#DESC uw-imapd-ssl server
#
# Author:  Ed Street <edstreet@street-tek.com>
# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
# Depends: inetd.te
#

daemon_domain(imapd, `, auth_chkpwd, privhome')
tmp_domain(imapd)

can_network_server_tcp(imapd_t)

#declare our own services
allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
allow imapd_t pop_port_t:tcp_socket name_bind;

#declare this a socket from inetd
allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
allow imapd_t self:unix_stream_socket create_socket_perms;
domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')

#friendly stuff we dont want to see :)
dontaudit imapd_t bin_t:dir search;

#read /etc/ for hostname nsswitch.conf
allow imapd_t etc_t:file { getattr read };

#socket i/o stuff
allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };

#read resolv.conf
allow imapd_t net_conf_t:file { getattr read };

#urandom, for ssl
allow imapd_t random_device_t:chr_file read;
allow imapd_t urandom_device_t:chr_file { read getattr };

allow imapd_t self:fifo_file rw_file_perms;

#mail directory
rw_dir_file(imapd_t, mail_spool_t)

#home directory
allow imapd_t home_root_t:dir search;
allow imapd_t self:file { read getattr };