141 lines
5.0 KiB
Plaintext
141 lines
5.0 KiB
Plaintext
|
#DESC Courier - POP and IMAP servers
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
# X-Debian-Packages: courier-base
|
||
|
#
|
||
|
|
||
|
# Type for files created during execution of courier.
|
||
|
type courier_var_run_t, file_type, sysadmfile, pidfile;
|
||
|
type courier_var_lib_t, file_type, sysadmfile;
|
||
|
|
||
|
type courier_etc_t, file_type, sysadmfile;
|
||
|
typealias courier_etc_t alias etc_courier_t;
|
||
|
|
||
|
# allow start scripts to read the config
|
||
|
allow initrc_t courier_etc_t:file r_file_perms;
|
||
|
|
||
|
type courier_exec_t, file_type, sysadmfile, exec_type;
|
||
|
type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
|
||
|
|
||
|
define(`courier_domain', `
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the courier_$1_t domain.
|
||
|
#
|
||
|
# courier_$1_exec_t is the type of the courier_$1 executables.
|
||
|
#
|
||
|
daemon_base_domain(courier_$1, `$2')
|
||
|
|
||
|
allow courier_$1_t var_run_t:dir search;
|
||
|
rw_dir_create_file(courier_$1_t, courier_var_run_t)
|
||
|
allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
|
||
|
|
||
|
# allow it to read config files etc
|
||
|
allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
|
||
|
allow courier_$1_t courier_etc_t:file r_file_perms;
|
||
|
allow courier_$1_t etc_t:dir r_dir_perms;
|
||
|
allow courier_$1_t etc_t:file r_file_perms;
|
||
|
|
||
|
# execute scripts etc
|
||
|
allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
|
||
|
allow courier_$1_t bin_t:dir r_dir_perms;
|
||
|
allow courier_$1_t fs_t:filesystem getattr;
|
||
|
|
||
|
# set process group and allow permissions over-ride
|
||
|
allow courier_$1_t self:process setpgid;
|
||
|
allow courier_$1_t self:capability dac_override;
|
||
|
|
||
|
# Use the network.
|
||
|
can_network_server(courier_$1_t)
|
||
|
allow courier_$1_t self:fifo_file { read write getattr };
|
||
|
allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow courier_$1_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
allow courier_$1_t null_device_t:chr_file rw_file_perms;
|
||
|
|
||
|
# allow it to log to /dev/tty
|
||
|
allow courier_$1_t devtty_t:chr_file rw_file_perms;
|
||
|
|
||
|
allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
|
||
|
allow courier_$1_t usr_t:dir r_dir_perms;
|
||
|
allow courier_$1_t root_t:dir r_dir_perms;
|
||
|
can_exec(courier_$1_t, courier_$1_exec_t)
|
||
|
can_exec(courier_$1_t, bin_t)
|
||
|
allow courier_$1_t bin_t:dir search;
|
||
|
|
||
|
allow courier_$1_t proc_t:dir r_dir_perms;
|
||
|
allow courier_$1_t proc_t:file r_file_perms;
|
||
|
|
||
|
')dnl
|
||
|
|
||
|
courier_domain(authdaemon, `, auth_chkpwd')
|
||
|
allow courier_authdaemon_t sbin_t:dir search;
|
||
|
allow courier_authdaemon_t lib_t:file { read getattr };
|
||
|
allow courier_authdaemon_t tmp_t:dir getattr;
|
||
|
allow courier_authdaemon_t self:file { getattr read };
|
||
|
read_locale(courier_authdaemon_t)
|
||
|
can_exec(courier_authdaemon_t, courier_exec_t)
|
||
|
dontaudit courier_authdaemon_t selinux_config_t:dir search;
|
||
|
|
||
|
# for SSP
|
||
|
allow courier_authdaemon_t urandom_device_t:chr_file read;
|
||
|
|
||
|
# should not be needed!
|
||
|
allow courier_authdaemon_t home_root_t:dir search;
|
||
|
allow courier_authdaemon_t user_home_dir_type:dir search;
|
||
|
dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
|
||
|
allow courier_authdaemon_t self:unix_stream_socket connectto;
|
||
|
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
|
||
|
|
||
|
courier_domain(tcpd)
|
||
|
allow courier_tcpd_t self:capability { kill net_bind_service };
|
||
|
allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
|
||
|
allow courier_tcpd_t sbin_t:dir search;
|
||
|
allow courier_tcpd_t var_lib_t:dir search;
|
||
|
# for TLS
|
||
|
allow courier_tcpd_t urandom_device_t:chr_file read;
|
||
|
read_locale(courier_tcpd_t)
|
||
|
can_exec(courier_tcpd_t, courier_exec_t)
|
||
|
allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
|
||
|
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
|
||
|
|
||
|
can_tcp_connect(userdomain, courier_tcpd_t)
|
||
|
rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
|
||
|
|
||
|
# domain for pop and imap
|
||
|
courier_domain(pop)
|
||
|
read_locale(courier_pop_t)
|
||
|
domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
|
||
|
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
|
||
|
domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
|
||
|
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
|
||
|
allow courier_authdaemon_t courier_tcpd_t:fd use;
|
||
|
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||
|
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
|
||
|
allow courier_pop_t courier_authdaemon_t:process sigchld;
|
||
|
domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
|
||
|
|
||
|
# inherits file handle - should it?
|
||
|
allow courier_pop_t courier_var_lib_t:file { read write };
|
||
|
|
||
|
# do the actual work (read the Maildir)
|
||
|
# imap needs to write files
|
||
|
allow courier_pop_t home_root_t:dir { getattr search };
|
||
|
allow courier_pop_t user_home_dir_type:dir { getattr search };
|
||
|
# pop does not need to create subdirs, IMAP does
|
||
|
#rw_dir_create_file(courier_pop_t, user_home_type)
|
||
|
create_dir_file(courier_pop_t, user_home_type)
|
||
|
|
||
|
# for calendaring
|
||
|
courier_domain(pcp)
|
||
|
|
||
|
allow courier_pcp_t self:capability { setuid setgid };
|
||
|
allow courier_pcp_t random_device_t:chr_file r_file_perms;
|
||
|
|
||
|
# for webmail
|
||
|
courier_domain(sqwebmail)
|
||
|
ifdef(`crond.te', `
|
||
|
system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
|
||
|
')
|
||
|
read_sysctl(courier_sqwebmail_t)
|