t:dir rw_dir_perms; + type_transition $1_lpr_t print_spool_t:file $1_print_spool_t; + # Read and write shared files in the spool directory. + allow $1_lpr_t print_spool_t:file rw_file_perms; + + allow $1_lpr_t printconf_t:dir r_dir_perms; + allow $1_lpr_t printconf_t:file r_file_perms; + allow $1_lpr_t printconf_t:lnk_file { getattr read }; + + dontaudit $1_lpr_t $2:unix_stream_socket { read write }; + + # Transition from the user domain to the derived domain. + allow $2 $1_lpr_t:fd use; + allow $1_lpr_t $2:fd use; + allow $1_lpr_t $2:fifo_file rw_file_perms; + allow $1_lpr_t $2:process sigchld; + domain_auto_trans($2,lpr_exec_t,$1_lpr_t) + + allow $2 $1_lpr_t:process signull; + + # Allow lpd to read, rename, and unlink spool files. 
+ allow lpd_t $1_print_spool_t:file r_file_perms; + allow lpd_t $1_print_spool_t:file link_file_perms; + + kernel_tcp_recvfrom($1_lpr_t) + + corenet_tcp_sendrecv_generic_if($1_lpr_t) + corenet_udp_sendrecv_generic_if($1_lpr_t) + corenet_raw_sendrecv_generic_if($1_lpr_t) + corenet_tcp_sendrecv_all_nodes($1_lpr_t) + corenet_udp_sendrecv_all_nodes($1_lpr_t) + corenet_raw_sendrecv_all_nodes($1_lpr_t) + corenet_tcp_sendrecv_all_ports($1_lpr_t) + corenet_udp_sendrecv_all_ports($1_lpr_t) + corenet_tcp_bind_all_nodes($1_lpr_t) + corenet_udp_bind_all_nodes($1_lpr_t) + corenet_tcp_connect_all_ports($1_lpr_t) + + # for /dev/null + dev_list_all_dev_nodes($1_lpr_t) + + domain_use_wide_inherit_fd($1_lpr_t) + + files_search_spool($1_lpr_t) + # for lpd config files (should have a new type) + files_read_etc_files($1_lpr_t) + # for test print + files_read_usr_files($1_lpr_t) + #Added to cover read_content macro + files_list_home($1_lpr_t) + files_read_generic_tmp_files($1_lpr_t) + + fs_getattr_xattr_fs($1_lpr_t) + + # Access the terminal. + term_use_controlling_term($1_lpr_t) + term_use_generic_pty($1_lpr_t) + + libs_use_ld_so($1_lpr_t) + libs_use_shared_libs($1_lpr_t) + + miscfiles_read_localization($1_lpr_t) + + sysnet_read_config($1_lpr_t) + + userdom_read_user_tmp_symlinks($1,$1_lpr_t) + # Write to the user domain tty. 
+ userdom_use_user_terminals($1,$1_lpr_t) + + tunable_policy(`read_default_t',` + files_list_default($1_lpr_t) + files_read_default_symlinks($1_lpr_t) + files_read_default_files($1_lpr_t) + ') + + tunable_policy(`read_untrusted_content',` + #list and read user specific untrusted content + files_list_home($1_lpr_t) + userdom_list_user_home($1,$1_lpr_t) + userdom_read_user_untrusted_content_files($1,$1_lpr_t) + + #list and read user specific temporary untrusted content + files_list_tmp($1_lpr_t) + userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t) + ') + + tunable_policy(`use_nfs_home_dirs',` + files_list_home($1_lpr_t) + fs_list_auto_mountpoints($1_lpr_t) + fs_read_nfs_files($1_lpr_t) + fs_read_nfs_symlinks($1_lpr_t) + ') + + tunable_policy(`use_samba_home_dirs',` + files_list_home($1_lpr_t) + fs_list_auto_mountpoints($1_lpr_t) + fs_read_cifs_files($1_lpr_t) + fs_read_cifs_symlinks($1_lpr_t) + ') + + optional_policy(`cups',` + cups_read_config($1_lpr_t) + cups_tcp_connect($1_lpr_t) + cups_read_config($2) + cups_tcp_connect($2) + ') + + optional_policy(`logging',` + logging_send_syslog_msg($1_lpr_t) + ') + + optional_policy(`nscd',` + nscd_use_socket($1_lpr_t) + ') + + optional_policy(`nis',` + nis_use_ypbind($1_lpr_t) + ') + + ifdef(`TODO',` + optional_policy(`xdm', ` + allow $1_lpr_t xdm_t:fd use; + allow $1_lpr_t xdm_var_run_t:dir search; + allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl }; + ') + ') dnl end TODO +') + +####################################### +## +## The administrative functions template for the lpd module. +## +## +##

+## This template creates rules for administrating the ldp service, +## allowing the specified user to manage lpr files. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +# +template(`lpr_admin_template',` + gen_require(` + type $1_lpr_t; + ') + + userdom_read_all_user_files($1_lpr_t) + + # Allow per user lpr domain read acces for specific user. + tunable_policy(`read_untrusted_content',` + userdom_read_all_untrusted_content($1_lpr_t) + userdom_read_all_tmp_untrusted_content($1_lpr_t) + ') +') + ######################################## ## ## Execute lpd in the lpd domain. diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te index d4d916a..238f761 100644 --- a/refpolicy/policy/modules/services/lpd.te +++ b/refpolicy/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.1.0) +policy_module(lpd,1.1.1) ######################################## # @@ -24,6 +24,9 @@ files_tmp_file(lpd_tmp_t) type lpd_var_run_t; files_pid_file(lpd_var_run_t) +type lpr_exec_t; +files_type(lpr_exec_t) + type print_spool_t; files_tmp_file(print_spool_t) @@ -152,6 +155,7 @@ allow lpd_t printer_t:unix_stream_socket name_bind; allow lpd_t printer_t:unix_dgram_socket name_bind; kernel_read_kernel_sysctl(lpd_t) +kernel_tcp_recvfrom(lpd_t) # bash wants access to /proc/meminfo kernel_read_system_state(lpd_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 92e377a..1a6cbe4 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
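Review bot: The derived `$1_lpr_t` domain receives `dac_override` plus `corenet_tcp_connect_all_ports`, `corenet_tcp_bind_all_nodes` and `corenet_udp_bind_all_nodes`, so every user's print client may connect to any TCP port and bind any node address, wider than a print client needs and reachable from the unprivileged user domain through `domain_auto_trans($2,lpr_exec_t,$1_lpr_t)`. If this revision's corenetwork defines them, `corenet_tcp_connect_printer_port($1_lpr_t)` and `corenet_tcp_connect_ipp_port($1_lpr_t)` would cover the LPD and IPP cases (`net_bind_service` presumably stays for lpr's reserved source-port bind), and `dac_override` deserves a comment naming the file access that needs it. The `optional_policy(`cups')` block also puts `cups_read_config($2)` and `cups_tcp_connect($2)` on the calling user domain itself; a one-line comment on why `$2` and not only `$1_lpr_t` needs cups access would help, since rules on the user domain coming from another module's template are easy to overlook. `lpr_admin_template` breaks the `lpd_` prefix used by `lpd_per_userdomain_template` and the rest of lpd.if, its summary misspells the module as `ldp`, and the comment `# connecto to a network lpd` has a typo as well.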
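Review bot: `lpr_exec_t` is declared here with only `files_type`, while the rules that make it an executable entrypoint (`domain_entry_file`, `domain_auto_trans`) live in `lpd_per_userdomain_template` in lpd.if, so a reader of the .te cannot tell what runs from it. A comment such as `# entrypoint for the per-user $1_lpr_t domains; see lpd_per_userdomain_template in lpd.if` above `type lpr_exec_t;` would close that gap. Since lpd.fc labels lpq and lprm with lpr_exec_t as well, the comment could also note that all three clients share the derived domain.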
@@ -57,11 +57,11 @@ template(`base_user_template',` files_tmpfs_file($1_tmpfs_t) # types for network-obtained content - type $1_untrusted_content_t, $1_file_type; #, customizable + type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable files_type($1_untrusted_content_t) files_poly_member($1_untrusted_content_t) - type $1_untrusted_content_tmp_t, $1_file_type; # customizable + type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable files_tmp_file($1_untrusted_content_tmp_t) type $1_tty_device_t; @@ -915,6 +915,10 @@ template(`admin_user_template',` cron_admin_template($1,$1_t,$1_r) ') + optional_policy(`lpd',` + lpr_admin_template($1,$1_t,$1_r) + ') + optional_policy(`mta',` mta_admin_template($1,$1_t,$1_r) ') @@ -1119,6 +1123,36 @@ template(`userdom_search_user_home',` ######################################## ## +## List user home directories. +## +## +##
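Review bot: `lpr_admin_template($1,$1_t,$1_r)` is invoked with three arguments, but the template defined in lpd.if declares and documents only `$1`, so `$1_t` and `$1_r` are ignored by m4; either trim the call to `lpr_admin_template($1)` or have the template document the extra parameters the way the neighbouring `cron_admin_template` and `mta_admin_template` calls suggest. The template's `gen_require` of `type $1_lpr_t` also assumes `lpd_per_userdomain_template` has already been instantiated for the same prefix, and this commit adds no such call; if admin users are not run through it elsewhere (outside this diff) the build fails on the missing type, so that prerequisite belongs in the template's description. The enclosing `admin_user_template` starts and ends outside the hunk.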

+## List user home directories. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## Domain allowed access. +## +# +template(`userdom_list_user_home',` + gen_require(` + type $1_home_dir_t; + ') + + files_search_home($2) + allow $2 $1_home_dir_t:dir r_dir_perms; +') + +######################################## +## ## Do a domain transition to the specified ## domain when executing a program in the ## user home directory. @@ -2253,6 +2287,40 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',` ######################################## ## +## Read all user untrusted content files. +## +## +## Domain allowed access. +## +# +interface(`userdom_read_all_untrusted_content',` + gen_require(` + attribute untrusted_content_type; + ') + + allow $1 untrusted_content_type:dir r_dir_perms; + allow $1 untrusted_content_type:{ file lnk_file } r_file_perms; +') + +######################################## +## +## Read all user temporary untrusted content files. +## +## +## Domain allowed access. +## +# +interface(`userdom_read_all_tmp_untrusted_content',` + gen_require(` + attribute untrusted_content_tmp_type; + ') + + allow $1 untrusted_content_tmp_type:dir r_dir_perms; + allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms; +') + +######################################## +## ## Read and write a user domain tty and pty. ## ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 5431df0..4fdac5f 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.2.1) +policy_module(userdomain,1.2.2) gen_require(` role sysadm_r, staff_r, user_r, secadm_r; @@ -43,6 +43,9 @@ attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; +attribute untrusted_content_type; +attribute untrusted_content_tmp_type; + ######################################## # # Local policy
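Review bot: The description of `userdom_list_user_home` only repeats its summary, `List user home directories.`, so nothing but the permission set distinguishes it from `userdom_search_user_home` directly above; replace that paragraph with something like `Allows listing the user home directory (r_dir_perms) rather than only traversing it as userdom_search_user_home does.` The `files_search_home($2)` call is what lets the caller reach the home directory at all, which is worth stating in the description because the untrusted-content read interfaces added later in this file carry no equivalent search rule.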
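Review bot: `userdom_read_all_untrusted_content` and `userdom_read_all_tmp_untrusted_content` grant read on every user's content objects through the new attributes but grant no search on the directories that lead to them, unlike `userdom_list_user_home` earlier in this diff which pairs its allow with `files_search_home($2)`; the tmp variant in particular has no `files_search_tmp($1)`. The only caller in this commit, `lpr_admin_template`, presumably gets traversal from the preceding `userdom_read_all_user_files($1_lpr_t)`, so the gap is hidden there; either add the search rules or state in each summary that the caller must already be able to traverse home and /tmp. Because `untrusted_content_type` spans every user's network-obtained content, the summaries should read `Read every user's untrusted content files.` so the cross-user scope of the grant is explicit to policy writers.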
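Review bot: The two new attributes are declared without the one-line comment that the neighbouring `attribute unpriv_userdomain;` carries (`# unprivileged user domains`), and nothing in userdomain.te says what they collect. Add `# network-obtained (untrusted) content of all users` above `attribute untrusted_content_type;` and `# temporary untrusted content of all users` above `attribute untrusted_content_tmp_type;`, since these attributes are what enables the cross-user read interfaces added to userdomain.if in the same commit.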