trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain().

This commit is contained in:
Chris PeBenito 2007-09-17 14:33:40 +00:00
parent 14add30d03
commit 8242f5a68d
12 changed files with 194 additions and 74 deletions


@ -1,3 +1,4 @@
- Add tcpd_wrapped_domain() for services that use tcp wrappers.
- Update MLS constraints from LSPP evaluated policy. - Update MLS constraints from LSPP evaluated policy.
- Allow initrc_t file descriptors to be inherited regardless of MLS level. - Allow initrc_t file descriptors to be inherited regardless of MLS level.
Accordingly drop MLS permissions from daemons that inherit from any level. Accordingly drop MLS permissions from daemons that inherit from any level.
@ -16,6 +17,7 @@
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
- Added modules: - Added modules:
application application
bitlbee (Devin Carraway)
brctl (Dan Walsh) brctl (Dan Walsh)
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629 * Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629


@ -1,5 +1,5 @@
policy_module(corenetwork,1.2.10) policy_module(corenetwork,1.2.11)
######################################## ########################################
# #
@ -67,6 +67,7 @@ network_port(afs_vl, udp,7003,s0)
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0) network_port(amavisd_send, tcp,10025,s0)
network_port(aol, tcp,5190,s0, udp,5190,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0) network_port(auth, tcp,113,s0)
@ -112,6 +113,8 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0) network_port(mail, tcp,2000,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(monopd, tcp,1234,s0) network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0) network_port(mysqld, tcp,3306,s0)
network_port(nessus, tcp,1241,s0) network_port(nessus, tcp,1241,s0)
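Review bot: `network_port(msnp, tcp,1863,s0, udp,1863,s0)` is inserted above monopd, which breaks the alphabetical order this file otherwise keeps (mmcc < monopd < msnp); move it below `network_port(monopd, tcp,1234,s0)`. The three new declarations also register udp portcons on 5190, 5050 and 1863, yet the only consumer added in this commit, bitlbee_t, uses the tcp connect/sendrecv interfaces alone; if nothing else needs the udp labels, declaring only the tcp side keeps the labelled port surface to what the policy actually uses.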


@ -0,0 +1,3 @@
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)


@ -0,0 +1,22 @@
## <summary>Bitlbee service</summary>
########################################
## <summary>
## Read bitlbee configuration files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed accesss.
## </summary>
## </param>
#
interface(`bitlbee_read_config',`
gen_require(`
type bitlbee_conf_t;
')
files_search_etc($1)
allow $1 bitlbee_conf_t:dir { getattr read search };
allow $1 bitlbee_conf_t:file { read getattr };
')
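Review bot: The param summary of `bitlbee_read_config` has a typo: `Domain allowed accesss.` should read `Domain allowed access.`. The body spells out raw `allow` rules for the dir and file classes while the other hunks in this commit use the refpolicy patterns (`list_dir_perms`, `read_files_pattern`); the same grant reads as `allow $1 bitlbee_conf_t:dir list_dir_perms;` and `read_files_pattern($1, bitlbee_conf_t, bitlbee_conf_t)`, which keeps the permission sets in step with the macro definitions (the macro sets may be marginally broader than `{ getattr read search }` / `{ read getattr }`, so confirm that is acceptable).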


@ -0,0 +1,70 @@
policy_module(bitlbee, 1.0.0)
########################################
#
# Declarations
#
type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)
type bitlbee_var_t;
files_type(bitlbee_var_t)
########################################
#
# Local policy
#
#
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
bitlbee_read_config(bitlbee_t)
# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)
# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t)
optional_policy(`
# normally started from inetd using tcpwrappers, so use those entry points
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
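Review bot: `files_search_pids(bitlbee_t)` is granted but no pid-file type is declared and there is no `files_pid_filetrans`, so if bitlbee writes a pid file when started as a daemon through `init_daemon_domain` the create is denied, and if it does not the search is dead weight; either add a `bitlbee_var_run_t` declared with `files_pid_file()` plus `files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, file)` as finger.te does, or drop the line. The comment `# Allow bitlbee to connect to jabber servers` relies on a jabber_client port that the corenetwork hunk in this commit does not add; presumably it already exists, but that cannot be confirmed from this page. `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)` labels only new files, so any directory bitlbee creates under its /var/lib tree would land as the generic var_lib type rather than bitlbee_var_t; if it creates subdirectories for the account data the comment describes, `{ file dir }` is wanted here as the tmp filetrans calls elsewhere in this commit use.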


@ -1,5 +1,5 @@
policy_module(finger,1.4.0) policy_module(finger,1.4.1)
######################################## ########################################
# #
@ -8,8 +8,8 @@ policy_module(finger,1.4.0)
type fingerd_t; type fingerd_t;
type fingerd_exec_t; type fingerd_exec_t;
init_daemon_domain(fingerd_t,fingerd_exec_t) init_daemon_domain(fingerd_t, fingerd_exec_t)
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t) inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
type fingerd_etc_t; type fingerd_etc_t;
files_config_file(fingerd_etc_t) files_config_file(fingerd_etc_t)
@ -34,15 +34,15 @@ allow fingerd_t self:udp_socket create_socket_perms;
allow fingerd_t self:unix_dgram_socket create_socket_perms; allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms; allow fingerd_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t) manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
files_pid_filetrans(fingerd_t,fingerd_var_run_t,file) files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
allow fingerd_t fingerd_etc_t:dir r_dir_perms; allow fingerd_t fingerd_etc_t:dir list_dir_perms;
read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t) read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t) read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
allow fingerd_t fingerd_log_t:file manage_file_perms; allow fingerd_t fingerd_log_t:file manage_file_perms;
logging_log_filetrans(fingerd_t,fingerd_log_t,file) logging_log_filetrans(fingerd_t, fingerd_log_t, file)
kernel_read_kernel_sysctls(fingerd_t) kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t) kernel_read_system_state(fingerd_t)
@ -105,7 +105,7 @@ ifdef(`targeted_policy',`
') ')
optional_policy(` optional_policy(`
cron_system_entry(fingerd_t,fingerd_exec_t) cron_system_entry(fingerd_t, fingerd_exec_t)
') ')
optional_policy(` optional_policy(`
@ -124,6 +124,10 @@ optional_policy(`
seutil_sigchld_newrole(fingerd_t) seutil_sigchld_newrole(fingerd_t)
') ')
optional_policy(`
tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
')
optional_policy(` optional_policy(`
udev_read_db(fingerd_t) udev_read_db(fingerd_t)
') ')


@ -1,5 +1,5 @@
policy_module(nagios,1.3.0) policy_module(nagios,1.3.1)
######################################## ########################################
# #
@ -8,11 +8,11 @@ policy_module(nagios,1.3.0)
type nagios_t; type nagios_t;
type nagios_exec_t; type nagios_exec_t;
init_daemon_domain(nagios_t,nagios_exec_t) init_daemon_domain(nagios_t, nagios_exec_t)
type nagios_cgi_t; type nagios_cgi_t;
type nagios_cgi_exec_t; type nagios_cgi_exec_t;
init_system_domain(nagios_cgi_t,nagios_cgi_exec_t) init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
type nagios_etc_t; type nagios_etc_t;
files_config_file(nagios_etc_t) files_config_file(nagios_etc_t)
@ -28,7 +28,7 @@ files_pid_file(nagios_var_run_t)
type nrpe_t; type nrpe_t;
type nrpe_exec_t; type nrpe_exec_t;
init_daemon_domain(nrpe_t,nrpe_exec_t) init_daemon_domain(nrpe_t, nrpe_exec_t)
type nrpe_etc_t; type nrpe_etc_t;
files_config_file(nrpe_etc_t) files_config_file(nrpe_etc_t)
@ -45,20 +45,20 @@ allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms; allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms; allow nagios_t self:udp_socket create_socket_perms;
read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t) read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t) read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms; allow nagios_t nagios_etc_t:dir list_dir_perms;
manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t) manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t) manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
logging_log_filetrans(nagios_t,nagios_log_t,{ file dir }) logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t) manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t) manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir }) files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t) manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t,nagios_var_run_t,file) files_pid_filetrans(nagios_t, nagios_var_run_t, file)
kernel_read_system_state(nagios_t) kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t) kernel_read_kernel_sysctls(nagios_t)
@ -142,16 +142,16 @@ optional_policy(`
allow nagios_cgi_t self:process signal_perms; allow nagios_cgi_t self:process signal_perms;
allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(nagios_cgi_t,nagios_t,nagios_t) read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t) read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t) read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t) read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
allow nagios_cgi_t nagios_log_t:dir list_dir_perms; allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t) read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t) read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
kernel_read_system_state(nagios_cgi_t) kernel_read_system_state(nagios_cgi_t)
@ -218,13 +218,17 @@ ifdef(`targeted_policy',`
') ')
optional_policy(` optional_policy(`
inetd_tcp_service_domain(nrpe_t,nrpe_exec_t) inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
') ')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(nrpe_t) seutil_sigchld_newrole(nrpe_t)
') ')
optional_policy(`
tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
')
optional_policy(` optional_policy(`
udev_read_db(nrpe_t) udev_read_db(nrpe_t)
') ')
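Review bot: In the nagios_cgi_t hunk, `read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)` pass nagios_etc_t as the directory type and nagios_log_t as the file type, while the line just above grants `list_dir_perms` on nagios_log_t directories; this looks like a pre-existing mismatch the reformatting carries over, presumably meant as `read_files_pattern(nagios_cgi_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(nagios_cgi_t, nagios_log_t, nagios_log_t)`. As written the CGI can only reach log files through an etc-labelled directory, so reads of logs in their own directory would be denied. Worth confirming against the real nagios log layout before changing.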


@ -1,5 +1,5 @@
policy_module(rlogin,1.4.0) policy_module(rlogin,1.4.1)
######################################## ########################################
# #
@ -8,7 +8,7 @@ policy_module(rlogin,1.4.0)
type rlogind_t; type rlogind_t;
type rlogind_exec_t; type rlogind_exec_t;
inetd_service_domain(rlogind_t,rlogind_exec_t) inetd_service_domain(rlogind_t, rlogind_exec_t)
role system_r types rlogind_t; role system_r types rlogind_t;
type rlogind_devpts_t; #, userpty_type; type rlogind_devpts_t; #, userpty_type;
@ -39,12 +39,12 @@ term_create_pty(rlogind_t,rlogind_devpts_t)
# for /usr/lib/telnetlogin # for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t) can_exec(rlogind_t, rlogind_exec_t)
manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t) manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t) manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t,rlogind_var_run_t,file) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
kernel_read_kernel_sysctls(rlogind_t) kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t) kernel_read_system_state(rlogind_t)
@ -96,6 +96,10 @@ optional_policy(`
kerberos_read_keytab(rlogind_t) kerberos_read_keytab(rlogind_t)
') ')
optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# Allow krb5 rlogind to use fork and open /dev/tty for use # Allow krb5 rlogind to use fork and open /dev/tty for use
allow rlogind_t userpty_type:chr_file setattr; allow rlogind_t userpty_type:chr_file setattr;


@ -1,5 +1,5 @@
policy_module(rshd,1.3.1) policy_module(rshd,1.3.2)
######################################## ########################################
# #
@ -7,7 +7,7 @@ policy_module(rshd,1.3.1)
# #
type rshd_t; type rshd_t;
type rshd_exec_t; type rshd_exec_t;
inetd_tcp_service_domain(rshd_t,rshd_exec_t) inetd_tcp_service_domain(rshd_t, rshd_exec_t)
domain_subj_id_change_exemption(rshd_t) domain_subj_id_change_exemption(rshd_t)
domain_role_change_exemption(rshd_t) domain_role_change_exemption(rshd_t)
role system_r types rshd_t; role system_r types rshd_t;
@ -88,8 +88,6 @@ optional_policy(`
nscd_socket_use(rshd_t) nscd_socket_use(rshd_t)
') ')
ifdef(`TODO',`
optional_policy(` optional_policy(`
allow rshd_t rlogind_tmp_t:file rw_file_perms; tcpd_wrapped_domain(rshd_t,rshd_exec_t)
')
') ')
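Review bot: `tcpd_wrapped_domain(rshd_t,rshd_exec_t)` lacks the space after the comma that every other call touched by this commit is normalized to; write it as `tcpd_wrapped_domain(rshd_t, rshd_exec_t)`. The new block also replaces the old TODO-guarded rlogind_tmp_t rule rather than sitting beside it; if that TODO was abandoned on purpose, a word in the commit message would make the removal easier to trace later.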


@ -15,5 +15,31 @@ interface(`tcpd_domtrans',`
type tcpd_t, tcpd_exec_t; type tcpd_t, tcpd_exec_t;
') ')
domtrans_pattern($1,tcpd_exec_t,tcpd_t) domtrans_pattern($1, tcpd_exec_t, tcpd_t)
')
########################################
## <summary>
## Create a domain for services that
## utilize tcp wrappers.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`tcpd_wrapped_domain',`
gen_require(`
type tcpd_t;
role system_r;
')
domtrans_pattern(tcpd_t, $2, $1)
role system_r types $1;
') ')
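Review bot: The summary `Create a domain for services that utilize tcp wrappers.` overstates what `tcpd_wrapped_domain` does: the body only adds `domtrans_pattern(tcpd_t, $2, $1)` and `role system_r types $1;`, it does not declare $1 as a domain or $2 as an entry point, so a caller that has not already done so (every caller in this commit goes through `init_daemon_domain` or `inetd_tcp_service_domain` first) gets an unusable transition. Suggest rewording the summary to `Allow tcpd to transition to an existing service domain; the caller must already have declared the domain and its entry point type.` and adding to the domain param that it is also authorized for the system_r role. The preceding `tcpd_domtrans` interface starts outside this hunk.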


@ -1,5 +1,5 @@
policy_module(tcpd,1.2.0) policy_module(tcpd,1.2.1)
######################################## ########################################
# #
@ -7,7 +7,7 @@ policy_module(tcpd,1.2.0)
# #
type tcpd_t; type tcpd_t;
type tcpd_exec_t; type tcpd_exec_t;
inetd_tcp_service_domain(tcpd_t,tcpd_exec_t) inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
role system_r types tcpd_t; role system_r types tcpd_t;
type tcpd_tmp_t; type tcpd_tmp_t;
@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
# #
allow tcpd_t self:tcp_socket create_stream_socket_perms; allow tcpd_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t) manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t) manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
corenet_all_recvfrom_unlabeled(tcpd_t) corenet_all_recvfrom_unlabeled(tcpd_t)
@ -49,26 +49,6 @@ sysnet_read_config(tcpd_t)
inetd_domtrans_child(tcpd_t) inetd_domtrans_child(tcpd_t)
optional_policy(`
finger_domtrans(tcpd_t)
')
optional_policy(` optional_policy(`
nis_use_ypbind(tcpd_t) nis_use_ypbind(tcpd_t)
') ')
optional_policy(`
nagios_domtrans_nrpe(tcpd_t)
')
optional_policy(`
rlogin_domtrans(tcpd_t)
')
optional_policy(`
rshd_domtrans(tcpd_t)
')
optional_policy(`
uwimap_domtrans(tcpd_t)
')


@ -1,5 +1,5 @@
policy_module(uwimap,1.3.0) policy_module(uwimap,1.3.1)
######################################## ########################################
# #
@ -8,8 +8,8 @@ policy_module(uwimap,1.3.0)
type imapd_t; type imapd_t;
type imapd_exec_t; type imapd_exec_t;
init_daemon_domain(imapd_t,imapd_exec_t) init_daemon_domain(imapd_t, imapd_exec_t)
inetd_tcp_service_domain(imapd_t,imapd_exec_t) inetd_tcp_service_domain(imapd_t, imapd_exec_t)
type imapd_tmp_t; type imapd_tmp_t;
files_tmp_file(imapd_tmp_t) files_tmp_file(imapd_tmp_t)
@ -28,12 +28,12 @@ allow imapd_t self:process signal_perms;
allow imapd_t self:fifo_file rw_fifo_file_perms; allow imapd_t self:fifo_file rw_fifo_file_perms;
allow imapd_t self:tcp_socket create_stream_socket_perms; allow imapd_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t) manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t) manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir }) files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t) manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
files_pid_filetrans(imapd_t,imapd_var_run_t,file) files_pid_filetrans(imapd_t, imapd_var_run_t, file)
kernel_read_kernel_sysctls(imapd_t) kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t) kernel_list_proc(imapd_t)
@ -92,6 +92,10 @@ optional_policy(`
seutil_sigchld_newrole(imapd_t) seutil_sigchld_newrole(imapd_t)
') ')
optional_policy(`
tcpd_wrapped_domain(imapd_t, imapd_exec_t)
')
optional_policy(` optional_policy(`
udev_read_db(imapd_t) udev_read_db(imapd_t)
') ')