[selinux-policy: 1122/3172] add lpr policy to lpd
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:42:01 UTC 2010
commit 8dca6b9756b69cfa72eea48d349230d4f4f51281
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jan 18 22:26:26 2006 +0000
add lpr policy to lpd
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/filesystem.if | 1 -
refpolicy/policy/modules/services/cups.if | 37 ++++
refpolicy/policy/modules/services/lpd.fc | 14 ++-
refpolicy/policy/modules/services/lpd.if | 235 +++++++++++++++++++++++++
refpolicy/policy/modules/services/lpd.te | 6 +-
refpolicy/policy/modules/system/userdomain.if | 72 ++++++++-
refpolicy/policy/modules/system/userdomain.te | 5 +-
8 files changed, 364 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0ac2365..ade7cf7 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add lpr per-userdomain policy to lpd.
- Miscellaneous fixes from Dan Walsh.
- Change initrc_var_run_t interface noun from script_pid to utmp,
for greater clarity.
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 4eb4cee..a161fb0 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1738,7 +1738,6 @@ interface(`fs_rw_nfsd_fs',`
allow $1 nfsd_fs_t:file rw_file_perms;
')
-
########################################
## <summary>
## Mount a RAM filesystem.
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index c1d77ab..5fbe658 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -99,6 +99,25 @@ interface(`cups_dbus_chat_config',`
########################################
## <summary>
+## Read cups configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 cupsd_etc_t:dir search_dir_perms;
+ allow $1 cupsd_etc_t:file { getattr read };
+ allow $1 cupsd_rw_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
## Read cups-writable configuration files.
## </summary>
## <param name="domain">
@@ -150,3 +169,21 @@ interface(`cups_stream_connect_ptal',`
allow $1 ptal_var_run_t:sock_file write;
allow $1 ptal_t:unix_stream_socket connectto;
')
+
+########################################
+## <summary>
+## Connect to cups over TCP.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`cups_tcp_connect',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ allow $1 cupsd_t:tcp_socket { connectto recvfrom };
+ allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
diff --git a/refpolicy/policy/modules/services/lpd.fc b/refpolicy/policy/modules/services/lpd.fc
index fe8bbcb..e97eb7a 100644
--- a/refpolicy/policy/modules/services/lpd.fc
+++ b/refpolicy/policy/modules/services/lpd.fc
@@ -1,10 +1,20 @@
-
+#
+# /dev
+#
/dev/printer -s gen_context(system_u:object_r:printer_t,s0)
+#
+# /usr
+#
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
-
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+#
+# /var
+#
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 05b92f4..35ef521 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -1,5 +1,240 @@
## <summary>Line printer daemon</summary>
+#######################################
+## <summary>
+## The per user domain template for the lpd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for lpr printing client.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`lpd_per_userdomain_template',`
+ gen_require(`
+ type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+ # Derived domain based on the calling user domain and the program
+ type $1_lpr_t;
+ domain_type($1_lpr_t)
+ domain_entry_file($1_lpr_t,lpr_exec_t)
+ role $3 types $1_lpr_t;
+
+ type $1_lpr_tmp_t;
+ files_tmp_file($1_lpr_tmp_t)
+
+ # Type for spool files.
+ type $1_print_spool_t;
+ files_type($1_print_spool_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+ allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
+ allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_lpr_t self:tcp_socket create_socket_perms;
+ allow $1_lpr_t self:udp_socket create_socket_perms;
+
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow $1_lpr_t lpd_var_run_t:dir search;
+ allow $1_lpr_t lpd_var_run_t:sock_file write;
+ files_read_var_files($1_lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+ allow $1_lpr_t printer_t:sock_file rw_file_perms;
+ allow $1_lpr_t lpd_t:unix_stream_socket connectto;
+ # connecto to a network lpd
+ allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
+ allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
+ # Send SIGHUP to lpd.
+ allow $1_lpr_t lpd_t:process signal;
+
+ can_exec($1_lpr_t,lpr_exec_t)
+
+ allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
+ allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
+ files_filetrans_tmp($1_lpr_t, $1_lpr_tmp_t, { file dir })
+
+ allow $1_lpr_t $1_print_spool_t:file create_file_perms;
+ allow $1_lpr_t print_spool_t:dir rw_dir_perms;
+ type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
+ # Read and write shared files in the spool directory.
