[patch] CUPS 1.2 SELinux policy changes...


 



[Posting here for lack of a better place...]

Attached is a patch against the current selinux.sourceforge.net repo,
along with an archive of additional files that contain the policies
for non-CUPS software.

The patch fixes incompatibilities with the current CUPS 1.2 software
and removes the non-CUPS software rules from the CUPS policy files.
The CUPS 1.2 changes involve adding domain socket support and adding
the new files and directories introduced in 1.2...

I removed the non-CUPS rules because the mix of software makes
debugging and validating the CUPS policies that much harder, and it
makes sense to maintain the policies for separate projects
separately...

Anyways, comments welcome!

--
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software        http://www.easysw.com

Attachment: cups-1.2-moved.tar.gz
Description: GNU Zip compressed data

Index: domains/program/unused/cups.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/unused/cups.te,v
retrieving revision 1.58
diff -u -r1.58 cups.te
--- domains/program/unused/cups.te	20 Oct 2005 19:53:01 -0000	1.58
+++ domains/program/unused/cups.te	11 Nov 2005 15:34:54 -0000
@@ -1,8 +1,9 @@
-#DESC Cups - Common Unix Printing System
+#DESC CUPS - Common UNIX Printing System
 #
 # Created cups policy from lpd policy: Russell Coker <russell@xxxxxxxxxxxx>
 # X-Debian-Packages: cupsys cupsys-client cupsys-bsd
 # Depends: lpd.te lpr.te
+# Moved non-CUPS policies to separate files: Michael Sweet <mike@xxxxxxxxxx>
 
 #################################
 #
@@ -16,37 +17,35 @@
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
 
 can_network(cupsd_t)
+# Allow TCP and domain socket connections
 allow cupsd_t port_type:tcp_socket name_connect;
+allow cupsd_t port_type:unix_stream_socket name_connect;
 logdir_domain(cupsd)
 
 tmp_domain(cupsd, `', { file dir fifo_file })
 
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
+# cupsd uses /dev/urandom for crypto initialization and local auth certificates
 allow cupsd_t urandom_device_t:chr_file { getattr read };
 dontaudit cupsd_t random_device_t:chr_file ioctl;
 
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
+# CUPS backends will enumerate devices typically through a device file scan.
+allow cupsd_t devpts_t:dir search;
+allow cupsd_t device_t:lnk_file read;
+allow cupsd_t printer_device_t:chr_file rw_file_perms;
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
+# temporary solution for serial ports, we need something better
+allow cupsd_t serial_device:chr_file rw_file_perms;
 
+# Allow cupsd to rotate its log files???
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
 ')
 
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
 # write to spool
 allow cupsd_t var_spool_t:dir search;
 
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
+# allow cupsd to set file permissions in directories it owns
 file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
 allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
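Review bot: `allow cupsd_t port_type:unix_stream_socket name_connect;` (the new line under `can_network(cupsd_t)`) will most likely be rejected by checkpolicy: `name_connect` is a `tcp_socket` permission checked against port types, and the `unix_stream_socket` class has no such permission — connecting to a filesystem socket is `connectto` on the peer domain plus `write` on its `sock_file`, exactly the shape the ptal rules removed later in this patch used (`allow cupsd_t ptal_t:unix_stream_socket connectto;` / `allow cupsd_t ptal_var_run_t:sock_file write;`). If the line is only meant to cover cupsd's own listening socket it can be dropped, since that is a `self:unix_stream_socket` matter. The replaced comment also warned that setattr on cupsd_etc_t is wrong; if such a rule still exists below this hunk, the warning should stay rather than be rephrased as intended behaviour. The type and macro declarations this hunk belongs to begin before its first line.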
@@ -69,6 +68,8 @@
 can_exec(cupsd_t, cupsd_exec_t)
 allow cupsd_t cupsd_exec_t:dir search;
 allow cupsd_t cupsd_exec_t:lnk_file read;
+
+# LPD backend needs to reserve privileged ports...
 allow cupsd_t reserved_port_t:tcp_socket name_bind;
 dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
 
@@ -77,22 +78,22 @@
 allow cupsd_t self:fifo_file rw_file_perms;
 
 # Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
+allow cupsd_t self:capability { dac_read_search kill setgid setuid seteuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
 dontaudit cupsd_t self:capability net_admin;
 
-#
 # /usr/lib/cups/backend/serial needs sys_admin
 # Need new context to run under???
 allow cupsd_t self:capability sys_admin;
 
 allow cupsd_t self:process setsched;
 
-# for /var/lib/defoma
+# for /var/lib/defoma (what is this???)
 allow cupsd_t var_lib_t:dir search;
 r_dir_file(cupsd_t, readable_t)
 
-# Bind to the cups/ipp port (631).
+# Bind to the CUPS/ipp TCP port (631) or the CUPS domain socket
 allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
+allow cupsd_t unix_stream_socket name_bind;
 
 can_tcp_connect(web_client_domain, cupsd_t)
 can_tcp_connect(cupsd_t, cupsd_t)
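Review bot: `seteuid` added to the `self:capability` set is not a capability permission — seteuid() is governed by CAP_SETUID, which the set already grants as `setuid` — so checkpolicy will refuse the rule; likewise `allow cupsd_t unix_stream_socket name_bind;` is missing its target type and `name_bind` is not defined for the `unix_stream_socket` class. A listening domain socket needs create/listen/accept on cupsd's own socket, the right to create the sock_file in its run directory, and connect rights for clients, the same shape as the ptal rules this patch removes. Whether `can_network()` or `daemon_domain()` already grant the `self:unix_stream_socket` part is not visible here, so the first two lines below may be redundant, and the sock_file type assumes the socket lives under /var/run/cups (cupsd_var_run_t) — confirm against the Listen directive actually shipped.
```selinux
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
# ... unchanged: net_admin dontaudit, sys_admin, setsched, var_lib_t, ipp_port_t bind ...
# Listen on the CUPS domain socket (assumed to be created under /var/run/cups)
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_stream_socket { listen accept };
allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
allow userdomain cupsd_t:unix_stream_socket connectto;
allow userdomain cupsd_var_run_t:sock_file write;
```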
@@ -116,12 +117,6 @@
 # They will also invoke ghostscript, which needs to read fonts
 read_fonts(cupsd_t)
 
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
 #
 # lots of errors generated requiring the following
 #
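Review bot: Dropping `allow cupsd_t lib_t:file { read getattr }` as a non-CUPS rule may be premature: the comment a few lines above says filters invoke ghostscript, filters are labelled bin_t in cups.fc (so they run in cupsd_t unless a transition exists outside this view), and gconv-modules are glibc's iconv tables rather than anything python-specific, so any filter that converts character sets can hit lib_t. The usr_t read rule is more plausibly python-only. Worth confirming with an AVC-denial run in permissive mode before the removal lands; if lib_t is still needed, keep the line under a CUPS-specific comment such as `# filters and backends load iconv (gconv) modules from lib_t`.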
@@ -144,172 +139,13 @@
 dontaudit cupsd_t pam_var_run_t:file { getattr read };
 ')
 dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config)
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
 
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow cupsd_t hald_t:dbus send_msg;
-allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_t:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
+# cups-lpd inherits cupsd privileges
+ifdef(`inetd.te', `
+allow inetd_t printer_port_t:tcp_socket name_bind;
+domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
 ')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t) 
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
 
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
 typealias printer_port_t alias cupsd_lpd_port_t;
 inetd_child_domain(cupsd_lpd)
 allow inetd_t printer_port_t:tcp_socket name_bind;
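Review bot: The re-added `domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)` under `# cups-lpd inherits cupsd privileges` does not do what the comment says: cups-lpd is labelled cupsd_lpd_exec_t in cups.fc and gets its own domain from `inetd_child_domain(cupsd_lpd)` two lines below, so this transition only fires for some other cupsd_exec_t binary that inetd might launch. Running a network-facing LPD listener as cupsd_t would also hand it cupsd's sys_admin, dac_override and setuid capabilities, which is the opposite of what the separate cupsd_lpd domain exists for, and `allow inetd_t printer_port_t:tcp_socket name_bind;` is already present in the context line right after the block. Suggest deleting the ifdef block or, if some distribution really does run cupsd itself from inetd, rewording the comment to say that. One hedge on the deletions: the `dbusd_client(system, cupsd)` rules removed here were for cupsd_t itself, so if CUPS 1.2's own D-Bus notifier runs in cupsd_t they will need to come back in this file rather than in one of the add-on policies.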
@@ -319,4 +155,3 @@
 ifdef(`use_mcs', `
 range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
 ')
-
Index: file_contexts/program/cups.fc
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/file_contexts/program/cups.fc,v
retrieving revision 1.22
diff -u -r1.22 cups.fc
--- file_contexts/program/cups.fc	15 Sep 2005 20:13:04 -0000	1.22
+++ file_contexts/program/cups.fc	11 Nov 2005 15:34:54 -0000
@@ -1,46 +1,39 @@
-# cups printing
-/etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
-/usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
-/etc/cups/client\.conf	--	system_u:object_r:etc_t
-/etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t
-/etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t
-/usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
-/usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
+# Base CUPS printing support - see the related files foomatic.fc, hpilp.fc,
+# printconf.fc, and turboprint.fc which apply to separate add-on packages
+# for CUPS.
+/etc/cups(/.*)?				system_u:object_r:cupsd_etc_t
+/usr/share/cups(/.*)?			system_u:object_r:cupsd_etc_t
+/etc/cups/client\.conf		--	system_u:object_r:etc_t
+/etc/cups/cupsd\.conf.*		--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/classes\.conf.*	--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/lpoptions		--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/printers\.conf.*	--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/ppd/.*		--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/ssl/.*		--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/lpoptions.*	 	--	system_u:object_r:cupsd_rw_etc_t
+/etc/printcap.* 		--	system_u:object_r:cupsd_rw_etc_t
+/usr/lib(64)?/cups/backend/.*	--	system_u:object_r:cupsd_exec_t
+/usr/lib(64)?/cups/daemon/.*	--	system_u:object_r:cupsd_exec_t
 /usr/lib(64)?/cups/daemon/cups-lpd --	system_u:object_r:cupsd_lpd_exec_t
-/usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t
-/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t
-/usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t
-')
-/var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
-/var/spool/cups(/.*)?		system_u:object_r:print_spool_t
-/var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
+/usr/sbin/cupsd			--	system_u:object_r:cupsd_exec_t
+/var/log/cups(/.*)?			system_u:object_r:cupsd_log_t
+/var/spool/cups(/.*)?			system_u:object_r:print_spool_t
 /usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t
-/usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t
-/usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t
-/usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
-/usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t
-/var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
-/var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
-/etc/hp(/.*)?			system_u:object_r:hplip_etc_t
-/usr/sbin/hpiod		--	system_u:object_r:hplip_exec_t
-/usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t
-/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
-/var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
-/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
-/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
+/usr/lib(64)?/cups/cgi-bin/.*	--	system_u:object_r:bin_t
+
+# Files specific to CUPS 1.1.x and earlier
+/etc/cups/certs			-d	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/certs/.*		--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/ppds\.dat		--	system_u:object_r:cupsd_rw_etc_t
+
+# Files introduced in CUPS 1.2
+/etc/cups/subscriptions\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+/usr/lib(64)?/cups/driver/.*	--	system_u:object_r:bin_t
+/var/cache/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t
+/var/cache/cups/remote\.cache	--	system_u:object_r:cupsd_rw_etc_t
+/var/run/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t
+/var/run/cups/certs/.*		--	system_u:object_r:cupsd_rw_etc_t
+
+# Linux-distribution-specific files that the standard cupsd generates
+# (add third-party files to separate .fc files!)
+/var/run/cups/printcap		--	system_u:object_r:cupsd_var_run_t
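Review bot: `/etc/cups/ssl/.* -- system_u:object_r:cupsd_rw_etc_t` places the server's TLS private key into a type that cups.te declares `usercanread`, so every user domain gains SELinux read access to the key and only the DAC mode bits remain between a local user and it. A dedicated type readable by cupsd_t alone (for example `cupsd_ssl_t`, or at least a type without the usercanread attribute) would be the safer label for that directory. Two smaller gaps, hedged because the install layout is not shown here: there is no `-s` entry for the new domain socket, so a restorecon cannot relabel it, and if CUPS 1.2 ships notifiers under `/usr/lib(64)?/cups/notifier/` they have no context in this file and will inherit whatever /usr/lib carries.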
