68ac47d8c5
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
330 lines
9.7 KiB
Plaintext
330 lines
9.7 KiB
Plaintext
policy_module(dovecot, 1.12.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
type dovecot_t;
|
|
type dovecot_exec_t;
|
|
init_daemon_domain(dovecot_t, dovecot_exec_t)
|
|
|
|
type dovecot_auth_t;
|
|
type dovecot_auth_exec_t;
|
|
domain_type(dovecot_auth_t)
|
|
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
|
role system_r types dovecot_auth_t;
|
|
|
|
type dovecot_auth_tmp_t;
|
|
files_tmp_file(dovecot_auth_tmp_t)
|
|
|
|
type dovecot_cert_t;
|
|
miscfiles_cert_type(dovecot_cert_t)
|
|
|
|
type dovecot_deliver_t;
|
|
type dovecot_deliver_exec_t;
|
|
domain_type(dovecot_deliver_t)
|
|
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
|
|
role system_r types dovecot_deliver_t;
|
|
|
|
type dovecot_deliver_tmp_t;
|
|
files_tmp_file(dovecot_deliver_tmp_t)
|
|
|
|
type dovecot_etc_t;
|
|
files_config_file(dovecot_etc_t)
|
|
|
|
type dovecot_initrc_exec_t;
|
|
init_script_file(dovecot_initrc_exec_t)
|
|
|
|
type dovecot_passwd_t;
|
|
files_type(dovecot_passwd_t)
|
|
|
|
type dovecot_spool_t;
|
|
files_type(dovecot_spool_t)
|
|
|
|
type dovecot_tmp_t;
|
|
files_tmp_file(dovecot_tmp_t)
|
|
|
|
# /var/lib/dovecot holds SSL parameters file
|
|
type dovecot_var_lib_t;
|
|
files_type(dovecot_var_lib_t)
|
|
|
|
type dovecot_var_log_t;
|
|
logging_log_file(dovecot_var_log_t)
|
|
|
|
type dovecot_var_run_t;
|
|
files_pid_file(dovecot_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# dovecot local policy
|
|
#
|
|
|
|
allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
|
|
dontaudit dovecot_t self:capability sys_tty_config;
|
|
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
|
|
allow dovecot_t self:fifo_file rw_fifo_file_perms;
|
|
allow dovecot_t self:tcp_socket create_stream_socket_perms;
|
|
allow dovecot_t self:unix_dgram_socket create_socket_perms;
|
|
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
|
|
|
|
allow dovecot_t dovecot_auth_t:process signal;
|
|
|
|
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
|
|
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
|
|
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
|
|
|
|
allow dovecot_t dovecot_etc_t:dir list_dir_perms;
|
|
read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
|
|
files_search_etc(dovecot_t)
|
|
|
|
can_exec(dovecot_t, dovecot_exec_t)
|
|
|
|
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
|
|
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
|
|
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
|
|
|
|
# Allow dovecot to create and read SSL parameters file
|
|
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
|
files_search_var_lib(dovecot_t)
|
|
files_read_var_symlinks(dovecot_t)
|
|
|
|
manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
|
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
|
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
|
|
|
manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
|
|
|
|
kernel_read_kernel_sysctls(dovecot_t)
|
|
kernel_read_system_state(dovecot_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dovecot_t)
|
|
corenet_all_recvfrom_netlabel(dovecot_t)
|
|
corenet_tcp_sendrecv_generic_if(dovecot_t)
|
|
corenet_tcp_sendrecv_generic_node(dovecot_t)
|
|
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
|
corenet_tcp_bind_generic_node(dovecot_t)
|
|
corenet_tcp_bind_mail_port(dovecot_t)
|
|
corenet_tcp_bind_pop_port(dovecot_t)
|
|
corenet_tcp_connect_all_ports(dovecot_t)
|
|
corenet_tcp_connect_postgresql_port(dovecot_t)
|
|
corenet_sendrecv_pop_server_packets(dovecot_t)
|
|
corenet_sendrecv_all_client_packets(dovecot_t)
|
|
|
|
dev_read_sysfs(dovecot_t)
|
|
dev_read_urand(dovecot_t)
|
|
|
|
fs_getattr_all_fs(dovecot_t)
|
|
fs_getattr_all_dirs(dovecot_t)
|
|
fs_search_auto_mountpoints(dovecot_t)
|
|
fs_list_inotifyfs(dovecot_t)
|
|
|
|
corecmd_exec_bin(dovecot_t)
|
|
|
|
domain_use_interactive_fds(dovecot_t)
|
|
|
|
files_read_etc_files(dovecot_t)
|
|
files_search_spool(dovecot_t)
|
|
files_search_tmp(dovecot_t)
|
|
files_dontaudit_list_default(dovecot_t)
|
|
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
|
|
files_read_etc_runtime_files(dovecot_t)
|
|
files_search_all_mountpoints(dovecot_t)
|
|
|
|
init_getattr_utmp(dovecot_t)
|
|
|
|
auth_use_nsswitch(dovecot_t)
|
|
|
|
logging_send_syslog_msg(dovecot_t)
|
|
|
|
miscfiles_read_generic_certs(dovecot_t)
|
|
miscfiles_read_localization(dovecot_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
|
|
userdom_manage_user_home_content_dirs(dovecot_t)
|
|
userdom_manage_user_home_content_files(dovecot_t)
|
|
userdom_manage_user_home_content_symlinks(dovecot_t)
|
|
userdom_manage_user_home_content_pipes(dovecot_t)
|
|
