
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 27 Sep 2012 18:07:04
Message-Id: 1348768493.ab7a58e91cc8306b92be288f15da64fa50c42064.SwifT@gentoo
1 commit: ab7a58e91cc8306b92be288f15da64fa50c42064
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Sep 26 09:32:13 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Sep 27 17:54:53 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab7a58e9
7
8 Changes to the cups policy module and relevant dependencies
9
10 Ported from Fedora with changes
11 Module clean up
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
15
16 ---
17 policy/modules/contrib/cups.fc | 85 ++++++-----
18 policy/modules/contrib/cups.if | 68 +++++-----
19 policy/modules/contrib/cups.te | 279 +++++++++++++++++-------------------
20 policy/modules/contrib/kerberos.if | 29 ++++
21 policy/modules/contrib/kerberos.te | 2 +-
22 policy/modules/contrib/samba.if | 21 +++
23 policy/modules/contrib/samba.te | 2 +-
24 7 files changed, 268 insertions(+), 218 deletions(-)
25
26 diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
27 index 848bb92..6f7a1cd 100644
28 --- a/policy/modules/contrib/cups.fc
29 +++ b/policy/modules/contrib/cups.fc
30 @@ -1,69 +1,76 @@
31 +/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
32
33 -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
34 -
35 -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
36 -/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
37 -/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
38 -/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
39 -/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
40 +/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
41 +/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
42 +/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
43 +/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
44 +/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
45 /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
46 -/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
47 -/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
48 -/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
49 +/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
50 +/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
51 +/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
52 /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
53 /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
54
55 /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
56
57 -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
58 +/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
59 +
60 +/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
61 +
62 +/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
63 +/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
64
65 -/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
66 +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
67 +/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
68
69 -/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
70 +/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
71 +/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
72
73 -/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
74 +/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
75 +/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
76 +/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
77
78 -/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
79 -/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
80 +/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
81 +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
82 +/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
83
84 -/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
85 -/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
86 -/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
87 +/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
88 +/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
89
90 -/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
91 -/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
92 +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
93
94 /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
95 -/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
96 -/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
97 -/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
98 -/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
99 +/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
100 +/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
101 +/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
102 +/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
103 /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
104 /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
105 /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
106
107 -/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
108 -/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
109 -/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
110 +/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
111 +/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
112 +/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
113
114 -/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
115 -/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
116 -/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
117 +/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
118 +/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
119 +/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
120
121 /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
122 /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
123
124 -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
125 +/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
126
127 -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
128 -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
129 +/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
130 +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
131
132 -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
133 -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
134 -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
135 +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
136 +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
137 +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
138 /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
139 /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
140 /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
141 /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
142 -/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
143 -/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
144 +/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
145 +/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
146
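Review bot: The new entry `/opt/brother/Printers(.*/)?inf(/.*)?` has no `/` after `Printers`, so besides `/opt/brother/Printers/<model>/inf` it also matches `/opt/brother/Printersinf` and any sibling directory whose name merely begins with `Printers`; the parallel `/usr/Brother/(.*/)?inf(/.*)?` and `/usr/Printer/(.*/)?inf(/.*)?` entries do anchor on the slash. The label is cupsd_rw_etc_t, which cupsd_t is allowed to manage in cups.te, so an over-wide match widens what the daemon may write. If the slash-less form is not deliberate, `/opt/brother/Printers/(.*/)?inf(/.*)?` is tighter. The added `/usr/Brother/fax/.*\.log.*` entry also has no file-type field, so a directory matching it would be labelled cupsd_log_t as well; `--` is presumably what is meant.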
147 diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
148 index 305ddf4..06da9a0 100644
149 --- a/policy/modules/contrib/cups.if
150 +++ b/policy/modules/contrib/cups.if
151 @@ -1,12 +1,18 @@
152 -## <summary>Common UNIX printing system</summary>
153 +## <summary>Common UNIX printing system.</summary>
154
155 ########################################
156 ## <summary>
157 -## Setup cups to transtion to the cups backend domain
158 +## Create a domain which can be
159 +## started by cupsd.
160 ## </summary>
161 ## <param name="domain">
162 ## <summary>
163 -## Domain allowed access.
164 +## Domain allowed to transition.
165 +## </summary>
166 +## </param>
167 +## <param name="entry_point">
168 +## <summary>
169 +## Type of the program to be used as an entry point to this domain.
170 ## </summary>
171 ## </param>
172 #
173 @@ -42,12 +48,14 @@ interface(`cups_domtrans',`
174 type cupsd_t, cupsd_exec_t;
175 ')
176
177 + corecmd_search_bin($1)
178 domtrans_pattern($1, cupsd_exec_t, cupsd_t)
179 ')
180
181 ########################################
182 ## <summary>
183 -## Connect to cupsd over an unix domain stream socket.
184 +## Connect to cupsd over an unix
185 +## domain stream socket.
186 ## </summary>
187 ## <param name="domain">
188 ## <summary>
189 @@ -120,7 +128,8 @@ interface(`cups_read_pid_files',`
190
191 ########################################
192 ## <summary>
193 -## Execute cups_config in the cups_config domain.
194 +## Execute cups_config in the
195 +## cups config domain.
196 ## </summary>
197 ## <param name="domain">
198 ## <summary>
199 @@ -133,6 +142,7 @@ interface(`cups_domtrans_config',`
200 type cupsd_config_t, cupsd_config_exec_t;
201 ')
202
203 + corecmd_search_bin($1)
204 domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t)
205 ')
206
207 @@ -193,8 +203,7 @@ interface(`cups_read_config',`
208 ')
209
210 files_search_etc($1)
211 - read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
212 - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
213 + read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
214 ')
215
216 ########################################
217 @@ -277,7 +286,8 @@ interface(`cups_write_log',`
218
219 ########################################
220 ## <summary>
221 -## Connect to ptal over an unix domain stream socket.
222 +## Connect to ptal over an unix
223 +## domain stream socket.
224 ## </summary>
225 ## <param name="domain">
226 ## <summary>
227 @@ -296,8 +306,8 @@ interface(`cups_stream_connect_ptal',`
228
229 ########################################
230 ## <summary>
231 -## All of the rules required to administrate
232 -## an cups environment
233 +## All of the rules required to
234 +## administrate an cups environment.
235 ## </summary>
236 ## <param name="domain">
237 ## <summary>
238 @@ -306,7 +316,7 @@ interface(`cups_stream_connect_ptal',`
239 ## </param>
240 ## <param name="role">
241 ## <summary>
242 -## The role to be allowed to manage the cups domain.
243 +## Role allowed access.
244 ## </summary>
245 ## </param>
246 ## <rolecap/>
247 @@ -316,43 +326,35 @@ interface(`cups_admin',`
248 type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
249 type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
250 type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
251 - type cupsd_var_run_t, ptal_etc_t;
252 - type ptal_var_run_t, hplip_var_run_t;
253 - type cupsd_initrc_exec_t;
254 + type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
255 + type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
256 + type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
257 + type hplip_t, ptal_t;
258 ')
259
260 - allow $1 cupsd_t:process { ptrace signal_perms };
261 - ps_process_pattern($1, cupsd_t)
262 + allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
263 + allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
264 + ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
265 + ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
266
267 init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
268 domain_system_change_exemption($1)
269 role_transition $2 cupsd_initrc_exec_t system_r;
270 allow $2 system_r;
271
272 - admin_pattern($1, cupsd_etc_t)
273 files_list_etc($1)
274 + admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
275
276 - admin_pattern($1, cupsd_config_var_run_t)
277 -
278 - admin_pattern($1, cupsd_log_t)
279 logging_list_logs($1)
280 + admin_pattern($1, cupsd_log_t)
281
282 - admin_pattern($1, cupsd_lpd_tmp_t)
283 -
284 - admin_pattern($1, cupsd_lpd_var_run_t)
285 -
286 - admin_pattern($1, cupsd_spool_t)
287 files_list_spool($1)
288 + admin_pattern($1, cupsd_spool_t)
289
290 - admin_pattern($1, cupsd_tmp_t)
291 files_list_tmp($1)
292 + admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
293
294 - admin_pattern($1, cupsd_var_run_t)
295 files_list_pids($1)
296 -
297 - admin_pattern($1, hplip_var_run_t)
298 -
299 - admin_pattern($1, ptal_etc_t)
300 -
301 - admin_pattern($1, ptal_var_run_t)
302 + admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
303 + admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
304 ')
305
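Review bot: The rewritten `allow` lines in cups_admin extend `ptrace` from cupsd_t alone to cupsd_config_t, cupsd_lpd_t, cups_pdf_t, hplip_t and ptal_t, so the admin domain can read and alter the memory of every printing daemon, several of which hold dac_override according to cups.te. Signalling and process visibility are what routine administration needs; unless debugging is an explicit goal, `allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process signal_perms;` and `allow $1 { cups_pdf_t hplip_t ptal_t }:process signal_perms;` would cover it. If ptrace stays, the interface summary should say so, because "all of the rules required to administrate" does not tell a caller that it is handing out ptrace on six domains.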
306 diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
307 index 0f183b6..4565284 100644
308 --- a/policy/modules/contrib/cups.te
309 +++ b/policy/modules/contrib/cups.te
310 @@ -1,4 +1,4 @@
311 -policy_module(cups, 1.15.1)
312 +policy_module(cups, 1.15.2)
313
314 ########################################
315 #
316 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
317 type cupsd_t;
318 type cupsd_exec_t;
319 init_daemon_domain(cupsd_t, cupsd_exec_t)
320 +mls_trusted_object(cupsd_t)
321
322 type cupsd_etc_t;
323 files_config_file(cupsd_etc_t)
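Review bot: The added `mls_trusted_object(cupsd_t)` marks the daemon's own domain type as an MLS trusted object, but no comment says which access requires it. On an MLS system this relaxes level checks for operations whose target is cupsd_t (presumably so that clients at any level can connect to its stream socket), which is a deliberate hole in the lattice and should be justified next to the line, e.g. `# clients at any level must be able to connect to cupsd (confirm)`. The declarations block continues outside the hunk.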
324 @@ -63,7 +64,6 @@ mls_trusted_object(cupsd_var_run_t)
325 type hplip_t;
326 type hplip_exec_t;
327 init_daemon_domain(hplip_t, hplip_exec_t)
328 -# For CUPS to run as a backend
329 cups_backend(hplip_t, hplip_exec_t)
330
331 type hplip_etc_t;
332 @@ -101,27 +101,22 @@ ifdef(`enable_mls',`
333 # Cups local policy
334 #
335
336 -# /usr/lib/cups/backend/serial needs sys_admin(?!)
337 allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
338 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
339 allow cupsd_t self:capability2 block_suspend;
340 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
341 allow cupsd_t self:fifo_file rw_fifo_file_perms;
342 -allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
343 -allow cupsd_t self:unix_dgram_socket create_socket_perms;
344 +allow cupsd_t self:unix_stream_socket { accept connectto listen };
345 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
346 allow cupsd_t self:shm create_shm_perms;
347 allow cupsd_t self:sem create_sem_perms;
348 -allow cupsd_t self:tcp_socket create_stream_socket_perms;
349 -allow cupsd_t self:udp_socket create_socket_perms;
350 +allow cupsd_t self:tcp_socket { accept listen };
351 allow cupsd_t self:appletalk_socket create_socket_perms;
352 -# generic socket here until appletalk socket is available in kernels
353 -allow cupsd_t self:socket create_socket_perms;
354
355 -allow cupsd_t cupsd_etc_t:{ dir file } setattr;
356 +allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
357 +allow cupsd_t cupsd_etc_t:file setattr_file_perms;
358 read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
359 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
360 -files_search_etc(cupsd_t)
361
362 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
363
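Review bot: This hunk deletes `# /usr/lib/cups/backend/serial needs sys_admin(?!)`, the only rationale for sys_admin in the cupsd_t capability line, while the capability itself stays. The same pattern recurs later: the `-190,56` hunk drops the filter-script note for `corecmd_exec_shell`/`corecmd_exec_bin` and the bug references attached to `dev_rw_input_dev` and `files_dontaudit_getattr_all_tmp_files`, and the `-260,23` hunk drops the ghostscript note for `miscfiles_read_fonts`. For a domain this privileged, those notes are what an auditor uses to decide whether a grant can be removed, so I would keep them, e.g. retain `# /usr/lib/cups/backend/serial needs sys_admin` above the capability line. Separately, `allow cupsd_t self:tcp_socket { accept listen };` only works if the create permissions come from another rule (presumably `auth_use_nsswitch(cupsd_t)`), which deserves a one-line comment.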
364 @@ -130,28 +125,28 @@ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
365 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
366 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
367
368 -# allow cups to execute its backend scripts
369 -can_exec(cupsd_t, cupsd_exec_t)
370 allow cupsd_t cupsd_exec_t:dir search_dir_perms;
371 allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
372
373 allow cupsd_t cupsd_lock_t:file manage_file_perms;
374 files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
375
376 -manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
377 -allow cupsd_t cupsd_log_t:dir setattr;
378 +manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
379 +append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
380 +create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
381 +setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
382 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
383
384 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
385 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
386 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
387 -files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
388 +files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
389
390 -allow cupsd_t cupsd_var_run_t:dir setattr;
391 +manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
392 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
393 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
394 manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
395 -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
396 +files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
397
398 allow cupsd_t hplip_t:process { signal sigkill };
399
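Review bot: File access to cupsd_log_t is narrowed here to append/create/setattr, but the directory side moves the other way: `allow cupsd_t cupsd_log_t:dir setattr;` becomes `manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)`, which also permits renaming and removing log directories. If the goal is only to create the directory that `logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })` transitions, `create_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` plus `setattr_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` (if both are available in this tree) would keep the log tree harder to tamper with. It is also worth confirming that cupsd's own log rotation still works once rename and unlink on the log files are gone.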
400 @@ -160,7 +155,9 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
401 allow cupsd_t hplip_var_run_t:file read_file_perms;
402
403 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
404 -allow cupsd_t ptal_var_run_t : sock_file setattr;
405 +allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
406 +
407 +can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
408
409 kernel_read_system_state(cupsd_t)
410 kernel_read_network_state(cupsd_t)
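Review bot: `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` lets cupsd_t run cupsd_interface_t files in its own domain, and the context line `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` in the `-101,27` hunk already lets it create and modify them, so the daemon can write a file and then execute it with no transition. That may be how interface scripts have to work, but it should be stated where the rule lives, and the comment removed in the previous hunk (`# allow cups to execute its backend scripts`) held part of the reason. I would add `# interface scripts are installed by cupsd and run in cupsd_t (no transition)` above the line, or drop the write access if cupsd does not need to install them.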
411 @@ -179,6 +176,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_t)
412 corenet_udp_sendrecv_all_ports(cupsd_t)
413 corenet_tcp_bind_generic_node(cupsd_t)
414 corenet_udp_bind_generic_node(cupsd_t)
415 +
416 +corenet_sendrecv_all_server_packets(cupsd_t)
417 +corenet_sendrecv_all_client_packets(cupsd_t)
418 corenet_tcp_bind_ipp_port(cupsd_t)
419 corenet_udp_bind_ipp_port(cupsd_t)
420 corenet_udp_bind_howl_port(cupsd_t)
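Review bot: The added `corenet_sendrecv_all_server_packets(cupsd_t)` and `corenet_sendrecv_all_client_packets(cupsd_t)` allow every labelled packet type, which makes the per-service calls left as context in the next hunk (`corenet_sendrecv_hplip_client_packets`, `corenet_sendrecv_ipp_client_packets`, `corenet_sendrecv_ipp_server_packets`) redundant and removes any benefit of packet labelling for this domain. Either keep only the specific packet types cupsd needs, or delete the redundant specific lines and add a comment saying why the blanket grant is required. The networking block continues outside the hunk.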
421 @@ -190,56 +190,52 @@ corenet_sendrecv_hplip_client_packets(cupsd_t)
422 corenet_sendrecv_ipp_client_packets(cupsd_t)
423 corenet_sendrecv_ipp_server_packets(cupsd_t)
424
425 +corecmd_exec_bin(cupsd_t)
426 +corecmd_exec_shell(cupsd_t)
427 +
428 dev_rw_printer(cupsd_t)
429 dev_read_urand(cupsd_t)
430 dev_read_sysfs(cupsd_t)
431 -dev_rw_input_dev(cupsd_t) #447878
432 +dev_rw_input_dev(cupsd_t)
433 dev_rw_generic_usb_dev(cupsd_t)
434 dev_rw_usbfs(cupsd_t)
435 dev_getattr_printer_dev(cupsd_t)
436
437 domain_read_all_domains_state(cupsd_t)
438 -
439 -fs_getattr_all_fs(cupsd_t)
440 -fs_search_auto_mountpoints(cupsd_t)
441 -fs_search_fusefs(cupsd_t)
442 -fs_read_anon_inodefs_files(cupsd_t)
443 -
444 -mls_file_downgrade(cupsd_t)
445 -mls_file_write_all_levels(cupsd_t)
446 -mls_file_read_all_levels(cupsd_t)
447 -mls_rangetrans_target(cupsd_t)
448 -mls_socket_write_all_levels(cupsd_t)
449 -mls_fd_use_all_levels(cupsd_t)
450 -
451 -term_use_unallocated_ttys(cupsd_t)
452 -term_search_ptys(cupsd_t)
453 -
454 -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
455 -corecmd_exec_shell(cupsd_t)
456 -corecmd_exec_bin(cupsd_t)
457 -
458 domain_use_interactive_fds(cupsd_t)
459
460 +files_getattr_boot_dirs(cupsd_t)
461 files_list_spool(cupsd_t)
462 -files_read_etc_files(cupsd_t)
463 files_read_etc_runtime_files(cupsd_t)
464 -# read python modules
465 files_read_usr_files(cupsd_t)
466 +files_exec_usr_files(cupsd_t)
467 # for /var/lib/defoma
468 files_read_var_lib_files(cupsd_t)
469 files_list_world_readable(cupsd_t)
470 files_read_world_readable_files(cupsd_t)
471 files_read_world_readable_symlinks(cupsd_t)
472 -# Satisfy readahead
473 files_read_var_files(cupsd_t)
474 files_read_var_symlinks(cupsd_t)
475 +files_write_generic_pid_pipes(cupsd_t)
476 +files_dontaudit_getattr_all_tmp_files(cupsd_t)
477 +files_dontaudit_list_home(cupsd_t)
478 # for /etc/printcap
479 files_dontaudit_write_etc_files(cupsd_t)
480 -# smbspool seems to be iterating through all existing tmp files.
481 -# redhat bug #214953
482 -# cjp: this might be a broken behavior
483 -files_dontaudit_getattr_all_tmp_files(cupsd_t)
484 +
485 +fs_getattr_all_fs(cupsd_t)
486 +fs_search_auto_mountpoints(cupsd_t)
487 +fs_search_fusefs(cupsd_t)
488 +fs_read_anon_inodefs_files(cupsd_t)
489 +
490 +mls_fd_use_all_levels(cupsd_t)
491 +mls_file_downgrade(cupsd_t)
492 +mls_file_write_all_levels(cupsd_t)
493 +mls_file_read_all_levels(cupsd_t)
494 +mls_rangetrans_target(cupsd_t)
495 +mls_socket_write_all_levels(cupsd_t)
496 +
497 +term_search_ptys(cupsd_t)
498 +term_use_unallocated_ttys(cupsd_t)
499
500 selinux_compute_access_vector(cupsd_t)
501 selinux_validate_context(cupsd_t)
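Review bot: `files_exec_usr_files(cupsd_t)` is new and undocumented; it lets cupsd_t execute any usr_t file in its own domain, on top of the bin, shell and library execution it already has. `files_getattr_boot_dirs(cupsd_t)` and `files_write_generic_pid_pipes(cupsd_t)` are added in the same hunk, also without a reason. Each of these widens a root daemon that parses untrusted print jobs, so a why-comment per line is the minimum, e.g. `# filters shipped under /usr/share are executed directly (confirm)` above the exec grant, and the grant should go if no concrete consumer can be named.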
502 @@ -252,7 +248,6 @@ auth_dontaudit_read_pam_pid(cupsd_t)
503 auth_rw_faillog(cupsd_t)
504 auth_use_nsswitch(cupsd_t)
505
506 -# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
507 libs_read_lib_files(cupsd_t)
508 libs_exec_lib_files(cupsd_t)
509
510 @@ -260,23 +255,16 @@ logging_send_audit_msgs(cupsd_t)
511 logging_send_syslog_msg(cupsd_t)
512
513 miscfiles_read_localization(cupsd_t)
514 -# invoking ghostscript needs to read fonts
515 miscfiles_read_fonts(cupsd_t)
516 miscfiles_setattr_fonts_cache_dirs(cupsd_t)
517
518 seutil_read_config(cupsd_t)
519 +
520 sysnet_exec_ifconfig(cupsd_t)
521
522 -files_dontaudit_list_home(cupsd_t)
523 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
524 userdom_dontaudit_search_user_home_content(cupsd_t)
525
526 -# Write to /var/spool/cups.
527 -lpd_manage_spool(cupsd_t)
528 -lpd_read_config(cupsd_t)
529 -lpd_exec_lpr(cupsd_t)
530 -lpd_relabel_spool(cupsd_t)
531 -
532 optional_policy(`
533 apm_domtrans_client(cupsd_t)
534 ')
535 @@ -312,17 +300,29 @@ optional_policy(`
536 ')
537
538 optional_policy(`
539 + kerberos_manage_host_rcache(cupsd_t)
540 + kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
541 +')
542 +
543 +optional_policy(`
544 logrotate_domtrans(cupsd_t)
545 ')
546
547 optional_policy(`
548 + lpd_exec_lpr(cupsd_t)
549 + lpd_manage_spool(cupsd_t)
550 + lpd_read_config(cupsd_t)
551 + lpd_relabel_spool(cupsd_t)
552 +')
553 +
554 +optional_policy(`
555 mta_send_mail(cupsd_t)
556 ')
557
558 optional_policy(`
559 - # cups execs smbtool which reads samba_etc_t files
560 samba_read_config(cupsd_t)
561 samba_rw_var_files(cupsd_t)
562 + samba_stream_connect_nmbd(cupsd_t)
563 ')
564
565 optional_policy(`
566 @@ -339,16 +339,14 @@ optional_policy(`
567
568 ########################################
569 #
570 -# Cups configuration daemon local policy
571 +# Configuration daemon local policy
572 #
573
574 allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
575 dontaudit cupsd_config_t self:capability sys_tty_config;
576 allow cupsd_config_t self:process { getsched signal_perms };
577 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
578 -allow cupsd_config_t self:unix_stream_socket create_socket_perms;
579 -allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
580 -allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
581 +allow cupsd_config_t self:tcp_socket { accept listen };
582
583 allow cupsd_config_t cupsd_t:process signal;
584 ps_process_pattern(cupsd_config_t, cupsd_t)
585 @@ -361,8 +359,6 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
586 manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
587 files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
588
589 -can_exec(cupsd_config_t, cupsd_config_exec_t)
590 -
591 allow cupsd_config_t cupsd_log_t:file rw_file_perms;
592
593 manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
594 @@ -372,8 +368,13 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
595
596 allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
597
598 +manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
599 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
600 -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
601 +files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
602 +
603 +stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
604 +
605 +can_exec(cupsd_config_t, cupsd_config_exec_t)
606
607 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
608
609 @@ -387,32 +388,29 @@ corenet_all_recvfrom_netlabel(cupsd_config_t)
610 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
611 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
612 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
613 -corenet_tcp_connect_all_ports(cupsd_config_t)
614 +
615 corenet_sendrecv_all_client_packets(cupsd_config_t)
616 +corenet_tcp_connect_all_ports(cupsd_config_t)
617 +
618 +corecmd_exec_bin(cupsd_config_t)
619 +corecmd_exec_shell(cupsd_config_t)
620
621 dev_read_sysfs(cupsd_config_t)
622 dev_read_urand(cupsd_config_t)
623 dev_read_rand(cupsd_config_t)
624 dev_rw_generic_usb_dev(cupsd_config_t)
625
626 +files_read_etc_runtime_files(cupsd_config_t)
627 +files_read_usr_files(cupsd_config_t)
628 +files_read_var_symlinks(cupsd_config_t)
629 files_search_all_mountpoints(cupsd_config_t)
630
631 fs_getattr_all_fs(cupsd_config_t)
632 fs_search_auto_mountpoints(cupsd_config_t)
633
634 -corecmd_exec_bin(cupsd_config_t)
635 -corecmd_exec_shell(cupsd_config_t)
636 -
637 domain_use_interactive_fds(cupsd_config_t)
638 -# killall causes the following
639 domain_dontaudit_search_all_domains_state(cupsd_config_t)
640
641 -files_read_usr_files(cupsd_config_t)
642 -files_read_etc_files(cupsd_config_t)
643 -files_read_etc_runtime_files(cupsd_config_t)
644 -files_read_var_symlinks(cupsd_config_t)
645 -
646 -# Alternatives asks for this
647 init_getattr_all_script_files(cupsd_config_t)
648
649 auth_use_nsswitch(cupsd_config_t)
650 @@ -426,16 +424,9 @@ seutil_dontaudit_search_config(cupsd_config_t)
651
652 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
653 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
654 -
655 -cups_stream_connect(cupsd_config_t)
656 -
657 -lpd_read_config(cupsd_config_t)
658 -
659 -ifdef(`distro_redhat',`
660 - optional_policy(`
661 - rpm_read_db(cupsd_config_t)
662 - ')
663 -')
664 +userdom_read_all_users_state(cupsd_config_t)
665 +userdom_read_user_tmp_symlinks(cupsd_config_t)
666 +userdom_rw_user_tmp_files(cupsd_config_t)
667
668 optional_policy(`
669 term_use_generic_ptys(cupsd_config_t)
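Review bot: `userdom_rw_user_tmp_files(cupsd_config_t)` and `userdom_read_user_tmp_symlinks(cupsd_config_t)` are granted unconditionally to a domain that holds dac_override (capability line in the `-339,16` hunk), so the config daemon may follow symlinks and write files inside user-controlled temporary directories. That is the usual setting for symlink and temp-file races against a privileged process, and nothing in the hunk says which caller needs it. If the daemon only has to read a file handed over by the user, `userdom_read_user_tmp_files(cupsd_config_t)` would be the narrower choice; otherwise add a comment naming the consumer. `userdom_read_all_users_state(cupsd_config_t)` also leaves the policykit `optional_policy` block in a later hunk and becomes unconditional here, which should be mentioned in the commit message.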
670 @@ -451,6 +442,10 @@ optional_policy(`
671 optional_policy(`
672 hal_dbus_chat(cupsd_config_t)
673 ')
674 +
675 + optional_policy(`
676 + policykit_dbus_chat(cupsd_config_t)
677 + ')
678 ')
679
680 optional_policy(`
681 @@ -468,8 +463,7 @@ optional_policy(`
682 ')
683
684 optional_policy(`
685 - policykit_dbus_chat(cupsd_config_t)
686 - userdom_read_all_users_state(cupsd_config_t)
687 + lpd_read_config(cupsd_config_t)
688 ')
689
690 optional_policy(`
691 @@ -490,23 +484,14 @@ optional_policy(`
692
693 ########################################
694 #
695 -# Cups lpd support
696 +# Lpd local policy
697 #
698
699 +allow cupsd_lpd_t self:capability { setuid setgid };
700 allow cupsd_lpd_t self:process signal_perms;
701 allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
702 -allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
703 -allow cupsd_lpd_t self:udp_socket create_socket_perms;
704 -
705 -# for identd
706 -# cjp: this should probably only be inetd_child rules?
707 +allow cupsd_lpd_t self:tcp_socket { accept listen };
708 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
709 -allow cupsd_lpd_t self:capability { setuid setgid };
710 -files_search_home(cupsd_lpd_t)
711 -optional_policy(`
712 - kerberos_use(cupsd_lpd_t)
713 -')
714 -#end for identd
715
716 allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
717 read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
718 @@ -518,11 +503,13 @@ read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
719
720 manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
721 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
722 -files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
723 +files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { dir file })
724
725 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
726 files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
727
728 +stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
729 +
730 kernel_read_kernel_sysctls(cupsd_lpd_t)
731 kernel_read_system_state(cupsd_lpd_t)
732 kernel_read_network_state(cupsd_lpd_t)
733 @@ -530,21 +517,18 @@ kernel_read_network_state(cupsd_lpd_t)
734 corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
735 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
736 corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
737 -corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
738 corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
739 -corenet_udp_sendrecv_generic_node(cupsd_lpd_t)
740 -corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
741 -corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
742 -corenet_tcp_bind_generic_node(cupsd_lpd_t)
743 -corenet_udp_bind_generic_node(cupsd_lpd_t)
744 +
745 +corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
746 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
747 +corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
748
749 dev_read_urand(cupsd_lpd_t)
750 dev_read_rand(cupsd_lpd_t)
751
752 fs_getattr_xattr_fs(cupsd_lpd_t)
753
754 -files_read_etc_files(cupsd_lpd_t)
755 +files_search_home(cupsd_lpd_t)
756
757 auth_use_nsswitch(cupsd_lpd_t)
758
759 @@ -553,48 +537,43 @@ logging_send_syslog_msg(cupsd_lpd_t)
760 miscfiles_read_localization(cupsd_lpd_t)
761 miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
762
763 -cups_stream_connect(cupsd_lpd_t)
764 -
765 optional_policy(`
766 inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
767 ')
768
769 ########################################
770 #
771 -# cups_pdf local policy
772 +# Pdf local policy
773 #
774
775 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
776 -allow cups_pdf_t self:fifo_file rw_file_perms;
777 +allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
778 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
779
780 manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
781
782 manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
783 manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
784 -files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
785 +files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
786
787 fs_rw_anon_inodefs_files(cups_pdf_t)
788
789 kernel_read_system_state(cups_pdf_t)
790
791 -files_read_etc_files(cups_pdf_t)
792 files_read_usr_files(cups_pdf_t)
793
794 -corecmd_exec_shell(cups_pdf_t)
795 corecmd_exec_bin(cups_pdf_t)
796 +corecmd_exec_shell(cups_pdf_t)
797
798 auth_use_nsswitch(cups_pdf_t)
799
800 miscfiles_read_localization(cups_pdf_t)
801 miscfiles_read_fonts(cups_pdf_t)
802 +miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
803
804 -userdom_home_filetrans_user_home_dir(cups_pdf_t)
805 userdom_manage_user_home_content_dirs(cups_pdf_t)
806 userdom_manage_user_home_content_files(cups_pdf_t)
807 -
808 -lpd_manage_spool(cups_pdf_t)
809 -
810 +userdom_home_filetrans_user_home_dir(cups_pdf_t)
811
812 tunable_policy(`use_nfs_home_dirs',`
813 fs_search_auto_mountpoints(cups_pdf_t)
814 @@ -607,6 +586,10 @@ tunable_policy(`use_samba_home_dirs',`
815 fs_manage_cifs_files(cups_pdf_t)
816 ')
817
818 +optional_policy(`
819 + lpd_manage_spool(cups_pdf_t)
820 +')
821 +
822 ########################################
823 #
824 # HPLIP local policy
825 @@ -617,34 +600,32 @@ allow hplip_t self:capability { dac_override dac_read_search net_raw };
826 dontaudit hplip_t self:capability sys_tty_config;
827 allow hplip_t self:fifo_file rw_fifo_file_perms;
828 allow hplip_t self:process signal_perms;
829 -allow hplip_t self:unix_dgram_socket create_socket_perms;
830 -allow hplip_t self:unix_stream_socket create_socket_perms;
831 allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
832 allow hplip_t self:tcp_socket create_stream_socket_perms;
833 allow hplip_t self:udp_socket create_socket_perms;
834 allow hplip_t self:rawip_socket create_socket_perms;
835
836 allow hplip_t cupsd_etc_t:dir search_dir_perms;
837 +
838 manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
839 manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
840 -files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
841 -
842 -cups_stream_connect(hplip_t)
843 +files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
844
845 allow hplip_t hplip_etc_t:dir list_dir_perms;
846 read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
847 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
848 -files_search_etc(hplip_t)
849
850 manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
851 manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
852
853 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
854 -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
855 +files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
856
857 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
858 files_pid_filetrans(hplip_t, hplip_var_run_t, file)
859
860 +stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
861 +
862 kernel_read_system_state(hplip_t)
863 kernel_read_kernel_sysctls(hplip_t)
864
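Review bot: Removing both `allow hplip_t self:unix_dgram_socket create_socket_perms;` and `allow hplip_t self:unix_stream_socket create_socket_perms;` leaves no local rule that lets hplip_t create a unix stream socket, yet the added `stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)` exists to connect to cupsd over one. As far as I know that pattern covers the directory search, the socket file and `connectto`, not creation of the client socket. If the create permission is meant to come from another interface called on hplip_t, the dependency is not visible here and deserves a comment such as `# unix socket create perms come from <interface>`. The same question applies to ptal_t later in this file, where `create_stream_socket_perms` becomes `{ accept listen }` only. The hplip_t section continues outside the hunk.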
865 @@ -660,13 +641,20 @@ corenet_tcp_sendrecv_all_ports(hplip_t)
866 corenet_udp_sendrecv_all_ports(hplip_t)
867 corenet_tcp_bind_generic_node(hplip_t)
868 corenet_udp_bind_generic_node(hplip_t)
869 +
870 +corenet_sendrecv_hplip_client_packets(hplip_t)
871 +corenet_receive_hplip_server_packets(hplip_t)
872 corenet_tcp_bind_hplip_port(hplip_t)
873 corenet_tcp_connect_hplip_port(hplip_t)
874 +
875 +corenet_sendrecv_ipp_client_packets(hplip_t)
876 corenet_tcp_connect_ipp_port(hplip_t)
877 -corenet_sendrecv_hplip_client_packets(hplip_t)
878 -corenet_receive_hplip_server_packets(hplip_t)
879 +
880 +corenet_sendrecv_howl_server_packets(hplip_t)
881 corenet_udp_bind_howl_port(hplip_t)
882
883 +corecmd_exec_bin(hplip_t)
884 +
885 dev_read_sysfs(hplip_t)
886 dev_rw_printer(hplip_t)
887 dev_read_urand(hplip_t)
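Review bot: hplip_t keeps `corenet_udp_sendrecv_all_ports(hplip_t)` as context (and `corenet_tcp_sendrecv_all_ports(hplip_t)` per the hunk header), so the port-specific groups added here do not narrow what the domain may send or receive. The same commit drops the all-ports rules for cupsd_lpd_t and ptal_t and adds `corenet_tcp_sendrecv_ipp_port` and `corenet_tcp_sendrecv_ptal_port` in their place. For consistency either do the same for hplip_t with the hplip, ipp and howl ports, or record why it is kept, e.g. `# all ports kept because <reason>`. Separately, `corecmd_exec_bin(hplip_t)` loses its `# for python` comment when it is moved up into this hunk; I would carry the comment along.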
888 @@ -674,19 +662,16 @@ dev_read_rand(hplip_t)
889 dev_rw_generic_usb_dev(hplip_t)
890 dev_rw_usbfs(hplip_t)
891
892 -fs_getattr_all_fs(hplip_t)
893 -fs_search_auto_mountpoints(hplip_t)
894 -fs_rw_anon_inodefs_files(hplip_t)
895 -
896 -# for python
897 -corecmd_exec_bin(hplip_t)
898 -
899 domain_use_interactive_fds(hplip_t)
900
901 files_read_etc_files(hplip_t)
902 files_read_etc_runtime_files(hplip_t)
903 files_read_usr_files(hplip_t)
904
905 +fs_getattr_all_fs(hplip_t)
906 +fs_search_auto_mountpoints(hplip_t)
907 +fs_rw_anon_inodefs_files(hplip_t)
908 +
909 logging_send_syslog_msg(hplip_t)
910
911 miscfiles_read_localization(hplip_t)
912 @@ -697,11 +682,17 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
913 userdom_dontaudit_search_user_home_dirs(hplip_t)
914 userdom_dontaudit_search_user_home_content(hplip_t)
915
916 -lpd_read_config(hplip_t)
917 -lpd_manage_spool(hplip_t)
918 -
919 optional_policy(`
920 dbus_system_bus_client(hplip_t)
921 +
922 + optional_policy(`
923 + userdom_dbus_send_all_users(hplip_t)
924 + ')
925 +')
926 +
927 +optional_policy(`
928 + lpd_read_config(hplip_t)
929 + lpd_manage_spool(hplip_t)
930 ')
931
932 optional_policy(`
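Review bot: `userdom_dbus_send_all_users(hplip_t)` is the only line in this hunk that is new access rather than a move, and it has no comment. By its name it lets hplip_t send D-Bus messages to every user domain. A one-line note naming the consumer, `# <user-session service that hplip notifies>`, would let a later audit decide whether it can be narrowed. Wrapping `lpd_read_config` and `lpd_manage_spool` in `optional_policy` looks right; the trailing `optional_policy(` block continues outside the hunk.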
933 @@ -724,14 +715,12 @@ optional_policy(`
934 allow ptal_t self:capability { chown sys_rawio };
935 dontaudit ptal_t self:capability sys_tty_config;
936 allow ptal_t self:fifo_file rw_fifo_file_perms;
937 -allow ptal_t self:unix_dgram_socket create_socket_perms;
938 -allow ptal_t self:unix_stream_socket create_stream_socket_perms;
939 +allow ptal_t self:unix_stream_socket { accept listen };
940 allow ptal_t self:tcp_socket create_stream_socket_perms;
941
942 allow ptal_t ptal_etc_t:dir list_dir_perms;
943 read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
944 read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
945 -files_search_etc(ptal_t)
946
947 manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
948 manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
949 @@ -748,22 +737,24 @@ corenet_all_recvfrom_unlabeled(ptal_t)
950 corenet_all_recvfrom_netlabel(ptal_t)
951 corenet_tcp_sendrecv_generic_if(ptal_t)
952 corenet_tcp_sendrecv_generic_node(ptal_t)
953 -corenet_tcp_sendrecv_all_ports(ptal_t)
954 corenet_tcp_bind_generic_node(ptal_t)
955 +
956 +corenet_sendrecv_ptal_server_packets(ptal_t)
957 corenet_tcp_bind_ptal_port(ptal_t)
958 +corenet_tcp_sendrecv_ptal_port(ptal_t)
959
960 dev_read_sysfs(ptal_t)
961 dev_read_usbfs(ptal_t)
962 dev_rw_printer(ptal_t)
963
964 -fs_getattr_all_fs(ptal_t)
965 -fs_search_auto_mountpoints(ptal_t)
966 -
967 domain_use_interactive_fds(ptal_t)
968
969 files_read_etc_files(ptal_t)
970 files_read_etc_runtime_files(ptal_t)
971
972 +fs_getattr_all_fs(ptal_t)
973 +fs_search_auto_mountpoints(ptal_t)
974 +
975 logging_send_syslog_msg(ptal_t)
976
977 miscfiles_read_localization(ptal_t)
978
979 diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
980 index 604f67b..399b604 100644
981 --- a/policy/modules/contrib/kerberos.if
982 +++ b/policy/modules/contrib/kerberos.if
983 @@ -296,6 +296,35 @@ interface(`kerberos_manage_host_rcache',`
984
985 ########################################
986 ## <summary>
987 +## Create objects in generic temporary
988 +## directories with host rcache type.
989 +## </summary>
990 +## <param name="domain">
991 +## <summary>
992 +## Domain allowed to transition.
993 +## </summary>
994 +## </param>
995 +## <param name="object_class">
996 +## <summary>
997 +## Class of the object being created.
998 +## </summary>
999 +## </param>
1000 +## <param name="name" optional="true">
1001 +## <summary>
1002 +## The name of the object being created.
1003 +## </summary>
1004 +## </param>
1005 +#
1006 +interface(`kerberos_tmp_filetrans_host_rcache',`
1007 + gen_require(`
1008 + type krb5_host_rcache_t;
1009 + ')
1010 +
1011 + files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
1012 +')
1013 +
1014 +########################################
1015 +## <summary>
1016 ## Connect to krb524 service
1017 ## </summary>
1018 ## <param name="domain">
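Review bot: The doc block for `kerberos_tmp_filetrans_host_rcache` should say that the optional `name` argument is what keeps the transition narrow. Called without it, every object of the given class that the caller creates in the generic temporary directory is labelled `krb5_host_rcache_t`. I would add a line to the summary such as `## Pass the object name where possible; without it all objects of that class created in tmp get the host rcache type.` The interface only sets up the transition, so callers presumably also need `kerberos_manage_host_rcache` (named in the hunk header) for the file access itself, which is worth stating in the doc too.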
1019
1020 diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
1021 index 6a95faf..794c90d 100644
1022 --- a/policy/modules/contrib/kerberos.te
1023 +++ b/policy/modules/contrib/kerberos.te
1024 @@ -1,4 +1,4 @@
1025 -policy_module(kerberos, 1.11.0)
1026 +policy_module(kerberos, 1.11.1)
1027
1028 ########################################
1029 #
1030
1031 diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
1032 index 82cb169..ce060c5 100644
1033 --- a/policy/modules/contrib/samba.if
1034 +++ b/policy/modules/contrib/samba.if
1035 @@ -42,6 +42,27 @@ interface(`samba_signal_nmbd',`
1036
1037 ########################################
1038 ## <summary>
1039 +## Connect to nmbd with a unix domain
1040 +## stream socket.
1041 +## </summary>
1042 +## <param name="domain">
1043 +## <summary>
1044 +## Domain allowed access.
1045 +## </summary>
1046 +## </param>
1047 +#
1048 +interface(`samba_stream_connect_nmbd',`
1049 + gen_require(`
1050 + type samba_var_t, nmbd_t, nmbd_var_run_t;
1051 + ')
1052 +
1053 + files_search_pids($1)
1054 + allow $1 samba_var_t:dir search_dir_perms;
1055 + stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
1056 +')
1057 +
1058 +########################################
1059 +## <summary>
1060 ## Execute samba server in the samba domain.
1061 ## </summary>
1062 ## <param name="domain">
1063
1064 diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
1065 index 905883f..6a97c25 100644
1066 --- a/policy/modules/contrib/samba.te
1067 +++ b/policy/modules/contrib/samba.te
1068 @@ -1,4 +1,4 @@
1069 -policy_module(samba, 1.15.0)
1070 +policy_module(samba, 1.15.1)
1071
1072 #################################
1073 #