]>
Commit | Line | Data |
---|---|---|
6f8cda96 CP |
1 | ## <summary>Courier IMAP and POP3 email servers</summary> |
2 | ||
3 | ######################################## | |
4 | ## <summary> | |
5 | ## Template for creating courier server processes. | |
6 | ## </summary> | |
7 | ## <param name="prefix"> | |
8 | ## <summary> | |
9 | ## Prefix name of the server process. | |
10 | ## </summary> | |
11 | ## </param> | |
12 | # | |
13 | template(`courier_domain_template',` | |
14 | ||
15 | ############################## | |
16 | # | |
17 | # Declarations | |
18 | # | |
19 | ||
20 | type courier_$1_t; | |
21 | type courier_$1_exec_t; | |
0bfccda4 | 22 | init_daemon_domain(courier_$1_t, courier_$1_exec_t) |
6f8cda96 CP |
23 | |
24 | ############################## | |
25 | # | |
26 | # Declarations | |
27 | # | |
28 | ||
29 | allow courier_$1_t self:capability dac_override; | |
30 | dontaudit courier_$1_t self:capability sys_tty_config; | |
31 | allow courier_$1_t self:process { setpgid signal_perms }; | |
32 | allow courier_$1_t self:fifo_file { read write getattr }; | |
33 | allow courier_$1_t self:tcp_socket create_stream_socket_perms; | |
34 | allow courier_$1_t self:udp_socket create_socket_perms; | |
35 | ||
36 | can_exec(courier_$1_t, courier_$1_exec_t) | |
37 | ||
3f67f722 | 38 | read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) |
c0868a7a | 39 | allow courier_$1_t courier_etc_t:dir list_dir_perms; |
6f8cda96 | 40 | |
0bfccda4 CP |
41 | manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) |
42 | manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) | |
43 | manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) | |
6f8cda96 CP |
44 | files_search_pids(courier_$1_t) |
45 | ||
46 | kernel_read_system_state(courier_$1_t) | |
47 | kernel_read_kernel_sysctls(courier_$1_t) | |
48 | ||
49 | corecmd_exec_bin(courier_$1_t) | |
50 | ||
19006686 CP |
51 | corenet_all_recvfrom_unlabeled(courier_$1_t) |
52 | corenet_all_recvfrom_netlabel(courier_$1_t) | |
6f8cda96 CP |
53 | corenet_tcp_sendrecv_generic_if(courier_$1_t) |
54 | corenet_udp_sendrecv_generic_if(courier_$1_t) | |
c1262146 CP |
55 | corenet_tcp_sendrecv_generic_node(courier_$1_t) |
56 | corenet_udp_sendrecv_generic_node(courier_$1_t) | |
6f8cda96 CP |
57 | corenet_tcp_sendrecv_all_ports(courier_$1_t) |
58 | corenet_udp_sendrecv_all_ports(courier_$1_t) | |
6f8cda96 CP |
59 | |
60 | dev_read_sysfs(courier_$1_t) | |
61 | ||
62 | domain_use_interactive_fds(courier_$1_t) | |
63 | ||
64 | files_read_etc_files(courier_$1_t) | |
65 | files_read_etc_runtime_files(courier_$1_t) | |
66 | files_read_usr_files(courier_$1_t) | |
67 | ||
68 | fs_getattr_xattr_fs(courier_$1_t) | |
69 | fs_search_auto_mountpoints(courier_$1_t) | |
70 | ||
6f8cda96 CP |
71 | logging_send_syslog_msg(courier_$1_t) |
72 | ||
73 | sysnet_read_config(courier_$1_t) | |
74 | ||
75 | userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) | |
76 | ||
6f8cda96 CP |
77 | optional_policy(` |
78 | seutil_sigchld_newrole(courier_$1_t) | |
79 | ') | |
80 | ||
81 | optional_policy(` | |
82 | udev_read_db(courier_$1_t) | |
83 | ') | |
84 | ') | |
85 | ||
86 | ######################################## | |
87 | ## <summary> | |
88 | ## Execute the courier authentication daemon with | |
89 | ## a domain transition. | |
90 | ## </summary> | |
91 | ## <param name="prefix"> | |
92 | ## <summary> | |
93 | ## Domain allowed access. | |
94 | ## </summary> | |
95 | ## </param> | |
96 | # | |
97 | interface(`courier_domtrans_authdaemon',` | |
98 | gen_require(` | |
99 | type courier_authdaemon_t, courier_authdaemon_exec_t; | |
100 | ') | |
101 | ||
c0868a7a | 102 | domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) |
6f8cda96 CP |
103 | ') |
104 | ||
105 | ######################################## | |
106 | ## <summary> | |
107 | ## Execute the courier POP3 and IMAP server with | |
108 | ## a domain transition. | |
109 | ## </summary> | |
110 | ## <param name="prefix"> | |
111 | ## <summary> | |
112 | ## Domain allowed access. | |
113 | ## </summary> | |
114 | ## </param> | |
115 | # | |
116 | interface(`courier_domtrans_pop',` | |
117 | gen_require(` | |
118 | type courier_pop_t, courier_pop_exec_t; | |
119 | ') | |
120 | ||
c0868a7a | 121 | domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) |
6f8cda96 | 122 | ') |
3e598765 CP |
123 | |
124 | ######################################## | |
125 | ## <summary> | |
126 | ## Read courier config files | |
127 | ## </summary> | |
128 | ## <param name="prefix"> | |
129 | ## <summary> | |
130 | ## Domain allowed access. | |
131 | ## </summary> | |
132 | ## </param> | |
133 | # | |
134 | interface(`courier_read_config',` | |
135 | gen_require(` | |
136 | type courier_etc_t; | |
137 | ') | |
138 | ||
139 | read_files_pattern($1, courier_etc_t, courier_etc_t) | |
140 | ') | |
141 | ||
142 | ######################################## | |
143 | ## <summary> | |
144 | ## Create, read, write, and delete courier | |
145 | ## spool directories. | |
146 | ## </summary> | |
147 | ## <param name="prefix"> | |
148 | ## <summary> | |
149 | ## Domain allowed access. | |
150 | ## </summary> | |
151 | ## </param> | |
152 | # | |
153 | interface(`courier_manage_spool_dirs',` | |
154 | gen_require(` | |
155 | type courier_spool_t; | |
156 | ') | |
157 | ||
158 | manage_dirs_pattern($1, courier_spool_t, courier_spool_t) | |
159 | ') | |
160 | ||
161 | ######################################## | |
162 | ## <summary> | |
163 | ## Create, read, write, and delete courier | |
164 | ## spool files. | |
165 | ## </summary> | |
166 | ## <param name="prefix"> | |
167 | ## <summary> | |
168 | ## Domain allowed access. | |
169 | ## </summary> | |
170 | ## </param> | |
171 | # | |
172 | interface(`courier_manage_spool_files',` | |
173 | gen_require(` | |
174 | type courier_spool_t; | |
175 | ') | |
176 | ||
177 | manage_files_pattern($1, courier_spool_t, courier_spool_t) | |
178 | ') | |
179 | ||
180 | ######################################## | |
181 | ## <summary> | |
182 | ## Read and write to courier spool pipes. | |
183 | ## </summary> | |
184 | ## <param name="domain"> | |
185 | ## <summary> | |
186 | ## Domain to not audit. | |
187 | ## </summary> | |
188 | ## </param> | |
189 | # | |
190 | interface(`courier_rw_spool_pipes',` | |
191 | gen_require(` | |
192 | type courier_spool_t; | |
193 | ') | |
194 | ||
195 | allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; | |
196 | ') |