userdom_manage_user_home_content_sockets(dovecot_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
|
|
|
|
mta_manage_spool(dovecot_t)
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(dovecot, dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_manage_private_sockets(dovecot_t)
|
|
postfix_search_spool(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
squid_dontaudit_search_cache(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dovecot_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# dovecot auth local policy
|
|
#
|
|
|
|
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
|
|
allow dovecot_auth_t self:process { signal_perms getcap setcap };
|
|
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
|
|
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
|
|
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
|
|
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
|
|
|
|
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
|
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
|
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
|
|
|
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
|
|
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
dovecot_stream_connect_auth(dovecot_auth_t)
|
|
|
|
kernel_read_all_sysctls(dovecot_auth_t)
|
|
kernel_read_system_state(dovecot_auth_t)
|
|
|
|
logging_send_audit_msgs(dovecot_auth_t)
|
|
logging_send_syslog_msg(dovecot_auth_t)
|
|
|
|
dev_read_urand(dovecot_auth_t)
|
|
|
|
auth_domtrans_chk_passwd(dovecot_auth_t)
|
|
auth_use_nsswitch(dovecot_auth_t)
|
|
|
|
files_read_etc_files(dovecot_auth_t)
|
|
files_read_etc_runtime_files(dovecot_auth_t)
|
|
files_search_pids(dovecot_auth_t)
|
|
files_read_usr_files(dovecot_auth_t)
|
|
files_read_usr_symlinks(dovecot_auth_t)
|
|
files_read_var_lib_files(dovecot_auth_t)
|
|
files_search_tmp(dovecot_auth_t)
|
|
files_read_var_lib_files(dovecot_t)
|
|
|
|
init_rw_utmp(dovecot_auth_t)
|
|
|
|
miscfiles_read_localization(dovecot_auth_t)
|
|
|
|
seutil_dontaudit_search_config(dovecot_auth_t)
|
|
|
|
optional_policy(`
|
|
kerberos_use(dovecot_auth_t)
|
|
|
|
# for gssapi (kerberos)
|
|
userdom_list_user_tmp(dovecot_auth_t)
|
|
userdom_read_user_tmp_files(dovecot_auth_t)
|
|
userdom_read_user_tmp_symlinks(dovecot_auth_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_search_db(dovecot_auth_t)
|
|
mysql_stream_connect(dovecot_auth_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_authenticate(dovecot_auth_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_manage_private_sockets(dovecot_auth_t)
|
|
postfix_search_spool(dovecot_auth_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# dovecot deliver local policy
|
|
#
|
|
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow dovecot_deliver_t dovecot_t:process signull;
|
|
|
|
read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
|
|
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
|
|
|
|
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
|
|
|
|
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
|
|
manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
|
|
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
|
|
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
|
|
|
|
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
|
|
|
|
kernel_read_all_sysctls(dovecot_deliver_t)
|
|
kernel_read_system_state(dovecot_deliver_t)
|
|
|
|
corecmd_exec_bin(dovecot_deliver_t)
|
|
|
|
files_read_etc_files(dovecot_deliver_t)
|
|
files_read_etc_runtime_files(dovecot_deliver_t)
|
|
|
|
auth_use_nsswitch(dovecot_deliver_t)
|
|
|
|
logging_send_syslog_msg(dovecot_deliver_t)
|
|
logging_search_logs(dovecot_deliver_t)
|
|
|
|
miscfiles_read_localization(dovecot_deliver_t)
|
|
|
|
dovecot_stream_connect_auth(dovecot_deliver_t)
|
|
|
|
files_search_tmp(dovecot_deliver_t)
|
|
|
|
fs_getattr_all_fs(dovecot_deliver_t)
|
|
|
|
userdom_manage_user_home_content_dirs(dovecot_deliver_t)
|
|
userdom_manage_user_home_content_files(dovecot_deliver_t)
|
|
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
|
|
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
|
|
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(dovecot_deliver_t)
|
|
fs_manage_nfs_files(dovecot_deliver_t)
|
|
fs_manage_nfs_symlinks(dovecot_deliver_t)
|
|
fs_manage_nfs_dirs(dovecot_t)
|
|
fs_manage_nfs_files(dovecot_t)
|
|
fs_manage_nfs_symlinks(dovecot_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(dovecot_deliver_t)
|
|
fs_manage_cifs_files(dovecot_deliver_t)
|
|
fs_manage_cifs_symlinks(dovecot_deliver_t)
|
|
fs_manage_cifs_dirs(dovecot_t)
|
|
fs_manage_cifs_files(dovecot_t)
|
|
fs_manage_cifs_symlinks(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_manage_spool(dovecot_deliver_t)
|
|
mta_read_queue(dovecot_deliver_t)
|
|
')
|