I've been playing around with the printing portion of the policy a bit
and would like to suggest some changes. Looking at the source for
lpd.if it seems the policy was originally written with an lpr/lpd in
mind that is not CUPS. There are comments referencing a lightweight
mode, and $1_lpr_t is allowed to read and write to the spool directly.
CUPS does not do these things. Attached is a patch I've applied to my
systems that allows CUPS to work just fine in Targeted and MLS mode with
13 fewer allow rules.
One side effect of this is that from $1_lpr_t access is no longer given
to print_spool_t. If however we were then to allow access for
administrators (say: sysadm_r) to print_spool_t we can then use that
check to enable lprm and lpq for admins, but still restricting normal
users to only seeing their jobs. This eliminates the need for the
helper program lspp-access.
Do the attached changes make sense?
Does the addition of this rule seem reasonable?
allow sysadm_lpr_t print_spool_t:file read;
Lastly in order to determine if a user is authorized to print to a given
printer based on a comparison of their level to that of the printer I'd
like to propose this rule:
allow $1_lpr_t printer_device_t:file write;
Thanks
-matt
--- policy/modules/services/lpd.if 2006-09-25 15:11:36.000000000 -0400
+++ policy/modules/services/lpd.if-new 2006-09-29 18:41:22.000000000 -0400
@@ -65,31 +65,31 @@
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
# lpr can run in lightweight mode, without a local print spooler.
- allow $1_lpr_t lpd_var_run_t:dir search;
- allow $1_lpr_t lpd_var_run_t:sock_file write;
- files_read_var_files($1_lpr_t)
+ #allow $1_lpr_t lpd_var_run_t:dir search;
+ #allow $1_lpr_t lpd_var_run_t:sock_file write;
+ #files_read_var_files($1_lpr_t)
# Connect to lpd via a Unix domain socket.
- allow $1_lpr_t printer_t:sock_file rw_file_perms;
- allow $1_lpr_t lpd_t:unix_stream_socket connectto;
+ #allow $1_lpr_t printer_t:sock_file rw_file_perms;
+ #allow $1_lpr_t lpd_t:unix_stream_socket connectto;
# Send SIGHUP to lpd.
- allow $1_lpr_t lpd_t:process signal;
+ #allow $1_lpr_t lpd_t:process signal;
can_exec($1_lpr_t,lpr_exec_t)
- allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
- allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
- files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
-
- allow $1_lpr_t $1_print_spool_t:file create_file_perms;
- allow $1_lpr_t print_spool_t:dir rw_dir_perms;
- type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
+ #allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
+ #allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
+ #files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
+
+ #allow $1_lpr_t $1_print_spool_t:file create_file_perms;
+ #allow $1_lpr_t print_spool_t:dir rw_dir_perms;
+ #type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
# Read and write shared files in the spool directory.
- allow $1_lpr_t print_spool_t:file rw_file_perms;
+ #allow $1_lpr_t print_spool_t:file rw_file_perms;
- allow $1_lpr_t printconf_t:dir r_dir_perms;
- allow $1_lpr_t printconf_t:file r_file_perms;
- allow $1_lpr_t printconf_t:lnk_file { getattr read };
+ #allow $1_lpr_t printconf_t:dir r_dir_perms;
+ #allow $1_lpr_t printconf_t:file r_file_perms;
+ #allow $1_lpr_t printconf_t:lnk_file { getattr read };
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
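Review bot: The legacy rules are commented out unconditionally rather than removed or guarded, so the descriptive comments that remain ("# lpr can run in lightweight mode...", "# Connect to lpd via a Unix domain socket.", "# Send SIGHUP to lpd.", "# Read and write shared files in the spool directory.") now sit over disabled "#allow" lines and describe access the template no longer grants. If a non-CUPS lpd is still meant to be supported by this template, wrap the old rules in a conditional instead; if not, delete both the rules and their comments so the interface reads cleanly. The hunk also disables the $1_lpr_tmp_t rules with files_tmp_filetrans and the three printconf_t read rules, which the description does not cover (it only discusses lightweight mode and direct spool access); please state why CUPS clients need neither. The sysadm_lpr_t print_spool_t:file read rule proposed in the message is not in this hunk, so the lpq/lprm behaviour for admins cannot be reviewed together with the removal of print_spool_t access.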
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp