selinux-policy/policy/modules/services/dovecot.if

## <summary>Dovecot POP and IMAP mail server</summary>

########################################
## <summary>
##	Connect to dovecot auth unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dovecot_stream_connect_auth',`
	gen_require(`
		type dovecot_auth_t, dovecot_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
')

########################################
## <summary>
##	Execute dovecot_deliver in the dovecot_deliver domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`dovecot_domtrans_deliver',`
	gen_require(`
		type dovecot_deliver_t, dovecot_deliver_exec_t;
	')

	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
')

########################################
## <summary>
##	Create, read, write, and delete the dovecot spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dovecot_manage_spool',`
	gen_require(`
		type dovecot_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')

########################################
## <summary>
##	Do not audit attempts to delete dovecot lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dovecot_dontaudit_unlink_lib_files',`
	gen_require(`
		type dovecot_var_lib_t;
	')

	dontaudit $1 dovecot_var_lib_t:file unlink;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an dovecot environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the dovecot domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dovecot_admin',`
	gen_require(`
		type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
		type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
		type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
	')

	allow $1 dovecot_t:process { ptrace signal_perms };
	ps_process_pattern($1, dovecot_t)

	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dovecot_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, dovecot_etc_t)

	files_list_tmp($1)
	admin_pattern($1, dovecot_auth_tmp_t)
	admin_pattern($1, dovecot_tmp_t)

	admin_pattern($1, dovecot_keytab_t)

	files_list_spool($1)
	admin_pattern($1, dovecot_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, dovecot_var_lib_t)

	logging_search_logs($1)
	admin_pattern($1, dovecot_var_log_t)

	files_list_pids($1)
	admin_pattern($1, dovecot_var_run_t)

	admin_pattern($1, dovecot_cert_t)

	admin_pattern($1, dovecot_passwd_t)
')
add dovecot 2005-10-21 15:38:22 +00:00			`## <summary>Dovecot POP and IMAP mail server</summary>`

trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00			`########################################`
			`## <summary>`
			`## Connect to dovecot auth unix domain stream socket.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`dovecot_stream_connect_auth',`
			gen_require(`
			`type dovecot_auth_t, dovecot_var_run_t;`
			`')`

Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. 2010-09-17 07:43:44 +00:00			`files_search_pids($1)`
trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00			`stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Execute dovecot_deliver in the dovecot_deliver domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`dovecot_domtrans_deliver',`
			gen_require(`
			`type dovecot_deliver_t, dovecot_deliver_exec_t;`
			`')`

			`domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)`
			`')`

add dovecot 2005-10-21 15:38:22 +00:00			`########################################`
			`## <summary>`
			`## Create, read, write, and delete the dovecot spool files.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add dovecot 2005-10-21 15:38:22 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add dovecot 2005-10-21 15:38:22 +00:00			`## </param>`
			`#`
			interface(`dovecot_manage_spool',`
			gen_require(`
			`type dovecot_spool_t;`
			`')`

Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. Search parent directory to be able to interact with targets content. 2010-09-17 07:43:44 +00:00			`files_search_spool($1)`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)`
			`manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)`
add dovecot 2005-10-21 15:38:22 +00:00			`')`
trunk: dovecot fix from Stefan Schulze Frielinghaus. 2008-02-25 19:31:03 +00:00
			`########################################`
			`## <summary>`
trunk: whitespace fixes in xml blocks. 2008-12-03 19:16:20 +00:00			`## Do not audit attempts to delete dovecot lib files.`
trunk: dovecot fix from Stefan Schulze Frielinghaus. 2008-02-25 19:31:03 +00:00			`## </summary>`
			`## <param name="domain">`
trunk: whitespace fixes in xml blocks. 2008-12-03 19:16:20 +00:00			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
trunk: dovecot fix from Stefan Schulze Frielinghaus. 2008-02-25 19:31:03 +00:00			`## </param>`
			`#`
			interface(`dovecot_dontaudit_unlink_lib_files',`
			gen_require(`
			`type dovecot_var_lib_t;`
			`')`

			`dontaudit $1 dovecot_var_lib_t:file unlink;`
			`')`
trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00
			`########################################`
			`## <summary>`
Dovecot patch from Dan Walsh. 2010-05-03 18:37:19 +00:00			`## All of the rules required to administrate`
trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00			`## an dovecot environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed to manage the dovecot domain.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`dovecot_admin',`
			gen_require(`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. 2010-09-17 07:49:15 +00:00			`type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;`
			`type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;`
			`type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;`
trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00			`')`

			`allow $1 dovecot_t:process { ptrace signal_perms };`
			`ps_process_pattern($1, dovecot_t)`

			`init_labeled_script_domtrans($1, dovecot_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 dovecot_initrc_exec_t system_r;`
			`allow $2 system_r;`

			`files_list_etc($1)`
			`admin_pattern($1, dovecot_etc_t)`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`files_list_tmp($1)`
			`admin_pattern($1, dovecot_auth_tmp_t)`
			`admin_pattern($1, dovecot_tmp_t)`

			`admin_pattern($1, dovecot_keytab_t)`
trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00
			`files_list_spool($1)`
			`admin_pattern($1, dovecot_spool_t)`

			`files_list_var_lib($1)`
			`admin_pattern($1, dovecot_var_lib_t)`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`logging_search_logs($1)`
			`admin_pattern($1, dovecot_var_log_t)`

trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00			`files_list_pids($1)`
			`admin_pattern($1, dovecot_var_run_t)`

			`admin_pattern($1, dovecot_cert_t)`

			`admin_pattern($1, dovecot_passwd_t)`
			`')`