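policy_module(dovecot, 1.12.0)

########################################
#
# Declarations
#

# Main daemon domain; started by init from dovecot_exec_t.
type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)

# Authentication helper domain. Not an init daemon: it is entered only
# through the domtrans from dovecot_t defined in the local policy below.
type dovecot_auth_t;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;

type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)

# Certificate material (presumably the TLS cert/key); the rules below grant
# dovecot_t read-only access and no domain may write it.
type dovecot_cert_t;
files_type(dovecot_cert_t)

# Local delivery agent domain (deliver/LDA), run outside dovecot_t.
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;

type dovecot_etc_t;
files_config_file(dovecot_etc_t)

type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)

# Password database. In this module only dovecot_auth_t is granted read
# access to it; keep it that way so the main daemon never sees credentials.
type dovecot_passwd_t;
files_type(dovecot_passwd_t)

type dovecot_spool_t;
files_type(dovecot_spool_t)

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)

# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)

type dovecot_var_log_t;
logging_log_file(dovecot_var_log_t)

type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
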
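########################################
#
# dovecot local policy
#

allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };

# The auth helper runs in its own domain; dovecot_t may only start and signal it.
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)

allow dovecot_t dovecot_auth_t:process signal;

# Certificates are read-only for the daemon (no manage/write rules on dovecot_cert_t).
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)

allow dovecot_t dovecot_etc_t:file read_file_perms;
files_search_etc(dovecot_t)

# Re-exec of its own binaries stays in dovecot_t (no transition).
can_exec(dovecot_t, dovecot_exec_t)

manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })

# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
files_read_var_lib_files(dovecot_t)
files_read_var_symlinks(dovecot_t)

manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })

manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)

manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)

kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)

corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
# Listening is limited to the mail and pop port types.
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
# NOTE(review): outbound TCP is unrestricted here. connect_all_ports already
# subsumes the postgresql-port rule below and pairs with
# corenet_sendrecv_all_client_packets, so a compromised dovecot_t can reach
# any TCP service. Narrowing this to the backends actually in use (e.g. the
# SQL/LDAP ports) is the least-privilege fix, but confirm which backends
# deployments rely on before tightening.
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)

dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)

fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)

corecmd_exec_bin(dovecot_t)

domain_use_interactive_fds(dovecot_t)

files_read_etc_files(dovecot_t)
files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)

init_getattr_utmp(dovecot_t)

auth_use_nsswitch(dovecot_t)

logging_send_syslog_msg(dovecot_t)

miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
# Full manage rights on user home content (presumably for Maildir/mbox
# stored under $HOME). This is a broad grant; it is shared with
# dovecot_deliver_t below.
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
userdom_manage_user_home_content_symlinks(dovecot_t)
userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

optional_policy(`
	kerberos_keytab_template(dovecot, dovecot_t)
')

optional_policy(`
	postgresql_stream_connect(dovecot_t)
')

optional_policy(`
	seutil_sigchld_newrole(dovecot_t)
')

optional_policy(`
	squid_dontaudit_search_cache(dovecot_t)
')

optional_policy(`
	udev_read_db(dovecot_t)
')

########################################
#
# dovecot auth local policy
#

allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;

allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };

# Only the auth helper may read the password database.
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)

manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })

allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)

kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)

logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)
logging_search_logs(dovecot_auth_t)

dev_read_urand(dovecot_auth_t)

# Password checks go through the chk_passwd transition rather than
# granting this domain direct access to the system shadow file.
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)

files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)

init_rw_utmp(dovecot_auth_t)

miscfiles_read_localization(dovecot_auth_t)

seutil_dontaudit_search_config(dovecot_auth_t)

optional_policy(`
	kerberos_use(dovecot_auth_t)

	# for gssapi (kerberos)
	userdom_list_user_tmp(dovecot_auth_t)
	userdom_read_user_tmp_files(dovecot_auth_t)
	userdom_read_user_tmp_symlinks(dovecot_auth_t)
')

optional_policy(`
	mysql_search_db(dovecot_auth_t)
	mysql_stream_connect(dovecot_auth_t)
')

optional_policy(`
	nis_authenticate(dovecot_auth_t)
')

optional_policy(`
	postfix_search_spool(dovecot_auth_t)
')

########################################
#
# dovecot deliver local policy
#

allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;

allow dovecot_deliver_t dovecot_t:process signull;

# The LDA reads the config but has no access to certs or the password db.
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;

kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)

files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)

auth_use_nsswitch(dovecot_deliver_t)

logging_send_syslog_msg(dovecot_deliver_t)

miscfiles_read_localization(dovecot_deliver_t)

dovecot_stream_connect_auth(dovecot_deliver_t)

files_search_tmp(dovecot_deliver_t)

fs_getattr_all_fs(dovecot_deliver_t)

# Same broad home-content grant as dovecot_t; needed to deliver into
# per-user mailboxes under $HOME (presumably).
userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })

# Home directories on NFS/CIFS are only reachable when the matching
# boolean is enabled; both the server and the LDA need it.
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(dovecot_deliver_t)
	fs_manage_nfs_files(dovecot_deliver_t)
	fs_manage_nfs_symlinks(dovecot_deliver_t)
	fs_manage_nfs_dirs(dovecot_t)
	fs_manage_nfs_files(dovecot_t)
	fs_manage_nfs_symlinks(dovecot_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(dovecot_deliver_t)
	fs_manage_cifs_files(dovecot_deliver_t)
	fs_manage_cifs_symlinks(dovecot_deliver_t)
	fs_manage_cifs_dirs(dovecot_t)
	fs_manage_cifs_files(dovecot_t)
	fs_manage_cifs_symlinks(dovecot_t)
')

optional_policy(`
	mta_manage_spool(dovecot_deliver_t)
')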
d8eb3c71 CP |
255 | allow dovecot_deliver_t dovecot_t:process signull; |
256 | ||
bb881612 CP |
257 | allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; |
258 | allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; | |
259 | ||
260 | kernel_read_all_sysctls(dovecot_deliver_t) | |
261 | kernel_read_system_state(dovecot_deliver_t) | |
262 | ||
263 | files_read_etc_files(dovecot_deliver_t) | |
264 | files_read_etc_runtime_files(dovecot_deliver_t) | |
265 | ||
266 | auth_use_nsswitch(dovecot_deliver_t) | |
267 | ||
268 | logging_send_syslog_msg(dovecot_deliver_t) | |
d8eb3c71 | 269 | logging_search_logs(dovecot_auth_t) |
bb881612 CP |
270 | |
271 | miscfiles_read_localization(dovecot_deliver_t) | |
272 | ||
273 | dovecot_stream_connect_auth(dovecot_deliver_t) | |
274 | ||
275 | files_search_tmp(dovecot_deliver_t) | |
276 | ||
277 | fs_getattr_all_fs(dovecot_deliver_t) | |
278 | ||
279 | userdom_manage_user_home_content_dirs(dovecot_deliver_t) | |
280 | userdom_manage_user_home_content_files(dovecot_deliver_t) | |
281 | userdom_manage_user_home_content_symlinks(dovecot_deliver_t) | |
282 | userdom_manage_user_home_content_pipes(dovecot_deliver_t) | |
283 | userdom_manage_user_home_content_sockets(dovecot_deliver_t) | |
284 | userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) | |
285 | ||
4dd84bbf | 286 | tunable_policy(`use_nfs_home_dirs',` |
d8eb3c71 CP |
287 | fs_manage_nfs_dirs(dovecot_deliver_t) |
288 | fs_manage_nfs_files(dovecot_deliver_t) | |
289 | fs_manage_nfs_symlinks(dovecot_deliver_t) | |
290 | fs_manage_nfs_dirs(dovecot_t) | |
4dd84bbf CP |
291 | fs_manage_nfs_files(dovecot_t) |
292 | fs_manage_nfs_symlinks(dovecot_t) | |
293 | ') | |
294 | ||
295 | tunable_policy(`use_samba_home_dirs',` | |
d8eb3c71 CP |
296 | fs_manage_cifs_dirs(dovecot_deliver_t) |
297 | fs_manage_cifs_files(dovecot_deliver_t) | |
298 | fs_manage_cifs_symlinks(dovecot_deliver_t) | |
299 | fs_manage_cifs_dirs(dovecot_t) | |
4dd84bbf CP |
300 | fs_manage_cifs_files(dovecot_t) |
301 | fs_manage_cifs_symlinks(dovecot_t) | |
302 | ') | |
303 | ||
bb881612 CP |
304 | optional_policy(` |
305 | mta_manage_spool(dovecot_deliver_t) | |
29ce0009 | 306 | ') |