2006-04-11 15:28:37 +00:00
|
|
|
## <summary>Courier IMAP and POP3 email servers</summary>
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Template for creating courier server processes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="prefix">
|
|
|
|
## <summary>
|
|
|
|
## Prefix name of the server process.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
template(`courier_domain_template',`
|
|
|
|
|
|
|
|
##############################
|
|
|
|
#
|
|
|
|
# Declarations
|
|
|
|
#
|
|
|
|
|
|
|
|
type courier_$1_t;
|
|
|
|
type courier_$1_exec_t;
|
|
|
|
init_daemon_domain(courier_$1_t,courier_$1_exec_t)
|
|
|
|
|
|
|
|
##############################
|
|
|
|
#
|
|
|
|
# Declarations
|
|
|
|
#
|
|
|
|
|
|
|
|
allow courier_$1_t self:capability dac_override;
|
|
|
|
dontaudit courier_$1_t self:capability sys_tty_config;
|
|
|
|
allow courier_$1_t self:process { setpgid signal_perms };
|
|
|
|
allow courier_$1_t self:fifo_file { read write getattr };
|
|
|
|
allow courier_$1_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow courier_$1_t self:udp_socket create_socket_perms;
|
|
|
|
|
|
|
|
can_exec(courier_$1_t, courier_$1_exec_t)
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
read_files_pattern(courier_$1_t,courier_etc_t,courier_etc_t)
|
|
|
|
allow courier_$1_t courier_etc_t:dir list_dir_perms;
|
2006-04-11 15:28:37 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
manage_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
|
|
|
|
manage_lnk_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
|
|
|
|
manage_sock_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
|
2006-04-11 15:28:37 +00:00
|
|
|
files_search_pids(courier_$1_t)
|
|
|
|
|
|
|
|
kernel_read_system_state(courier_$1_t)
|
|
|
|
kernel_read_kernel_sysctls(courier_$1_t)
|
|
|
|
|
|
|
|
corecmd_exec_bin(courier_$1_t)
|
|
|
|
|
2006-05-17 20:55:12 +00:00
|
|
|
corenet_non_ipsec_sendrecv(courier_$1_t)
|
2006-04-11 15:28:37 +00:00
|
|
|
corenet_tcp_sendrecv_generic_if(courier_$1_t)
|
|
|
|
corenet_udp_sendrecv_generic_if(courier_$1_t)
|
|
|
|
corenet_tcp_sendrecv_all_nodes(courier_$1_t)
|
|
|
|
corenet_udp_sendrecv_all_nodes(courier_$1_t)
|
|
|
|
corenet_tcp_sendrecv_all_ports(courier_$1_t)
|
|
|
|
corenet_udp_sendrecv_all_ports(courier_$1_t)
|
|
|
|
|
|
|
|
dev_read_sysfs(courier_$1_t)
|
|
|
|
|
|
|
|
domain_use_interactive_fds(courier_$1_t)
|
|
|
|
|
|
|
|
files_read_etc_files(courier_$1_t)
|
|
|
|
files_read_etc_runtime_files(courier_$1_t)
|
|
|
|
files_read_usr_files(courier_$1_t)
|
|
|
|
|
|
|
|
fs_getattr_xattr_fs(courier_$1_t)
|
|
|
|
fs_search_auto_mountpoints(courier_$1_t)
|
|
|
|
|
|
|
|
term_dontaudit_use_console(courier_$1_t)
|
|
|
|
|
|
|
|
init_use_fds(courier_$1_t)
|
|
|
|
init_use_script_ptys(courier_$1_t)
|
|
|
|
|
|
|
|
libs_use_ld_so(courier_$1_t)
|
|
|
|
libs_use_shared_libs(courier_$1_t)
|
|
|
|
|
|
|
|
logging_send_syslog_msg(courier_$1_t)
|
|
|
|
|
|
|
|
sysnet_read_config(courier_$1_t)
|
|
|
|
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
|
|
|
|
|
|
|
|
ifdef(`targeted_policy',`
|
|
|
|
term_dontaudit_use_unallocated_ttys(courier_$1_t)
|
|
|
|
term_dontaudit_use_generic_ptys(courier_$1_t)
|
|
|
|
files_dontaudit_read_root_files(courier_$1_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
seutil_sigchld_newrole(courier_$1_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
udev_read_db(courier_$1_t)
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute the courier authentication daemon with
|
|
|
|
## a domain transition.
|
|
|
|
## </summary>
|
|
|
|
## <param name="prefix">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`courier_domtrans_authdaemon',`
|
|
|
|
gen_require(`
|
|
|
|
type courier_authdaemon_t, courier_authdaemon_exec_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
|
2006-04-11 15:28:37 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute the courier POP3 and IMAP server with
|
|
|
|
## a domain transition.
|
|
|
|
## </summary>
|
|
|
|
## <param name="prefix">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`courier_domtrans_pop',`
|
|
|
|
gen_require(`
|
|
|
|
type courier_pop_t, courier_pop_exec_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
|
2006-04-11 15:28:37 +00:00
|
|
|
')
|