[people/stevee/selinux-policy.git] / policy / modules / services / dovecot.te


policy_module(dovecot, 1.12.0)

########################################
#
# Declarations
#
type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)

type dovecot_auth_t;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;

type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)

type dovecot_cert_t;
files_type(dovecot_cert_t)

type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;

type dovecot_etc_t;
files_config_file(dovecot_etc_t)

type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)

type dovecot_passwd_t;
files_type(dovecot_passwd_t)

type dovecot_spool_t;
files_type(dovecot_spool_t)

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)

# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)

type dovecot_var_log_t;
logging_log_file(dovecot_var_log_t)

type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)

########################################
#
# dovecot local policy
#

allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };

domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)

allow dovecot_t dovecot_auth_t:process signal;

allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)

allow dovecot_t dovecot_etc_t:file read_file_perms;
files_search_etc(dovecot_t)

can_exec(dovecot_t, dovecot_exec_t)

manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })

# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
files_read_var_symlinks(dovecot_t)

manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })

manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)

manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)

kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)

corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)

dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)

fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)

corecmd_exec_bin(dovecot_t)

domain_use_interactive_fds(dovecot_t)

files_read_etc_files(dovecot_t)
files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)

init_getattr_utmp(dovecot_t)

auth_use_nsswitch(dovecot_t)

logging_send_syslog_msg(dovecot_t)

miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
userdom_manage_user_home_content_symlinks(dovecot_t)
userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

optional_policy(`
	kerberos_keytab_template(dovecot, dovecot_t)
')

optional_policy(`
	postgresql_stream_connect(dovecot_t)
')

optional_policy(`
	seutil_sigchld_newrole(dovecot_t)
')

optional_policy(`
	squid_dontaudit_search_cache(dovecot_t)
')

optional_policy(`
	udev_read_db(dovecot_t)
')

########################################
#
# dovecot auth local policy
#

allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;

allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };

read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)

manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })

allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)

kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)

logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)

dev_read_urand(dovecot_auth_t)

auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)

files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)

init_rw_utmp(dovecot_auth_t)

miscfiles_read_localization(dovecot_auth_t)

seutil_dontaudit_search_config(dovecot_auth_t)

optional_policy(`
	kerberos_use(dovecot_auth_t)

	# for gssapi (kerberos)
	userdom_list_user_tmp(dovecot_auth_t)
	userdom_read_user_tmp_files(dovecot_auth_t)
	userdom_read_user_tmp_symlinks(dovecot_auth_t)
')

optional_policy(`
	mysql_search_db(dovecot_auth_t)
	mysql_stream_connect(dovecot_auth_t)
')

optional_policy(`
	nis_authenticate(dovecot_auth_t)
')

optional_policy(`
	postfix_search_spool(dovecot_auth_t)
')

########################################
#
# dovecot deliver local policy
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;

allow dovecot_deliver_t dovecot_t:process signull;

allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;

kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)

files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)

auth_use_nsswitch(dovecot_deliver_t)

logging_send_syslog_msg(dovecot_deliver_t)
logging_search_logs(dovecot_auth_t)

miscfiles_read_localization(dovecot_deliver_t)

dovecot_stream_connect_auth(dovecot_deliver_t)

files_search_tmp(dovecot_deliver_t)

fs_getattr_all_fs(dovecot_deliver_t)

userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(dovecot_deliver_t)
	fs_manage_nfs_files(dovecot_deliver_t)
	fs_manage_nfs_symlinks(dovecot_deliver_t)
	fs_manage_nfs_dirs(dovecot_t)
	fs_manage_nfs_files(dovecot_t)
	fs_manage_nfs_symlinks(dovecot_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(dovecot_deliver_t)
	fs_manage_cifs_files(dovecot_deliver_t)
	fs_manage_cifs_symlinks(dovecot_deliver_t)
	fs_manage_cifs_dirs(dovecot_t)
	fs_manage_cifs_files(dovecot_t)
	fs_manage_cifs_symlinks(dovecot_t)
')

