a25335e1fa
Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here.
133 lines
3.0 KiB
Plaintext
133 lines
3.0 KiB
Plaintext
policy_module(zarafa, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute zarafa_domain;
|
|
|
|
zarafa_domain_template(monitor)
|
|
zarafa_domain_template(ical)
|
|
zarafa_domain_template(server)
|
|
zarafa_domain_template(spooler)
|
|
zarafa_domain_template(gateway)
|
|
zarafa_domain_template(deliver)
|
|
|
|
type zarafa_deliver_tmp_t;
|
|
files_tmp_file(zarafa_deliver_tmp_t)
|
|
|
|
type zarafa_etc_t;
|
|
files_config_file(zarafa_etc_t)
|
|
|
|
type zarafa_share_t;
|
|
files_type(zarafa_share_t)
|
|
|
|
permissive zarafa_server_t;
|
|
permissive zarafa_spooler_t;
|
|
permissive zarafa_gateway_t;
|
|
permissive zarafa_deliver_t;
|
|
permissive zarafa_ical_t;
|
|
permissive zarafa_monitor_t;
|
|
|
|
########################################
|
|
#
|
|
# zarafa-deliver local policy
|
|
#
|
|
|
|
manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
|
|
manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
|
|
files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
|
|
|
|
#temporary
|
|
#allow zarafa_deliver_t port_t:tcp_socket name_bind;
|
|
|
|
########################################
|
|
#
|
|
# zarafa_server local policy
|
|
#
|
|
|
|
allow zarafa_server_t self:capability { chown kill net_bind_service };
|
|
allow zarafa_server_t self:process { setrlimit signal };
|
|
|
|
corenet_tcp_bind_zarafa_port(zarafa_server_t)
|
|
|
|
files_read_usr_files(zarafa_server_t)
|
|
|
|
logging_send_syslog_msg(zarafa_server_t)
|
|
logging_send_audit_msgs(zarafa_server_t)
|
|
|
|
sysnet_dns_name_resolve(zarafa_server_t)
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(zarafa_server_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(zarafa_server_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# zarafa_spooler local policy
|
|
#
|
|
|
|
allow zarafa_spooler_t self:capability { chown kill };
|
|
allow zarafa_spooler_t self:process signal;
|
|
|
|
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
|
|
|
|
########################################
|
|
#
|
|
# zarafa_gateway local policy
|
|
#
|
|
|
|
allow zarafa_gateway_t self:capability { chown kill };
|
|
allow zarafa_gateway_t self:process { setrlimit signal };
|
|
|
|
corenet_tcp_bind_pop_port(zarafa_gateway_t)
|
|
|
|
#######################################
|
|
#
|
|
# zarafa-ical local policy
|
|
#
|
|
|
|
allow zarafa_ical_t self:capability chown;
|
|
|
|
corenet_tcp_bind_http_cache_port(zarafa_ical_t)
|
|
|
|
######################################
|
|
#
|
|
# zarafa-monitor local policy
|
|
#
|
|
|
|
allow zarafa_monitor_t self:capability chown;
|
|
|
|
########################################
|
|
#
|
|
# zarafa domains local policy
|
|
#
|
|
|
|
# bad permission on /etc/zarafa
|
|
allow zarafa_domain self:capability { dac_override setgid setuid };
|
|
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
|
|
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
|
|
allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
|
|
|
|
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
|
|
|
|
kernel_read_system_state(zarafa_domain)
|
|
|
|
files_read_etc_files(zarafa_domain)
|
|
|
|
auth_use_nsswitch(zarafa_domain)
|
|
|
|
miscfiles_read_localization(zarafa_domain)
|
|
|
|
# temporary rules
|
|
optional_policy(`
|
|
apache_content_template(zarafa)
|
|
')
|