[redhat-lspp] Re: Feature complete Trusted Printing patch

Matt Anderson mra at hp.com
Thu Oct 19 16:20:24 UTC 2006


Daniel J Walsh wrote:
> Matt Anderson wrote:
>> module cupsmod 1.4;
>>
>> require {
>>     class chr_file { getattr relabelfrom relabelto };
>>     class file { getattr relabelfrom relabelto };
>>     class file { read rename unlink write };
>>     class unix_stream_socket { getattr getopt };
>>     type cupsd_t;
>>     type cupsd_etc_t;
>>     type cupsd_var_run_t;
>>     type print_spool_t;
>>     type printer_device_t;
>>     type sysadm_lpr_t;
>>     type secadm_t;
>>     type secadm_lpr_t;
>>     type user_lpr_t;
>>     role system_r;
>> };
>>
>> # Needed to allow cupsd modify printers.conf
>> allow cupsd_t cupsd_etc_t:file { rename unlink write };
> 
> printers.conf should be labeled system_u:object_r:cupsd_rw_etc_t

Whoops, looks like my labels were off.  Probably an artifact of some
`make install`.  Never mind that allow line then.

>> # Allow sysadm to read print spool files to manage the queue
>> allow sysadm_lpr_t print_spool_t:file read;
> 
> This should already be in policy
<snip>
>> -    allow $1_lpr_t $1_print_spool_t:file create_file_perms;
>> -    allow $1_lpr_t print_spool_t:dir rw_dir_perms;
>> -    type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
>> -    # Read and write shared files in the spool directory.
>> -    allow $1_lpr_t print_spool_t:file rw_file_perms;
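
Review bot: the removed lines take away more than read access. `create_file_perms` on `$1_print_spool_t`, `rw_dir_perms` on the `print_spool_t` directory and the `type_transition` go as well, so any `$1_lpr_t` client that writes into the spool directory itself loses that ability. A comment in the interface saying that job submission is expected to go through cupsd rather than direct spool writes would document why the whole block can be dropped, not just the `rw_file_perms` line.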

The earlier policy allowed all *_lpr_t access to read the print_spool_t
files.  I was hoping we could remove that, since in the CUPS system the
spool files should never be accessed by users.  If we allow only
sysadm_r the ability to read those files, that can be how policy defines
who manages the queue and is able to delete other users' jobs.

In addition to the primary check which attempts to see if the context of
the user that is performing a lpq/lprm is able to read the context that
the job was queued under, I added a secondary access check that allows
an access if the user is able to read the spool file on disk.  Thus
specifying in policy who can manage the queue based on who can read
print_spool_t.


>> # Allow secadm to change printer device levels
>> allow secadm_t printer_device_t:chr_file { getattr relabelfrom relabelto };
>>
>>
>
> Just added this to latest policy selinux-policy-2.3.19-4
>
>> # Allow for cupsdisable/cupsenable
>> allow sysadm_lpr_t cupsd_var_run_t:file { getattr read };
>>
>
> Just added this to latest policy selinux-policy-2.3.19-4
>

Thanks! I'll give that some testing.

There is one more outstanding issue with CUPS policy.  Chris PeBenito
and I exchanged some mail on the SELinux and LSPP lists about adding a
new MLS constraint.  Something that could be applied to printer_device_t
to specify that write operations should be allowed as long as the
subject is within the MLS range on the object.  mlsfilewrite_in_range or
something was the tentative name.  This hasn't shown up in the upstream
reference policy yet, but once it is there printer_device_t will need it.

-matt
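
An added illustration, not code from this thread or from the CUPS patch: a C model of the two-stage lpq/lprm check described in the message above, showing how the single `allow sysadm_lpr_t print_spool_t:file read;` rule decides who can manage other users' jobs. The function name `may_manage_job`, the integer MLS levels, the same-domain rules in the table and the assumption that the spool file carries the job's level are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy policy: (source, target) type pairs granted file:read.
 * Only the sysadm_lpr_t -> print_spool_t rule is taken from the thread;
 * the same-domain rules are assumptions for illustration. */
static const char *allow_read[][2] = {
    { "sysadm_lpr_t", "print_spool_t" },
    { "user_lpr_t",   "user_lpr_t"    },
    { "sysadm_lpr_t", "sysadm_lpr_t"  },
};

static bool te_read(const char *src, const char *tgt)
{
    for (size_t i = 0; i < sizeof allow_read / sizeof allow_read[0]; i++)
        if (!strcmp(allow_read[i][0], src) && !strcmp(allow_read[i][1], tgt))
            return true;
    return false;
}

/* Hypothetical decision function for lpq/lprm. Levels are MLS sensitivities
 * (s0 = 0, s1 = 1, ...); a read needs the subject to dominate the object. */
bool may_manage_job(const char *user_type, int user_level,
                    const char *job_type, int job_level)
{
    if (user_level < job_level)          /* no read-up under MLS */
        return false;
    if (te_read(user_type, job_type))    /* primary: user may read job context */
        return true;
    /* secondary: user may read the spool file on disk (assumed to carry
     * type print_spool_t at the job's level) */
    return te_read(user_type, "print_spool_t");
}

int main(void)
{
    printf("user, own job:       %d\n", may_manage_job("user_lpr_t", 0, "user_lpr_t", 0));
    printf("user, secadm's job:  %d\n", may_manage_job("user_lpr_t", 0, "secadm_lpr_t", 0));
    printf("sysadm, user's job:  %d\n", may_manage_job("sysadm_lpr_t", 0, "user_lpr_t", 0));
    printf("sysadm s0, s1 job:   %d\n", may_manage_job("sysadm_lpr_t", 0, "user_lpr_t", 1));
    return 0;
}
```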