selinux-policy/policy/modules/apps/evolution.if
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00


## <summary>Evolution email client</summary>
#######################################
## <summary>
## The per role template for the evolution module.
## </summary>
## <desc>
## <p>
## This template creates the derived domains used for the
## evolution email client and the related evolution applications
## (alarm, exchange connector, data server and webcal). A home
## content type is also created to protect the user evolution keys.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`evolution_per_role_template',`
########################################
#
# Declarations
#
# Main client domain; entered from the user domain ($2) via evolution_exec_t.
type $1_evolution_t;
domain_type($1_evolution_t)
domain_entry_file($1_evolution_t,evolution_exec_t)
role $3 types $1_evolution_t;
type $1_evolution_tmpfs_t;
files_tmpfs_file($1_evolution_tmpfs_t)
# Home content type (.evolution). The $1_evolution_rw_t alias is
# presumably kept for older callers - confirm before removing it.
type $1_evolution_home_t alias $1_evolution_rw_t;
files_poly_member($1_evolution_home_t)
userdom_user_home_content($1,$1_evolution_home_t)
# /tmp type for the ORBit socket the main client creates.
type $1_evolution_orbit_tmp_t;
files_tmp_file($1_evolution_orbit_tmp_t)
# Alarm notifier domain, with its own tmpfs and ORBit /tmp types.
type $1_evolution_alarm_t;
domain_type($1_evolution_alarm_t)
domain_entry_file($1_evolution_alarm_t,evolution_alarm_exec_t)
role $3 types $1_evolution_alarm_t;
type $1_evolution_alarm_tmpfs_t;
files_tmpfs_file($1_evolution_alarm_tmpfs_t)
type $1_evolution_alarm_orbit_tmp_t;
files_tmp_file($1_evolution_alarm_orbit_tmp_t)
# Exchange connector domain; also gets a plain /tmp type (/tmp/.exchange-$USER).
type $1_evolution_exchange_t;
domain_type($1_evolution_exchange_t)
domain_entry_file($1_evolution_exchange_t,evolution_exchange_exec_t)
role $3 types $1_evolution_exchange_t;
type $1_evolution_exchange_tmpfs_t;
files_tmpfs_file($1_evolution_exchange_tmpfs_t)
type $1_evolution_exchange_tmp_t;
files_tmp_file($1_evolution_exchange_tmp_t)
type $1_evolution_exchange_orbit_tmp_t;
files_tmp_file($1_evolution_exchange_orbit_tmp_t)
# Data server domain. No tmpfs type is declared for it in this template.
type $1_evolution_server_t;
domain_type($1_evolution_server_t)
domain_entry_file($1_evolution_server_t,evolution_server_exec_t)
role $3 types $1_evolution_server_t;
type $1_evolution_server_orbit_tmp_t;
files_tmp_file($1_evolution_server_orbit_tmp_t)
# Webcal (ics link handler) domain.
type $1_evolution_webcal_t;
domain_type($1_evolution_webcal_t)
domain_entry_file($1_evolution_webcal_t,evolution_webcal_exec_t)
role $3 types $1_evolution_webcal_t;
type $1_evolution_webcal_tmpfs_t;
files_tmpfs_file($1_evolution_webcal_tmpfs_t)
# Generic per-user ORBit /tmp type. NOTE(review): the exchange policy below
# questions whether this module should own this type at all.
type $1_orbit_tmp_t;
files_tmp_file($1_orbit_tmp_t)
########################################
#
# Evolution local policy
#
# NOTE(review): setuid, setgid and sys_nice are granted to the client
# unconditionally; worth confirming each is still needed, since these are
# privileged self capabilities for a mail client.
allow $1_evolution_t self:capability { setuid setgid sys_nice };
allow $1_evolution_t self:process { signal getsched setsched };
allow $1_evolution_t self:fifo_file rw_file_perms;
allow $1_evolution_t self:tcp_socket create_socket_perms;
allow $1_evolution_t self:udp_socket create_socket_perms;
# Talk to the alarm component over its ORBit socket and run its binary
# without a domain transition (can_exec).
allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
allow $1_evolution_t $1_evolution_alarm_t:file read;
allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
can_exec($1_evolution_t,evolution_alarm_exec_t)
# Talk to the exchange connector over its ORBit socket.
allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Full management of the user's .evolution content.
allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_t $1_evolution_home_t:lnk_file create_lnk_perms;
# ORBit /tmp files; both the client and the data server create them
# with the same type via files_tmp_filetrans.
allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_server_t,$1_evolution_orbit_tmp_t,{ dir file })
# Talk to the data server over its ORBit socket and run its binary
# without a domain transition (can_exec).
allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
allow $1_evolution_t $1_evolution_server_t:file read;
allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
can_exec($1_evolution_t,evolution_server_exec_t)
# Private tmpfs (shared memory) objects.
allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Interaction with the parent user domain ($2): inherit fds, read its
# /proc entries, connect back to its sockets, deliver sigchld.
allow $1_evolution_t $2:dir search;
allow $1_evolution_t $2:fd use;
allow $1_evolution_t $2:file read;
allow $1_evolution_t $2:lnk_file read;
allow $1_evolution_t $2:process sigchld;
allow $1_evolution_t $2:unix_stream_socket connectto;
# NOTE(review): the next two rules duplicate the dir search / file read
# rules on $2 a few lines above; harmless, but they could be dropped.
allow $1_evolution_t $2:dir search;
allow $1_evolution_t $2:file read;
# Automatic transition from the user domain when evolution is executed.
domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
allow $2 $1_evolution_t:unix_stream_socket connectto;
allow $2 $1_evolution_t:process noatsecure;
allow $2 $1_evolution_t:process signal_perms;
# Access .evolution
allow $2 $1_evolution_home_t:dir manage_dir_perms;
allow $2 $1_evolution_home_t:file manage_file_perms;
allow $2 $1_evolution_home_t:lnk_file create_lnk_perms;
allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
userdom_search_user_home_dirs($1,$1_evolution_t)
# Allow the user domain to signal/ps.
allow $2 $1_evolution_t:dir { search getattr read };
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
allow $2 $1_evolution_t:process getattr;
domain_dontaudit_read_all_domains_state($1_evolution_t)
#FIXME check to see if really needed
kernel_read_kernel_sysctls($1_evolution_t)
kernel_read_system_state($1_evolution_t)
# Allow netstat
kernel_read_network_state($1_evolution_t)
kernel_read_net_sysctls($1_evolution_t)
corecmd_exec_shell($1_evolution_t)
# Run various programs
corecmd_exec_bin($1_evolution_t)
# Incoming traffic: one interface for unlabeled packets and one for
# NetLabel packets (the transport-specific recvfrom interfaces are no
# longer used here).
corenet_all_recvfrom_unlabeled($1_evolution_t)
corenet_all_recvfrom_netlabel($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
corenet_udp_sendrecv_generic_if($1_evolution_t)
corenet_raw_sendrecv_generic_if($1_evolution_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_t)
corenet_udp_sendrecv_all_nodes($1_evolution_t)
# Client-side mail, news, directory and printing protocols:
# POP, SMTP, NNTP (innd), LDAP, IPP.
corenet_tcp_sendrecv_pop_port($1_evolution_t)
corenet_udp_sendrecv_pop_port($1_evolution_t)
corenet_tcp_sendrecv_smtp_port($1_evolution_t)
corenet_udp_sendrecv_smtp_port($1_evolution_t)
corenet_tcp_sendrecv_innd_port($1_evolution_t)
corenet_udp_sendrecv_innd_port($1_evolution_t)
corenet_tcp_sendrecv_ldap_port($1_evolution_t)
corenet_udp_sendrecv_ldap_port($1_evolution_t)
corenet_tcp_sendrecv_ipp_port($1_evolution_t)
corenet_udp_sendrecv_ipp_port($1_evolution_t)
corenet_tcp_connect_pop_port($1_evolution_t)
corenet_tcp_connect_smtp_port($1_evolution_t)
corenet_tcp_connect_innd_port($1_evolution_t)
corenet_tcp_connect_ldap_port($1_evolution_t)
corenet_tcp_connect_ipp_port($1_evolution_t)
corenet_sendrecv_pop_client_packets($1_evolution_t)
corenet_sendrecv_smtp_client_packets($1_evolution_t)
corenet_sendrecv_innd_client_packets($1_evolution_t)
corenet_sendrecv_ldap_client_packets($1_evolution_t)
corenet_sendrecv_ipp_client_packets($1_evolution_t)
# not sure about this bind
# NOTE(review): this lets the client bind UDP on a generic port on all
# nodes; if only outbound client protocols are needed it could go.
corenet_udp_bind_all_nodes($1_evolution_t)
corenet_udp_bind_generic_port($1_evolution_t)
dev_read_urand($1_evolution_t)
files_read_etc_files($1_evolution_t)
files_read_usr_files($1_evolution_t)
files_read_usr_symlinks($1_evolution_t)
files_read_var_files($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
libs_use_ld_so($1_evolution_t)
libs_use_shared_libs($1_evolution_t)
logging_send_syslog_msg($1_evolution_t)
miscfiles_read_localization($1_evolution_t)
sysnet_read_config($1_evolution_t)
sysnet_dns_name_resolve($1_evolution_t)
udev_read_state($1_evolution_t)
userdom_rw_user_tmp_files($1,$1_evolution_t)
userdom_manage_user_tmp_dirs($1,$1_evolution_t)
userdom_manage_user_tmp_sockets($1,$1_evolution_t)
userdom_manage_user_tmp_files($1,$1_evolution_t)
userdom_use_user_terminals($1, $1_evolution_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
mta_read_config($1_evolution_t)
xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
xserver_read_xdm_tmp_files($1_evolution_t)
# Home directories on NFS/CIFS: the evolution home content lives there too.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_evolution_t)
fs_manage_nfs_files($1_evolution_t)
fs_manage_nfs_symlinks($1_evolution_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_evolution_t)
fs_manage_cifs_files($1_evolution_t)
fs_manage_cifs_symlinks($1_evolution_t)
')
# mail_read_content gates reading arbitrary user content (attachments);
# when off, the corresponding denials are silenced rather than allowed.
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_evolution_t)
files_list_home($1_evolution_t)
fs_read_nfs_files($1_evolution_t)
fs_read_nfs_symlinks($1_evolution_t)
',`
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_read_nfs_files($1_evolution_t)
fs_dontaudit_list_nfs($1_evolution_t)
')
tunable_policy(`mail_read_content && use_samba_home_dirs',`
fs_list_auto_mountpoints($1_evolution_t)
files_list_home($1_evolution_t)
fs_read_cifs_files($1_evolution_t)
fs_read_cifs_symlinks($1_evolution_t)
',`
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_read_cifs_files($1_evolution_t)
fs_dontaudit_list_cifs($1_evolution_t)
')
tunable_policy(`mail_read_content',`
userdom_list_user_tmp($1,$1_evolution_t)
userdom_read_user_tmp_files($1,$1_evolution_t)
userdom_read_user_tmp_symlinks($1,$1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_read_user_home_content_files($1,$1_evolution_t)
userdom_read_user_home_content_symlinks($1,$1_evolution_t)
# Removable media is only reachable on non-MLS builds.
ifndef(`enable_mls',`
fs_search_removable($1_evolution_t)
fs_read_removable_files($1_evolution_t)
fs_read_removable_symlinks($1_evolution_t)
')
',`
files_dontaudit_list_tmp($1_evolution_t)
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_removable($1_evolution_t)
fs_dontaudit_read_removable_files($1_evolution_t)
userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
')
tunable_policy(`mail_read_content && read_default_t',`
files_list_default($1_evolution_t)
files_read_default_files($1_evolution_t)
files_read_default_symlinks($1_evolution_t)
',`
files_dontaudit_read_default_files($1_evolution_t)
files_dontaudit_list_default($1_evolution_t)
')
# Reading content previously saved as untrusted (downloaded) content.
tunable_policy(`mail_read_content && read_untrusted_content',`
files_list_tmp($1_evolution_t)
files_list_home($1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_list_user_untrusted_content($1,$1_evolution_t)
userdom_read_user_untrusted_content_files($1,$1_evolution_t)
userdom_read_user_untrusted_content_symlinks($1,$1_evolution_t)
userdom_list_user_tmp_untrusted_content($1,$1_evolution_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_evolution_t)
',`
files_dontaudit_list_tmp($1_evolution_t)
files_dontaudit_list_home($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_evolution_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_evolution_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_evolution_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
')
# Saving attachments: new files in the home directory are created as
# untrusted content ($1_untrusted_content_tmp_t) rather than plain home content.
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
files_search_home($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
fs_manage_nfs_dirs($1_evolution_t)
fs_manage_nfs_files($1_evolution_t)
fs_manage_nfs_symlinks($1_evolution_t)
',`
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_manage_nfs_dirs($1_evolution_t)
fs_dontaudit_manage_nfs_files($1_evolution_t)
')
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
fs_manage_cifs_dirs($1_evolution_t)
fs_manage_cifs_files($1_evolution_t)
fs_manage_cifs_symlinks($1_evolution_t)
',`
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_manage_cifs_dirs($1_evolution_t)
fs_dontaudit_manage_cifs_files($1_evolution_t)
')
tunable_policy(`write_untrusted_content',`
files_search_home($1_evolution_t)
userdom_manage_user_untrusted_content_files($1,$1_evolution_t)
userdom_user_home_dir_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
',`
files_dontaudit_list_home($1_evolution_t)
files_dontaudit_list_tmp($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
')
optional_policy(`
automount_read_state($1_evolution_t)
')
# Allow printing the mail
optional_policy(`
cups_read_rw_config($1_evolution_t)
')
# System and per-user session bus clients.
optional_policy(`
dbus_system_bus_client_template($1_evolution,$1_evolution_t)
dbus_send_system_bus($1_evolution_t)
dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
dbus_send_user_bus($1,$1_evolution_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_t)
')
# Encrypt mail
optional_policy(`
gpg_domtrans_user_gpg($1,$1_evolution_t)
gpg_signal_user_gpg($1,$1_evolution_t)
')
optional_policy(`
lpd_domtrans_user_lpr($1,$1_evolution_t)
')
# Open links in the browser; reading its home files is also granted.
optional_policy(`
mozilla_read_user_home_files($1, $1_evolution_t)
mozilla_domtrans_user_mozilla($1, $1_evolution_t)
')
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
optional_policy(`
nis_use_ypbind($1_evolution_t)
')
optional_policy(`
nscd_socket_use($1_evolution_t)
')
### Junk mail filtering (start spamd)
optional_policy(`
spamassassin_exec_spamd($1_evolution_t)
spamassassin_domtrans_user_client($1,$1_evolution_t)
spamassassin_domtrans_user_local_client($1,$1_evolution_t)
# Allow evolution to signal the daemon
# FIXME: Now evolution can read spamd temp files
spamassassin_read_spamd_tmp_files($1_evolution_t)
spamassassin_signal_spamd($1_evolution_t)
spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
')
# Everything under ifdef(`TODO') is not expanded into the policy.
# NOTE(review): before enabling it, note the type is declared as
# $1_evolutioin_secret_t (typo) but the unlink rule below uses
# $1_evolution_secret_t, and $1_gnome_secret_t is not declared here.
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution, $1)
#TODO gnome stuff
# Store passwords in .gnome2_private
# Type for storing secret data
# (different from home, not directly accessible from ROLE_t)
type $1_evolutioin_secret_t;
userdom_user_home_content($1,$1_evolutioin_secret_t)
# Put secret files in .gnome2_private
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
allow $2 $1_evolution_secret_t:file unlink;
ifdef(`TODO',`
gnome_file_dialog($1_evolution, $1)
')
')
########################################
#
# Evolution alarm local policy
#
allow $1_evolution_alarm_t self:process { signal getsched };
allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
# Talk to the main client over its ORBit socket.
allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
# Private tmpfs (shared memory) objects.
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Talk to the exchange connector over its ORBit socket.
allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file create_lnk_perms;
# Talk to the data server over its ORBit socket.
allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
# Transition from user domain
domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
allow $1_evolution_alarm_t $2:fd use;
dev_read_urand($1_evolution_alarm_t)
files_read_etc_files($1_evolution_alarm_t)
files_read_usr_files($1_evolution_alarm_t)
fs_search_auto_mountpoints($1_evolution_alarm_t)
libs_use_ld_so($1_evolution_alarm_t)
libs_use_shared_libs($1_evolution_alarm_t)
miscfiles_read_localization($1_evolution_alarm_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_alarm_t)
xserver_user_client_template($1,$1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_alarm_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_alarm_t)
')
# Session bus client only (no system bus access for the alarm notifier).
optional_policy(`
dbus_user_bus_client_template($1,$1_evolution_alarm,$1_evolution_alarm_t)
dbus_send_user_bus($1,$1_evolution_alarm_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
')
optional_policy(`
nscd_socket_use($1_evolution_alarm_t)
')
# Not expanded (TODO is not defined).
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_alarm,$1)
')
########################################
#
# Evolution exchange connector local policy
#
allow $1_evolution_exchange_t self:process getsched;
allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
# Talk to the main client and the alarm component over their ORBit sockets.
allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
# Talk to the data server over its ORBit socket.
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
# /tmp/.exchange-$USER
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
# Private tmpfs (shared memory) objects.
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
#FIXME, who should own this. I dont think this module should
allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
# Clock applet talks to exchange (FIXME: Needs policy)
allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Transition from user domain
domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
# Allow netstat
kernel_read_network_state($1_evolution_exchange_t)
kernel_read_net_sysctls($1_evolution_exchange_t)
# Run various programs
corecmd_exec_bin($1_evolution_exchange_t)
dev_read_urand($1_evolution_exchange_t)
files_read_etc_files($1_evolution_exchange_t)
files_read_usr_files($1_evolution_exchange_t)
# Access evolution home
fs_search_auto_mountpoints($1_evolution_exchange_t)
libs_use_ld_so($1_evolution_exchange_t)
libs_use_shared_libs($1_evolution_exchange_t)
miscfiles_read_localization($1_evolution_exchange_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_exchange_t)
xserver_user_client_template($1,$1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_exchange_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_exchange_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
')
optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
# Not expanded (TODO is not defined).
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_exchange, $1)
')
########################################
#
# Evolution data server local policy
#
allow $1_evolution_server_t self:process { getsched signal };
allow $1_evolution_server_t self:fifo_file { read write };
allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
# Talk to ldap (address book),
# Obtain weather data via http (read server name from xml file in /usr)
allow $1_evolution_server_t self:tcp_socket create_socket_perms;
# Talk to the main client and the exchange connector over their ORBit sockets.
allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
# Talk to the alarm component over its ORBit socket.
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
# Transition from user type
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
kernel_read_system_state($1_evolution_server_t)
corecmd_exec_shell($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
# Outbound HTTP / HTTP cache only; unlabeled and NetLabel receive interfaces
# as for the main client.
corenet_all_recvfrom_unlabeled($1_evolution_server_t)
corenet_all_recvfrom_netlabel($1_evolution_server_t)
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
corenet_tcp_sendrecv_http_port($1_evolution_server_t)
corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
corenet_tcp_connect_http_cache_port($1_evolution_server_t)
corenet_tcp_connect_http_port($1_evolution_server_t)
corenet_sendrecv_http_client_packets($1_evolution_server_t)
corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
dev_read_urand($1_evolution_server_t)
files_read_etc_files($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
files_read_usr_files($1_evolution_server_t)
fs_search_auto_mountpoints($1_evolution_server_t)
libs_use_ld_so($1_evolution_server_t)
libs_use_shared_libs($1_evolution_server_t)
miscfiles_read_localization($1_evolution_server_t)
# Look in /etc/pki
miscfiles_read_certs($1_evolution_server_t)
# Talk to ldap (address book)
sysnet_read_config($1_evolution_server_t)
sysnet_dns_name_resolve($1_evolution_server_t)
sysnet_use_ldap($1_evolution_server_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_server_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_server_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_server_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
')
optional_policy(`
nscd_socket_use($1_evolution_server_t)
')
# Not expanded (TODO is not defined).
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_server, $1)
')
########################################
#
# Evolution webcal local policy
#
allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
# X/evolution common stuff
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Transition from user type
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
# NOTE(review): the raw sendrecv rules below have no effect unless the
# domain is also granted a self:rawip_socket permission, which this
# template does not do (only self:tcp_socket is allowed above).
corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
corenet_tcp_connect_http_port($1_evolution_webcal_t)
corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
# Networking capability - connect to website and handle ics link
sysnet_read_config($1_evolution_webcal_t)
sysnet_dns_name_resolve($1_evolution_webcal_t)
# Search home directory (?)
userdom_search_user_home_dirs($1,$1_evolution_webcal_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_webcal_t)
# NOTE(review): unlike the other derived domains, no files_read_etc_files,
# dev_read_urand or libs_use_* rules appear here; verify they come from
# the xserver template or elsewhere before assuming the domain is runnable.
xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
optional_policy(`
nscd_socket_use($1_evolution_webcal_t)
')
# Not expanded (TODO is not defined).
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_webcal, $1)
')
')
########################################
## <summary>
## Create objects in users evolution home folders.
## </summary>
## <desc>
## <p>
## Allow the domain to create objects in the user
## evolution home directory and label them with the
## given private type.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type the created object is labeled with.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class of the object being created.
## This template substitutes the argument as-is, so
## callers should always pass it explicitly.
## </summary>
## </param>
#
template(`evolution_home_filetrans',`
gen_require(`
type $1_evolution_home_t;
')
# Write access on the parent directory is needed for the transition to apply.
allow $2 $1_evolution_home_t:dir rw_dir_perms;
# NOTE(review): $4 (class) has no default here; an empty fourth argument
# would leave the rule with no class, so this is not a "dir by default" rule.
type_transition $2 $1_evolution_home_t:$4 $3;
')
########################################
## <summary>
## Connect to user evolution unix stream socket.
## </summary>
## <desc>
## <p>
## Connect to the user evolution unix stream socket,
## and search the user evolution home directory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`evolution_stream_connect',`
gen_require(`
type $1_evolution_t, $1_evolution_home_t;
')
allow $2 $1_evolution_t:unix_stream_socket connectto;
# dir search on the evolution home type accompanies the connect;
# presumably the socket path lives under the evolution home - confirm.
allow $2 $1_evolution_home_t:dir search;
')
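########################################
## <summary>
## Send and receive messages from
## evolution over dbus.
## </summary>
## <desc>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template: the
## evolution domain is derived from the user prefix.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`evolution_dbus_chat',`
gen_require(`
type $1_evolution_t;
class dbus send_msg;
')
# Both directions are granted so that replies are not denied.
allow $2 $1_evolution_t:dbus send_msg;
allow $1_evolution_t $2:dbus send_msg;
')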
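########################################
## <summary>
## Send and receive messages from
## evolution_alarm over dbus.
## </summary>
## <desc>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template: the
## evolution alarm domain is derived from the user prefix.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`evolution_alarm_dbus_chat',`
gen_require(`
type $1_evolution_alarm_t;
class dbus send_msg;
')
# Both directions are granted so that replies are not denied.
allow $2 $1_evolution_alarm_t:dbus send_msg;
allow $1_evolution_alarm_t $2:dbus send_msg;
')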