cups: Remove PTAL.

This is part of the HPOJ, which was superseded by HPLIP in 2006. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-02-29 11:04:56 -05:00 · 2024-02-29 11:04:56 -05:00 · 2577feb839
parent 5b02b44e51
commit 2577feb839
4 changed files with 7 additions and 109 deletions
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@ -29,9 +29,6 @@
 /usr/bin/hpijs	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)

 /usr/Brother/fax/.*\.log.*	gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -55,9 +52,6 @@
 /usr/sbin/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/sbin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)

 /usr/share/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -80,7 +74,5 @@
 /run/cups(/.*)?	gen_context(system_u:object_r:cupsd_runtime_t,s0)
 /run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_runtime_t,s0)
 /run/hp.*\.port	--	gen_context(system_u:object_r:hplip_runtime_t,s0)
-/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_runtime_t,s0)
-/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_runtime_t,s0)
 /run/udev-configure-printer(/.*)?	gen_context(system_u:object_r:cupsd_config_runtime_t,s0)
 /var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_runtime_t,s0)
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@ -271,26 +271,6 @@ interface(`cups_write_log',`
 	allow $1 cupsd_log_t:file write_file_perms;
 ')

-########################################
-## <summary>
-##	Connect to ptal over an unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_stream_connect_ptal',`
-	gen_require(`
-		type ptal_t, ptal_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t)
-')
-
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of cupsd.
@ -354,21 +334,21 @@ interface(`cups_admin',`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
 		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_runtime_t, cupsd_lpd_runtime_t;
-		type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t;
-		type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t;
+		type cupsd_runtime_t, cupsd_rw_etc_t;
+		type hplip_runtime_t, cupsd_initrc_exec_t;
 		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-		type hplip_t, ptal_t;
+		type hplip_t;
 	')

 	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-	allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+	allow $1 { cups_pdf_t hplip_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+	ps_process_pattern($1, { cups_pdf_t hplip_t })

 	init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)

 	files_list_etc($1)
-	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
+	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t })

 	logging_list_logs($1)
 	admin_pattern($1, cupsd_log_t)
@ -380,5 +360,5 @@ interface(`cups_admin',`

 	files_list_runtime($1)
 	admin_pattern($1, { cupsd_config_runtime_t cupsd_runtime_t hplip_runtime_t })
-	admin_pattern($1, { ptal_runtime_t cupsd_lpd_runtime_t })
+	admin_pattern($1, cupsd_lpd_runtime_t)
 ')
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@ -86,16 +86,6 @@ files_tmp_file(hplip_tmp_t)
 type hplip_var_lib_t;
 files_type(hplip_var_lib_t)

-type ptal_t;
-type ptal_exec_t;
-init_daemon_domain(ptal_t, ptal_exec_t)
-
-type ptal_etc_t;
-files_config_file(ptal_etc_t)
-
-type ptal_runtime_t alias ptal_var_run_t;
-files_runtime_file(ptal_runtime_t)
-
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
@ -161,9 +151,6 @@ allow cupsd_t hplip_runtime_t:file read_file_perms;
 read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
 read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)

-stream_connect_pattern(cupsd_t, ptal_runtime_t, ptal_runtime_t, ptal_t)
-allow cupsd_t ptal_runtime_t:sock_file setattr_sock_file_perms;
-
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })

 kernel_read_system_state(cupsd_t)
@ -695,63 +682,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_runtime_files(hplip_t)
 ')
-
-########################################
-#
-# PTAL local policy
-#
-
-allow ptal_t self:capability { chown sys_rawio };
-dontaudit ptal_t self:capability sys_tty_config;
-allow ptal_t self:fifo_file rw_fifo_file_perms;
-allow ptal_t self:unix_stream_socket { accept listen };
-allow ptal_t self:tcp_socket create_stream_socket_perms;
-
-allow ptal_t ptal_etc_t:dir list_dir_perms;
-read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
-read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
-
-manage_dirs_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_lnk_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_fifo_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_sock_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-files_runtime_filetrans(ptal_t, ptal_runtime_t, { dir file lnk_file sock_file fifo_file })
-
-kernel_read_kernel_sysctls(ptal_t)
-kernel_list_proc(ptal_t)
-kernel_read_proc_symlinks(ptal_t)
-
-corenet_all_recvfrom_netlabel(ptal_t)
-corenet_tcp_sendrecv_generic_if(ptal_t)
-corenet_tcp_sendrecv_generic_node(ptal_t)
-corenet_tcp_bind_generic_node(ptal_t)
-
-corenet_sendrecv_ptal_server_packets(ptal_t)
-corenet_tcp_bind_ptal_port(ptal_t)
-
-dev_read_sysfs(ptal_t)
-dev_read_usbfs(ptal_t)
-dev_rw_printer(ptal_t)
-
-domain_use_interactive_fds(ptal_t)
-
-files_read_etc_files(ptal_t)
-files_read_etc_runtime_files(ptal_t)
-
-fs_getattr_all_fs(ptal_t)
-fs_search_auto_mountpoints(ptal_t)
-
-logging_send_syslog_msg(ptal_t)
-
-miscfiles_read_localization(ptal_t)
-
-sysnet_read_config(ptal_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_user_home_content(ptal_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(ptal_t)
-')
-
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1039,7 +1039,6 @@ template(`userdom_login_user_template', `
 	optional_policy(`
 		cups_read_config($1_t)
 		cups_stream_connect($1_t)
-		cups_stream_connect_ptal($1_t)
 	')

 	optional_policy(`