[selinux-policy: 1501/3172] fix most bad rules in cups, bug 1771

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:15:03 UTC 2010


commit 9c1c08e38cb5cf3405d9ce42a970ca147ae46809
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 8 17:18:25 2006 +0000

    fix most bad rules in cups, bug 1771

 refpolicy/policy/modules/kernel/devices.if |   21 +++++++-
 refpolicy/policy/modules/kernel/devices.te |    2 +-
 refpolicy/policy/modules/kernel/files.if   |   19 ++++++
 refpolicy/policy/modules/kernel/files.te   |    2 +-
 refpolicy/policy/modules/services/cups.te  |   86 ++++++++++------------------
 refpolicy/policy/modules/system/init.te    |    5 +-
 6 files changed, 76 insertions(+), 59 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index dad9c0c..5449c4d 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1777,6 +1777,25 @@ interface(`dev_rw_null',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the printer device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_printer_dev',`
+	gen_require(`
+		type device_t, printer_device_t;
+	')
+
+	allow $1 device_t:dir search_dir_perms;
+	allow $1 printer_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the printer device nodes.
 ## </summary>
 ## <param name="domain">
@@ -1790,7 +1809,7 @@ interface(`dev_setattr_printer_dev',`
 		type device_t, printer_device_t;
 	')
 
-	allow $1 device_t:dir search;
+	allow $1 device_t:dir search_dir_perms;
 	allow $1 printer_device_t:chr_file setattr;
 ')
 
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 7ec2f42..8edb0f5 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.13)
+policy_module(devices,1.1.14)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index bae6158..dd76116 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -1758,6 +1758,24 @@ interface(`files_read_etc_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:file write;
+')
+
+########################################
+## <summary>
 ##	Read and write generic files in /etc.
 ## </summary>
 ## <param name="domain">
@@ -4136,6 +4154,7 @@ interface(`files_delete_all_pids',`
 	allow $1 pidfile:dir rw_dir_perms;
 	allow $1 pidfile:file { getattr unlink };
 	allow $1 pidfile:sock_file { getattr unlink };
+	allow $1 pidfile:fifo_file { getattr unlink };
 ')
 
 ########################################
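Review bot: Adding `allow $1 pidfile:fifo_file { getattr unlink };` to files_delete_all_pids widens the interface for every caller, not only for the initrc_t use this commit is cleaning up, because `pidfile` is an attribute spanning all pid-file types. The interface's summary block is above the hunk and not visible here; if it enumerates the object classes covered, it should now also mention FIFOs, e.g. `## Delete all pid files, sockets and fifos in /var/run.` Presumably this is what replaces the removed `allow initrc_t ptal_var_run_t:fifo_file unlink;` in cups.te, which only holds if ptal_var_run_t carries the pidfile attribute — worth confirming.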
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 942046a..ccf74ba 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.10)
+policy_module(files,1.2.11)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 932969f..924ce5d 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.6)
+policy_module(cups,1.3.7)
 
 ########################################
 #
@@ -156,6 +156,7 @@ fs_search_auto_mountpoints(cupsd_t)
 
 term_dontaudit_use_console(cupsd_t)
 term_write_unallocated_ttys(cupsd_t)
+term_search_ptys(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
@@ -176,6 +177,11 @@ files_search_var_lib(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
+# Satisfy readahead
+files_read_var_files(cupsd_t)
+files_read_var_symlinks(cupsd_t)
+# for /etc/printcap
+files_dontaudit_write_etc_files(cupsd_t)
 
 init_use_fds(cupsd_t)
 init_use_script_ptys(cupsd_t)
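Review bot: The raw cupsd_t rules removed later in this file are all replaced by interface calls here except one: `dontaudit cupsd_t random_device_t:chr_file ioctl;` is deleted without any dev_ dontaudit call being added in this diff. Nothing is granted or lost permission-wise, but unless another rule in the cupsd_t block already covers it, ioctl attempts on /dev/random by cupsd will now appear as denials in the audit log instead of being silenced. Either add the matching dev_ dontaudit interface next to `files_dontaudit_write_etc_files(cupsd_t)` or note in the commit that the dontaudit was dropped on purpose. The cupsd_t block continues on both sides of this hunk.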
@@ -203,9 +209,22 @@ userdom_dontaudit_search_all_users_home_content(cupsd_t)
 lpd_manage_spool(cupsd_t)
 
 ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(cupsd_t)
+
 	term_dontaudit_use_unallocated_ttys(cupsd_t)
 	term_dontaudit_use_generic_ptys(cupsd_t)
-	files_dontaudit_read_root_files(cupsd_t)
+
+	init_stream_connect_script(cupsd_t)
+
+	unconfined_read_pipes(cupsd_t)
+
+	optional_policy(`
+		init_dbus_chat_script(cupsd_t)
+
+		unconfined_dbus_send(cupsd_t)
+
+		dbus_stub(cupsd_t)
+	')
 ')
 
 optional_policy(`
@@ -267,23 +286,6 @@ allow cupsd_t usercanread:dir r_dir_perms;
 allow cupsd_t usercanread:file r_file_perms;
 allow cupsd_t usercanread:lnk_file { getattr read };
 
-allow cupsd_t devpts_t:dir search;
-
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-#allow cupsd_t serial_device:chr_file rw_file_perms;
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-#
-# Satisfy readahead
-#
-allow cupsd_t var_t:dir { getattr read search };
-allow cupsd_t var_t:file r_file_perms;
-allow cupsd_t var_t:lnk_file { getattr read };
-
 ########################################
 #
 # Cups configuration daemon local policy
@@ -364,9 +366,12 @@ domain_dontaudit_search_all_domains_state(cupsd_config_t)
 files_read_usr_files(cupsd_config_t)
 files_read_etc_files(cupsd_config_t)
 files_read_etc_runtime_files(cupsd_config_t)
+files_read_var_symlinks(cupsd_config_t)
 
 init_use_fds(cupsd_config_t)
 init_use_script_ptys(cupsd_config_t)
+# Alternatives asks for this
+init_getattr_script_files(cupsd_config_t)
 
 libs_use_ld_so(cupsd_config_t)
 libs_use_shared_libs(cupsd_config_t)
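Review bot: The new unconditional `init_getattr_script_files(cupsd_config_t)` duplicates the call that already sits inside the `ifdef(`distro_redhat',` block a few lines further down (visible as context in the next hunk). Duplicate allow rules are harmless to the compiled policy, but the distro_redhat copy is now redundant and should be removed so the two do not drift apart. The "Alternatives asks for this" comment moved up with the call, so the distro_redhat one would be left unexplained if kept.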
@@ -382,6 +387,8 @@ sysnet_read_config(cupsd_config_t)
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
 
+lpd_read_config(cupsd_config_t)
+
 ifdef(`distro_redhat',`
 	init_getattr_script_files(cupsd_config_t)
 
@@ -391,9 +398,12 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
-	term_dontaudit_use_generic_ptys(cupsd_config_t)
 	files_dontaudit_read_root_files(cupsd_config_t)
+
+	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
+	term_use_generic_ptys(cupsd_config_t)
+
+	unconfined_rw_pipes(cupsd_config_t)
 ')
 
 optional_policy(`
@@ -442,33 +452,6 @@ optional_policy(`
 	udev_read_db(cupsd_config_t)
 ')
 
-allow cupsd_config_t var_t:lnk_file read;
-
-allow cupsd_config_t printconf_t:file { getattr read };
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-
-ifdef(`targeted_policy', `
-	init_stream_connect_script(cupsd_t)
-
-	unconfined_read_pipes(cupsd_t)
-
-	optional_policy(`
-		init_dbus_chat_script(cupsd_t)
-
-		unconfined_dbus_send(cupsd_t)
-
-		dbus_stub(cupsd_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(cupsd_config_t)
-
-	unconfined_rw_pipes(cupsd_config_t)
-')
-
 ########################################
 #
 # Cups lpd support
@@ -658,7 +641,6 @@ optional_policy(`
 	udev_read_db(hplip_t)
 ')
 
-allow hplip_t devpts_t:dir search;
 allow hplip_t devpts_t:chr_file { getattr ioctl };
 
 ########################################
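Review bot: Removing `allow hplip_t devpts_t:dir search;` leaves the surviving `allow hplip_t devpts_t:chr_file { getattr ioctl };` without a visible path to reach pty nodes: no `term_search_ptys(hplip_t)` is added anywhere in this diff, unlike the cupsd_t case earlier in the file. If hplip_t does not already get devpts search through another term_ call outside this hunk, the chr_file rule becomes unreachable for /dev/pts lookups. The remaining chr_file rule is itself a raw cross-module rule on devpts_t, the kind this commit is meant to eliminate, so it should be converted to a term_ interface at the same time.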
@@ -744,9 +726,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
-
-allow initrc_t printer_device_t:chr_file getattr;
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-allow initrc_t cupsd_rw_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 0c39a20..65cf3de 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.16)
+policy_module(init,1.3.17)
 
 gen_require(`
 	class passwd rootok;
@@ -531,7 +531,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dev_getattr_printer_dev(initrc_t)
+
 	cups_read_log(initrc_t)
+	cups_read_rw_config(initrc_t)
 ')
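Review bot: `cups_read_rw_config(initrc_t)` relies on an interface that is not defined in this diff, and cups.if does not appear in the diffstat, so it must already exist; if it does not, this hunk breaks the build and should carry the interface addition. Separately, the cups.te rules this replaces included `allow initrc_t ptal_var_run_t:dir rmdir;`, and no replacement for the rmdir permission is visible here — the fifo_file addition to files_delete_all_pids covers unlink of the FIFO, but rw_dir_perms does not obviously include rmdir, so init scripts that remove the ptal run directory may now be denied. Worth confirming against the current files_delete_all_pids definition before merging.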
 
 optional_policy(`