+ allow $1_lpr_t print_spool_t:file rw_file_perms;
+
+ allow $1_lpr_t printconf_t:dir r_dir_perms;
+ allow $1_lpr_t printconf_t:file r_file_perms;
+ allow $1_lpr_t printconf_t:lnk_file { getattr read };
+
+ dontaudit $1_lpr_t $2:unix_stream_socket { read write };
+
+ # Transition from the user domain to the derived domain.
+ allow $2 $1_lpr_t:fd use;
+ allow $1_lpr_t $2:fd use;
+ allow $1_lpr_t $2:fifo_file rw_file_perms;
+ allow $1_lpr_t $2:process sigchld;
+ domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
+
+ allow $2 $1_lpr_t:process signull;
+
+ # Allow lpd to read, rename, and unlink spool files.
+ allow lpd_t $1_print_spool_t:file r_file_perms;
+ allow lpd_t $1_print_spool_t:file link_file_perms;
+
+ kernel_tcp_recvfrom($1_lpr_t)
+
+ corenet_tcp_sendrecv_generic_if($1_lpr_t)
+ corenet_udp_sendrecv_generic_if($1_lpr_t)
+ corenet_raw_sendrecv_generic_if($1_lpr_t)
+ corenet_tcp_sendrecv_all_nodes($1_lpr_t)
+ corenet_udp_sendrecv_all_nodes($1_lpr_t)
+ corenet_raw_sendrecv_all_nodes($1_lpr_t)
+ corenet_tcp_sendrecv_all_ports($1_lpr_t)
+ corenet_udp_sendrecv_all_ports($1_lpr_t)
+ corenet_tcp_bind_all_nodes($1_lpr_t)
+ corenet_udp_bind_all_nodes($1_lpr_t)
+ corenet_tcp_connect_all_ports($1_lpr_t)
+
+ # for /dev/null
+ dev_list_all_dev_nodes($1_lpr_t)
+
+ domain_use_wide_inherit_fd($1_lpr_t)
+
+ files_search_spool($1_lpr_t)
+ # for lpd config files (should have a new type)
+ files_read_etc_files($1_lpr_t)
+ # for test print
+ files_read_usr_files($1_lpr_t)
+ #Added to cover read_content macro
+ files_list_home($1_lpr_t)
+ files_read_generic_tmp_files($1_lpr_t)
+
+ fs_getattr_xattr_fs($1_lpr_t)
+
+ # Access the terminal.
+ term_use_controlling_term($1_lpr_t)
+ term_use_generic_pty($1_lpr_t)
+
+ libs_use_ld_so($1_lpr_t)
+ libs_use_shared_libs($1_lpr_t)
+
+ miscfiles_read_localization($1_lpr_t)
+
+ sysnet_read_config($1_lpr_t)
+
+ userdom_read_user_tmp_symlinks($1,$1_lpr_t)
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1,$1_lpr_t)
+
+ tunable_policy(`read_default_t',`
+ files_list_default($1_lpr_t)
+ files_read_default_symlinks($1_lpr_t)
+ files_read_default_files($1_lpr_t)
+ ')
+
+ tunable_policy(`read_untrusted_content',`
+ #list and read user specific untrusted content
+ files_list_home($1_lpr_t)
+ userdom_list_user_home($1,$1_lpr_t)
+ userdom_read_user_untrusted_content_files($1,$1_lpr_t)
+
+ #list and read user specific temporary untrusted content
+ files_list_tmp($1_lpr_t)
+ userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ files_list_home($1_lpr_t)
+ fs_list_auto_mountpoints($1_lpr_t)
+ fs_read_nfs_files($1_lpr_t)
+ fs_read_nfs_symlinks($1_lpr_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ files_list_home($1_lpr_t)
+ fs_list_auto_mountpoints($1_lpr_t)
+ fs_read_cifs_files($1_lpr_t)
+ fs_read_cifs_symlinks($1_lpr_t)
+ ')
+
+ optional_policy(`cups',`
+ cups_read_config($1_lpr_t)
+ cups_tcp_connect($1_lpr_t)
+ cups_read_config($2)
+ cups_tcp_connect($2)
+ ')
+
+ optional_policy(`logging',`
+ logging_send_syslog_msg($1_lpr_t)
+ ')
+
+ optional_policy(`nscd',`
+ nscd_use_socket($1_lpr_t)
+ ')
+
+ optional_policy(`nis',`
+ nis_use_ypbind($1_lpr_t)
+ ')
+
+ ifdef(`TODO',`
+ optional_policy(`xdm', `
+ allow $1_lpr_t xdm_t:fd use;
+ allow $1_lpr_t xdm_var_run_t:dir search;
+ allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
+ ')
+ ') dnl end TODO
+')
+
+#######################################
+## <summary>
+## The administrative functions template for the lpd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates rules for administrating the ldp service,
+## allowing the specified user to manage lpr files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+#
+template(`lpr_admin_template',`
+ gen_require(`
+ type $1_lpr_t;
+ ')
+
+ userdom_read_all_user_files($1_lpr_t)
+
+ # Allow per user lpr domain read acces for specific user.
