selinux-policy/policy/modules/services/courier.te

policy_module(courier,1.2.1)

########################################
#
# Declarations
#

courier_domain_template(authdaemon)

type courier_etc_t;
files_type(courier_etc_t)

courier_domain_template(pcp)

courier_domain_template(pop)

courier_domain_template(tcpd)

type courier_var_lib_t;
files_type(courier_var_lib_t)

type courier_var_run_t;
files_pid_file(courier_var_run_t)

type courier_exec_t;
files_type(courier_exec_t)

courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;

########################################
#
# Authdaemon local policy
#

allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket connectto;

can_exec(courier_authdaemon_t, courier_exec_t)

allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;

allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;

corecmd_search_bin(courier_authdaemon_t)

# for SSP
dev_read_urand(courier_authdaemon_t)

files_getattr_tmp_dirs(courier_authdaemon_t)

auth_domtrans_chk_passwd(courier_authdaemon_t)

libs_read_lib_files(courier_authdaemon_t)

miscfiles_read_localization(courier_authdaemon_t)

# should not be needed!
userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)

courier_domtrans_pop(courier_authdaemon_t)

########################################
#
# Calendar (PCP) local policy
#

allow courier_pcp_t self:capability { setuid setgid };

dev_read_rand(courier_pcp_t)

########################################
#
# POP3/IMAP local policy
#

allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;

allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;

# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file { read write };

miscfiles_read_localization(courier_pop_t)

courier_domtrans_authdaemon(courier_pop_t)

# do the actual work (read the Maildir)
userdom_manage_unpriv_users_home_content_files(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)

########################################
#
# TCPd local policy
#

allow courier_tcpd_t self:capability kill;

can_exec(courier_tcpd_t, courier_exec_t)

manage_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
manage_lnk_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
files_search_var_lib(courier_tcpd_t)

corecmd_search_bin(courier_tcpd_t)

corenet_tcp_bind_all_nodes(courier_tcpd_t)
corenet_tcp_bind_pop_port(courier_tcpd_t)
corenet_sendrecv_pop_server_packets(courier_tcpd_t)

# for TLS
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)

miscfiles_read_localization(courier_tcpd_t)

courier_domtrans_pop(courier_tcpd_t)

########################################
#
# Webmail local policy
#

kernel_read_kernel_sysctls(courier_sqwebmail_t)

optional_policy(`
	cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t)
')