selinux-policy/policy/modules/services/courier.te
Dominick Grift 1dfc76f76b Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-22 15:39:43 +02:00

147 lines
3.8 KiB
Plaintext

policy_module(courier, 1.9.1)
########################################
#
# Declarations
#
courier_domain_template(authdaemon)
type courier_etc_t;
files_config_file(courier_etc_t)
courier_domain_template(pcp)
courier_domain_template(pop)
type courier_spool_t;
files_type(courier_spool_t)
courier_domain_template(tcpd)
type courier_var_lib_t;
files_type(courier_var_lib_t)
type courier_var_run_t;
files_pid_file(courier_var_run_t)
type courier_exec_t;
mta_agent_executable(courier_exec_t)
courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
########################################
#
# Authdaemon local policy
#
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket connectto;
can_exec(courier_authdaemon_t, courier_exec_t)
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
files_search_spool(courier_authdaemon_t)
corecmd_search_bin(courier_authdaemon_t)
# for SSP
dev_read_urand(courier_authdaemon_t)
files_getattr_tmp_dirs(courier_authdaemon_t)
auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
# should not be needed!
userdom_search_user_home_dirs(courier_authdaemon_t)
courier_domtrans_pop(courier_authdaemon_t)
########################################
#
# Calendar (PCP) local policy
#
allow courier_pcp_t self:capability { setuid setgid };
dev_read_rand(courier_pcp_t)
########################################
#
# POP3/IMAP local policy
#
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
miscfiles_read_localization(courier_pop_t)
courier_domtrans_authdaemon(courier_pop_t)
# do the actual work (read the Maildir)
userdom_manage_user_home_content_files(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
userdom_manage_user_home_content_dirs(courier_pop_t)
########################################
#
# TCPd local policy
#
allow courier_tcpd_t self:capability kill;
can_exec(courier_tcpd_t, courier_exec_t)
manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
files_search_var_lib(courier_tcpd_t)
corecmd_search_bin(courier_tcpd_t)
corenet_tcp_bind_generic_node(courier_tcpd_t)
corenet_tcp_bind_pop_port(courier_tcpd_t)
corenet_sendrecv_pop_server_packets(courier_tcpd_t)
# for TLS
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
miscfiles_read_localization(courier_tcpd_t)
courier_domtrans_pop(courier_tcpd_t)
########################################
#
# Webmail local policy
#
kernel_read_kernel_sysctls(courier_sqwebmail_t)
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')