+ tunable_policy(`read_untrusted_content',`
+ userdom_read_all_untrusted_content($1_lpr_t)
+ userdom_read_all_tmp_untrusted_content($1_lpr_t)
+ ')
+')
+
########################################
## <summary>
## Execute lpd in the lpd domain.
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index d4d916a..238f761 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd,1.1.0)
+policy_module(lpd,1.1.1)
########################################
#
@@ -24,6 +24,9 @@ files_tmp_file(lpd_tmp_t)
type lpd_var_run_t;
files_pid_file(lpd_var_run_t)
+type lpr_exec_t;
+files_type(lpr_exec_t)
+
type print_spool_t;
files_tmp_file(print_spool_t)
@@ -152,6 +155,7 @@ allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
kernel_read_kernel_sysctl(lpd_t)
+kernel_tcp_recvfrom(lpd_t)
# bash wants access to /proc/meminfo
kernel_read_system_state(lpd_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 92e377a..1a6cbe4 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -57,11 +57,11 @@ template(`base_user_template',`
files_tmpfs_file($1_tmpfs_t)
# types for network-obtained content
- type $1_untrusted_content_t, $1_file_type; #, customizable
+ type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
files_type($1_untrusted_content_t)
files_poly_member($1_untrusted_content_t)
- type $1_untrusted_content_tmp_t, $1_file_type; # customizable
+ type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
files_tmp_file($1_untrusted_content_tmp_t)
type $1_tty_device_t;
@@ -915,6 +915,10 @@ template(`admin_user_template',`
cron_admin_template($1,$1_t,$1_r)
')
+ optional_policy(`lpd',`
+ lpr_admin_template($1,$1_t,$1_r)
+ ')
+
optional_policy(`mta',`
mta_admin_template($1,$1_t,$1_r)
')
@@ -1119,6 +1123,36 @@ template(`userdom_search_user_home',`
########################################
## <summary>
+## List user home directories.
+## </summary>
+## <desc>
+## <p>
+## List user home directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_list_user_home',`
+ gen_require(`
+ type $1_home_dir_t;
+ ')
+
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
@@ -2253,6 +2287,40 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',`
########################################
## <summary>
+## Read all user untrusted content files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_read_all_untrusted_content',`
+ gen_require(`
+ attribute untrusted_content_type;
+ ')
+
+ allow $1 untrusted_content_type:dir r_dir_perms;
+ allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+## Read all user temporary untrusted content files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_read_all_tmp_untrusted_content',`
+ gen_require(`
+ attribute untrusted_content_tmp_type;
+ ')
+
+ allow $1 untrusted_content_tmp_type:dir r_dir_perms;
+ allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
## Read and write a user domain tty and pty.
## </summary>
## <desc>
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 5431df0..4fdac5f 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.2.1)
+policy_module(userdomain,1.2.2)
gen_require(`
role sysadm_r, staff_r, user_r, secadm_r;
@@ -43,6 +43,9 @@ attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
+attribute untrusted_content_type;
+attribute untrusted_content_tmp_type;
+
########################################
#
# Local policy
More information about the scm-commits
mailing list