[people/stevee/selinux-policy.git] / policy / modules / services / courier.if

## <summary>Courier IMAP and POP3 email servers</summary>

########################################
## <summary>
##	Template for creating courier server processes.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix name of the server process.
##	</summary>
## </param>
#
template(`courier_domain_template',`

	##############################
	#
	# Declarations
	#

	type courier_$1_t;
	type courier_$1_exec_t;
	init_daemon_domain(courier_$1_t, courier_$1_exec_t)

	##############################
	#
	# Declarations
	#

	allow courier_$1_t self:capability dac_override;
	dontaudit courier_$1_t self:capability sys_tty_config;
	allow courier_$1_t self:process { setpgid signal_perms };
	allow courier_$1_t self:fifo_file { read write getattr };
	allow courier_$1_t self:tcp_socket create_stream_socket_perms;
	allow courier_$1_t self:udp_socket create_socket_perms;

	can_exec(courier_$1_t, courier_$1_exec_t)

	read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
	allow courier_$1_t courier_etc_t:dir list_dir_perms;

	manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
	manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
	manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
	files_search_pids(courier_$1_t)

	kernel_read_system_state(courier_$1_t)
	kernel_read_kernel_sysctls(courier_$1_t)

	corecmd_exec_bin(courier_$1_t)

	corenet_all_recvfrom_unlabeled(courier_$1_t)
	corenet_all_recvfrom_netlabel(courier_$1_t)
	corenet_tcp_sendrecv_generic_if(courier_$1_t)
	corenet_udp_sendrecv_generic_if(courier_$1_t)
	corenet_tcp_sendrecv_generic_node(courier_$1_t)
	corenet_udp_sendrecv_generic_node(courier_$1_t)
	corenet_tcp_sendrecv_all_ports(courier_$1_t)
	corenet_udp_sendrecv_all_ports(courier_$1_t)

	dev_read_sysfs(courier_$1_t)

	domain_use_interactive_fds(courier_$1_t)

	files_read_etc_files(courier_$1_t)
	files_read_etc_runtime_files(courier_$1_t)
	files_read_usr_files(courier_$1_t)

	fs_getattr_xattr_fs(courier_$1_t)
	fs_search_auto_mountpoints(courier_$1_t)

	logging_send_syslog_msg(courier_$1_t)

	sysnet_read_config(courier_$1_t)

	userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)

	optional_policy(`
		seutil_sigchld_newrole(courier_$1_t)
	')

	optional_policy(`
		udev_read_db(courier_$1_t)
	')
')

########################################
## <summary>
##	Execute the courier authentication daemon with
##	a domain transition.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`courier_domtrans_authdaemon',`
	gen_require(`
		type courier_authdaemon_t, courier_authdaemon_exec_t;
	')

	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')

########################################
## <summary>
##	Execute the courier POP3 and IMAP server with
##	a domain transition.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`courier_domtrans_pop',`
	gen_require(`
		type courier_pop_t, courier_pop_exec_t;
	')

	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')

########################################
## <summary>
##	Read courier config files
## </summary>
## <param name="prefix">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`courier_read_config',`
	gen_require(`
		type courier_etc_t;
	')

	read_files_pattern($1, courier_etc_t, courier_etc_t)
')

########################################
## <summary>
##	Create, read, write, and delete courier
##	spool directories.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`courier_manage_spool_dirs',`
	gen_require(`
		type courier_spool_t;
	')

	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')

########################################
## <summary>
##	Create, read, write, and delete courier
##	spool files.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`courier_manage_spool_files',`
	gen_require(`
		type courier_spool_t;
	')

	manage_files_pattern($1, courier_spool_t, courier_spool_t)
')

########################################
## <summary>
##	Read and write to courier spool pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`courier_rw_spool_pipes',`
	gen_require(`
		type courier_spool_t;
	')

