policy_module(courier, 1.6.0) ######################################## # # Declarations # courier_domain_template(authdaemon) type courier_etc_t; files_config_file(courier_etc_t) courier_domain_template(pcp) courier_domain_template(pop) type courier_spool_t; files_type(courier_spool_t) courier_domain_template(tcpd) type courier_var_lib_t; files_type(courier_var_lib_t) type courier_var_run_t; files_pid_file(courier_var_run_t) type courier_exec_t; mta_agent_executable(courier_exec_t) courier_domain_template(sqwebmail) typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; ######################################## # # Authdaemon local policy # allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; allow courier_authdaemon_t self:unix_stream_socket connectto; can_exec(courier_authdaemon_t, courier_exec_t) allow courier_authdaemon_t courier_tcpd_t:fd use; allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:process sigchld; allow courier_authdaemon_t courier_tcpd_t:fd use; allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; corecmd_search_bin(courier_authdaemon_t) # for SSP dev_read_urand(courier_authdaemon_t) files_getattr_tmp_dirs(courier_authdaemon_t) auth_domtrans_chk_passwd(courier_authdaemon_t) libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) # should not be needed! userdom_search_unpriv_users_home_dirs(courier_authdaemon_t) courier_domtrans_pop(courier_authdaemon_t) sysadm_dontaudit_search_home_dirs(courier_authdaemon_t) ######################################## # # Calendar (PCP) local policy # allow courier_pcp_t self:capability { setuid setgid }; dev_read_rand(courier_pcp_t) ######################################## # # POP3/IMAP local policy # allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; # inherits file handle - should it? allow courier_pop_t courier_var_lib_t:file { read write }; miscfiles_read_localization(courier_pop_t) courier_domtrans_authdaemon(courier_pop_t) # do the actual work (read the Maildir) userdom_manage_unpriv_users_home_content_files(courier_pop_t) # cjp: the fact that this is different for pop vs imap means that # there should probably be a courier_pop_t and courier_imap_t # this should also probably be a separate type too instead of # the regular home dir userdom_manage_unpriv_users_home_content_dirs(courier_pop_t) ######################################## # # TCPd local policy # allow courier_tcpd_t self:capability kill; can_exec(courier_tcpd_t, courier_exec_t) manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) files_search_var_lib(courier_tcpd_t) corecmd_search_bin(courier_tcpd_t) corenet_tcp_bind_all_nodes(courier_tcpd_t) corenet_tcp_bind_pop_port(courier_tcpd_t) corenet_sendrecv_pop_server_packets(courier_tcpd_t) # for TLS dev_read_rand(courier_tcpd_t) dev_read_urand(courier_tcpd_t) miscfiles_read_localization(courier_tcpd_t) courier_domtrans_pop(courier_tcpd_t) ######################################## # # Webmail local policy # kernel_read_kernel_sysctls(courier_sqwebmail_t) optional_policy(` cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) ')