SELinux policy module for pipslited

Pipslited is the daemon part of the official Linux driver for Epson inkjets. It used to suck quite frankly, but as far as I can tell the latest versions have been improving visibly. Problem is that it hasn't got an SELinux policy module. Oddly I thought there was one but I just realized today that I couldn't print. So I got to work with Slide, the Eclipse-based SELinux policy editor.

This is on Fedora 13, selinux-policy 3.7.19

The code


## <summary>epson cups module</summary>
Yes it's empty, as usual.



require {
 type fs_t;
 type setroubleshootd_t;
 type cupsd_t;
 type printer_device_t;

type pipslite_t;
type pipslite_exec_t;
type pipslite_config_t;
type pipslite_pid_t;
type pipslite_fifo_t;
type pipslite_tmp_t;


# Access to shared libraries



# Type for the daemon
domain_entry_file(pipslite_t, pipslite_exec_t)

# Type for configuration files

allow pipslite_t pipslite_config_t:file { getattr read create_file_perms };
allow pipslite_t pipslite_config_t:dir { create_dir_perms };

# Type for PID file

allow pipslite_t pipslite_pid_t:file manage_file_perms;
allow pipslite_t pipslite_pid_t:dir rw_dir_perms;

# Type for temporary files
# Probably not necessary, but in case pipslite wants to create
# temp files, it's there and it's secure

allow pipslite_t pipslite_tmp_t:file create_file_perms;
allow pipslite_t pipslite_tmp_t:dir create_dir_perms;
files_tmp_filetrans(pipslite_t,pipslite_tmp_t,{file dir})

# We define a new type for the fifo used by cups to connect to pipslite
allow pipslite_t pipslite_fifo_t:fifo_file { read create open };
filetrans_pattern(pipslite_t, var_run_t, pipslite_fifo_t, fifo_file)
allow pipslite_fifo_t fs_t:filesystem associate;
allow pipslite_t pipslite_fifo_t:fifo_file unlink;

# Network connections, incoming
allow pipslite_t self:tcp_socket { bind create setopt listen };

# Makes the init.d script execute in the desired domain
# Without this, it just takes the context of the caller, unconfined typically.
init_daemon_domain(pipslite_t, pipslite_exec_t)

# --- Getting to the point ---
# Pipslite needs to talk to the printer
allow pipslite_t printer_device_t:chr_file { read write open };

# .. and cupsd needs to talk to pipslited
allow cupsd_t pipslite_fifo_t:fifo_file { write open };

# No idea why this is needed, new thing?
allow setroubleshootd_t pipslite_fifo_t:fifo_file getattr;


/usr/lib64/pipslite/pipslited -- gen_context(system_u:object_r:pipslite_exec_t,s0)
/etc/pipslite(/.*)? gen_context(system_u:object_r:pipslite_config_t,s0)
/var/run/pipslited.pid -- gen_context(system_u:object_r:pipslite_pid_t,s0)
# This is needed because pipslited doesn't seem to always delete
# the fifo on exit, and it doesn't recreate it if it's already there
/var/run/pipslite[^/.]* gen_context(system_u:object_r:pipslite_fifo_t,s0)

Compiling and installing the module

# service pipslited stop
# ln -s /usr/share/selinux/devel/Makefile .
# make
Compiling targeted pipslite module
/usr/bin/checkmodule:  loading policy configuration from tmp/pipslite.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/pipslite.mod
Creating targeted pipslite.pp policy package
rm tmp/pipslite.mod tmp/pipslite.mod.fc
# semodule -i pipslite.pp
# restorecon -Rv /etc/pipslite/ /usr/lib64/pipslite/pipslited /var/run/pips* 
# service pipslited start

3 commentaires:

  1. Ce commentaire a été supprimé par un administrateur du blog.

  2. Ce commentaire a été supprimé par un administrateur du blog.

  3. Ce commentaire a été supprimé par un administrateur du blog.