	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
Commit	Line	Data
6f8cda96 CP	1	## <summary>Courier IMAP and POP3 email servers</summary>
	2
	3	########################################
	4	## <summary>
	5	## Template for creating courier server processes.
	6	## </summary>
	7	## <param name="prefix">
	8	## <summary>
	9	## Prefix name of the server process.
	10	## </summary>
	11	## </param>
	12	#
	13	template(`courier_domain_template',`
	14
	15	##############################
	16	#
	17	# Declarations
	18	#
	19
	20	type courier_$1_t;
	21	type courier_$1_exec_t;
0bfccda4	22	init_daemon_domain(courier_$1_t, courier_$1_exec_t)
6f8cda96 CP	23
	24	##############################
	25	#
	26	# Declarations
	27	#
	28
	29	allow courier_$1_t self:capability dac_override;
	30	dontaudit courier_$1_t self:capability sys_tty_config;
	31	allow courier_$1_t self:process { setpgid signal_perms };
	32	allow courier_$1_t self:fifo_file { read write getattr };
	33	allow courier_$1_t self:tcp_socket create_stream_socket_perms;
	34	allow courier_$1_t self:udp_socket create_socket_perms;
	35
	36	can_exec(courier_$1_t, courier_$1_exec_t)
	37
3f67f722	38	read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
c0868a7a	39	allow courier_$1_t courier_etc_t:dir list_dir_perms;
6f8cda96	40
0bfccda4 CP	41	manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
	42	manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
	43	manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
6f8cda96 CP	44	files_search_pids(courier_$1_t)
	45
	46	kernel_read_system_state(courier_$1_t)
	47	kernel_read_kernel_sysctls(courier_$1_t)
	48
	49	corecmd_exec_bin(courier_$1_t)
	50
19006686 CP	51	corenet_all_recvfrom_unlabeled(courier_$1_t)
19006686 CP	52	corenet_all_recvfrom_netlabel(courier_$1_t)
6f8cda96 CP	53	corenet_tcp_sendrecv_generic_if(courier_$1_t)
6f8cda96 CP	54	corenet_udp_sendrecv_generic_if(courier_$1_t)
c1262146 CP	55	corenet_tcp_sendrecv_generic_node(courier_$1_t)
c1262146 CP	56	corenet_udp_sendrecv_generic_node(courier_$1_t)
6f8cda96 CP	57	corenet_tcp_sendrecv_all_ports(courier_$1_t)
6f8cda96 CP	58	corenet_udp_sendrecv_all_ports(courier_$1_t)
6f8cda96 CP	59
	60	dev_read_sysfs(courier_$1_t)
	61
	62	domain_use_interactive_fds(courier_$1_t)
	63
	64	files_read_etc_files(courier_$1_t)
	65	files_read_etc_runtime_files(courier_$1_t)
	66	files_read_usr_files(courier_$1_t)
	67
	68	fs_getattr_xattr_fs(courier_$1_t)
	69	fs_search_auto_mountpoints(courier_$1_t)
	70
6f8cda96 CP	71	logging_send_syslog_msg(courier_$1_t)
	72
	73	sysnet_read_config(courier_$1_t)
	74
	75	userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
	76
6f8cda96 CP	77	optional_policy(`
	78	seutil_sigchld_newrole(courier_$1_t)
	79	')
	80
	81	optional_policy(`
	82	udev_read_db(courier_$1_t)
	83	')
	84	')
	85
	86	########################################
	87	## <summary>
	88	## Execute the courier authentication daemon with
	89	## a domain transition.
	90	## </summary>
	91	## <param name="prefix">
	92	## <summary>
	93	## Domain allowed access.
	94	## </summary>
	95	## </param>
	96	#
	97	interface(`courier_domtrans_authdaemon',`
	98	gen_require(`
	99	type courier_authdaemon_t, courier_authdaemon_exec_t;
	100	')
	101
c0868a7a	102	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
6f8cda96 CP	103	')
	104
	105	########################################
	106	## <summary>
	107	## Execute the courier POP3 and IMAP server with
	108	## a domain transition.
	109	## </summary>
	110	## <param name="prefix">
	111	## <summary>
	112	## Domain allowed access.
	113	## </summary>
	114	## </param>
	115	#
	116	interface(`courier_domtrans_pop',`
	117	gen_require(`
	118	type courier_pop_t, courier_pop_exec_t;
	119	')
	120
c0868a7a	121	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
6f8cda96	122	')
3e598765 CP	123
	124	########################################
	125	## <summary>
	126	## Read courier config files
	127	## </summary>
	128	## <param name="prefix">
	129	## <summary>
	130	## Domain allowed access.
	131	## </summary>
	132	## </param>
	133	#
	134	interface(`courier_read_config',`
	135	gen_require(`
	136	type courier_etc_t;
	137	')
	138
	139	read_files_pattern($1, courier_etc_t, courier_etc_t)
	140	')
	141
	142	########################################
	143	## <summary>
	144	## Create, read, write, and delete courier
	145	## spool directories.
	146	## </summary>
	147	## <param name="prefix">
	148	## <summary>
	149	## Domain allowed access.
	150	## </summary>
	151	## </param>
	152	#
	153	interface(`courier_manage_spool_dirs',`
	154	gen_require(`
	155	type courier_spool_t;
	156	')
	157
	158	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
	159	')
	160
	161	########################################
	162	## <summary>
	163	## Create, read, write, and delete courier
	164	## spool files.
	165	## </summary>
	166	## <param name="prefix">
	167	## <summary>
	168	## Domain allowed access.
	169	## </summary>
	170	## </param>
	171	#
	172	interface(`courier_manage_spool_files',`
	173	gen_require(`
	174	type courier_spool_t;
	175	')
	176
	177	manage_files_pattern($1, courier_spool_t, courier_spool_t)
	178	')
	179
	180	########################################
	181	## <summary>
	182	## Read and write to courier spool pipes.
	183	## </summary>
	184	## <param name="domain">
	185	## <summary>
	186	## Domain to not audit.
187	## </summary>
188	## </param>
189	#
190	interface(`courier_rw_spool_pipes',`
191	gen_require(`
192	type courier_spool_t;
193	')
194
195	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
196	')