2010-06-24

SELinux policy module for pipslited

Pipslited is the daemon part of the official Linux driver for Epson inkjets. It used to suck quite frankly, but as far as I can tell the latest versions have been improving visibly. Problem is that it hasn't got an SELinux policy module. Oddly I thought there was one but I just realized today that I couldn't print. So I got to work with Slide, the Eclipse-based SELinux policy editor.

This is on Fedora 13, selinux-policy 3.7.19

The code

pipslite.if

## <summary>epson cups module</summary>
Yes it's empty, as usual.

pipslite.te

policy_module(pipslite,1.0.12)

require {
 type fs_t;
 type setroubleshootd_t;
 type cupsd_t;
 type printer_device_t;
}

type pipslite_t;
type pipslite_exec_t;
type pipslite_config_t;
type pipslite_pid_t;
type pipslite_fifo_t;
type pipslite_tmp_t;

domain_type(pipslite_t)

# Access to shared libraries
libs_use_ld_so(pipslite_t)
libs_use_shared_libs(pipslite_t)

miscfiles_read_localization(pipslite_t)

dev_read_urand(pipslite_t)

# Type for the daemon
files_type(pipslite_exec_t)
domain_entry_file(pipslite_t, pipslite_exec_t)

# Type for configuration files
files_config_file(pipslite_config_t)

allow pipslite_t pipslite_config_t:file { getattr read create_file_perms };
allow pipslite_t pipslite_config_t:dir { create_dir_perms };

# Type for PID file
files_pid_file(pipslite_pid_t)

allow pipslite_t pipslite_pid_t:file manage_file_perms;
allow pipslite_t pipslite_pid_t:dir rw_dir_perms;
files_pid_filetrans(pipslite_t,pipslite_pid_t,file)


# Type for temporary files
#
# Probably not necessary, but in case pipslite wants to create
# temp files, it's there and it's secure
files_tmp_file(pipslite_tmp_t)

allow pipslite_t pipslite_tmp_t:file create_file_perms;
allow pipslite_t pipslite_tmp_t:dir create_dir_perms;
files_tmp_filetrans(pipslite_t,pipslite_tmp_t,{file dir})

# We define a new type for the fifo used by cups to connect to pipslite
allow pipslite_t pipslite_fifo_t:fifo_file { read create open };
filetrans_pattern(pipslite_t, var_run_t, pipslite_fifo_t, fifo_file)
allow pipslite_fifo_t fs_t:filesystem associate;
allow pipslite_t pipslite_fifo_t:fifo_file unlink;

# Network connections, incoming
allow pipslite_t self:tcp_socket { bind create setopt listen };
corenet_tcp_bind_generic_node(pipslite_t)

# Makes the init.d script execute in the desired domain
# Without this, it just takes the context of the caller, unconfined typically.
init_daemon_domain(pipslite_t, pipslite_exec_t)

# --- Getting to the point ---
# Pipslite needs to talk to the printer
allow pipslite_t printer_device_t:chr_file { read write open };

# .. and cupsd needs to talk to pipslited
allow cupsd_t pipslite_fifo_t:fifo_file { write open };

# No idea why this is needed, new thing?
allow setroubleshootd_t pipslite_fifo_t:fifo_file getattr;

pipslite.fc

/usr/lib64/pipslite/pipslited -- gen_context(system_u:object_r:pipslite_exec_t,s0)
/etc/pipslite(/.*)? gen_context(system_u:object_r:pipslite_config_t,s0)
/var/run/pipslited.pid -- gen_context(system_u:object_r:pipslite_pid_t,s0)
# This is needed because pipslited doesn't seem to always delete
# the fifo on exit, and it doesn't recreate it if it's already there
/var/run/pipslite[^/.]* gen_context(system_u:object_r:pipslite_fifo_t,s0)

Compiling and installing the module

# service pipslited stop
# ln -s /usr/share/selinux/devel/Makefile .
# make
Compiling targeted pipslite module
/usr/bin/checkmodule:  loading policy configuration from tmp/pipslite.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/pipslite.mod
Creating targeted pipslite.pp policy package
rm tmp/pipslite.mod tmp/pipslite.mod.fc
# semodule -i pipslite.pp
# restorecon -Rv /etc/pipslite/ /usr/lib64/pipslite/pipslited /var/run/pips* 
# service pipslited start