optional_policy(`
	mta_manage_spool(dovecot_deliver_t)
')
Commit	Line	Data
29ce0009	1
29af4c13	2	policy_module(dovecot, 1.12.0)
29ce0009 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
784a3bbc	8	type dovecot_t;
29ce0009	9	type dovecot_exec_t;
0bfccda4	10	init_daemon_domain(dovecot_t, dovecot_exec_t)
29ce0009	11
46551033 CP	12	type dovecot_auth_t;
	13	type dovecot_auth_exec_t;
	14	domain_type(dovecot_auth_t)
0bfccda4	15	domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
46551033 CP	16	role system_r types dovecot_auth_t;
46551033 CP	17
bb881612 CP	18	type dovecot_auth_tmp_t;
	19	files_tmp_file(dovecot_auth_tmp_t)
	20
29ce0009 CP	21	type dovecot_cert_t;
	22	files_type(dovecot_cert_t)
	23
bb881612 CP	24	type dovecot_deliver_t;
	25	type dovecot_deliver_exec_t;
	26	domain_type(dovecot_deliver_t)
	27	domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
	28	role system_r types dovecot_deliver_t;
	29
9bbc757a CP	30	type dovecot_etc_t;
9bbc757a CP	31	files_config_file(dovecot_etc_t)
29ce0009	32
bb881612 CP	33	type dovecot_initrc_exec_t;
	34	init_script_file(dovecot_initrc_exec_t)
	35
29ce0009 CP	36	type dovecot_passwd_t;
	37	files_type(dovecot_passwd_t)
	38
	39	type dovecot_spool_t;
	40	files_type(dovecot_spool_t)
	41
d8eb3c71 CP	42	type dovecot_tmp_t;
	43	files_tmp_file(dovecot_tmp_t)
	44
46551033 CP	45	# /var/lib/dovecot holds SSL parameters file
46551033 CP	46	type dovecot_var_lib_t;
4dd84bbf	47	files_type(dovecot_var_lib_t)
46551033	48
bb881612 CP	49	type dovecot_var_log_t;
	50	logging_log_file(dovecot_var_log_t)
	51
29ce0009 CP	52	type dovecot_var_run_t;
	53	files_pid_file(dovecot_var_run_t)
	54
29ce0009 CP	55	########################################
	56	#
	57	# dovecot local policy
	58	#
d828b5ca	59
d8eb3c71	60	allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
29ce0009	61	dontaudit dovecot_t self:capability sys_tty_config;
4dd84bbf	62	allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
c0868a7a	63	allow dovecot_t self:fifo_file rw_fifo_file_perms;
29ce0009 CP	64	allow dovecot_t self:tcp_socket create_stream_socket_perms;
29ce0009 CP	65	allow dovecot_t self:unix_dgram_socket create_socket_perms;
2e0a8801	66	allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
29ce0009	67
c0868a7a	68	domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
29ce0009	69
d8eb3c71 CP	70	allow dovecot_t dovecot_auth_t:process signal;
d8eb3c71 CP	71
c0868a7a	72	allow dovecot_t dovecot_cert_t:dir list_dir_perms;
0bfccda4 CP	73	read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
0bfccda4 CP	74	read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
29ce0009	75
c0868a7a	76	allow dovecot_t dovecot_etc_t:file read_file_perms;
29ce0009 CP	77	files_search_etc(dovecot_t)
	78
	79	can_exec(dovecot_t, dovecot_exec_t)
	80
d8eb3c71 CP	81	manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
	82	manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
	83	files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
	84
	85	# Allow dovecot to create and read SSL parameters file
	86	manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
	87	files_search_var_lib(dovecot_t)
	88	files_read_var_symlinks(dovecot_t)
	89
	90	manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
bb881612	91	manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
d8eb3c71	92	logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
bb881612	93
0bfccda4 CP	94	manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
	95	manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
	96	manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
29ce0009	97
0bfccda4	98	manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
d8eb3c71	99	manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
0bfccda4 CP	100	manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
0bfccda4 CP	101	files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
29ce0009	102
445522dc	103	kernel_read_kernel_sysctls(dovecot_t)
29ce0009 CP	104	kernel_read_system_state(dovecot_t)
29ce0009 CP	105
19006686 CP	106	corenet_all_recvfrom_unlabeled(dovecot_t)
19006686 CP	107	corenet_all_recvfrom_netlabel(dovecot_t)
668b3093	108	corenet_tcp_sendrecv_generic_if(dovecot_t)
c1262146	109	corenet_tcp_sendrecv_generic_node(dovecot_t)
29ce0009	110	corenet_tcp_sendrecv_all_ports(dovecot_t)
c1262146	111	corenet_tcp_bind_generic_node(dovecot_t)
d8eb3c71	112	corenet_tcp_bind_mail_port(dovecot_t)
e6a2eaff	113	corenet_tcp_bind_pop_port(dovecot_t)
da4fc9ce	114	corenet_tcp_connect_all_ports(dovecot_t)
72492557	115	corenet_tcp_connect_postgresql_port(dovecot_t)
3d03a4f4 CP	116	corenet_sendrecv_pop_server_packets(dovecot_t)
3d03a4f4 CP	117	corenet_sendrecv_all_client_packets(dovecot_t)
29ce0009 CP	118
	119	dev_read_sysfs(dovecot_t)
	120	dev_read_urand(dovecot_t)
	121
	122	fs_getattr_all_fs(dovecot_t)
d8eb3c71	123	fs_getattr_all_dirs(dovecot_t)
29ce0009	124	fs_search_auto_mountpoints(dovecot_t)
72492557	125	fs_list_inotifyfs(dovecot_t)
29ce0009	126
29ce0009 CP	127	corecmd_exec_bin(dovecot_t)
29ce0009 CP	128
15722ec9	129	domain_use_interactive_fds(dovecot_t)
29ce0009 CP	130
	131	files_read_etc_files(dovecot_t)
	132	files_search_spool(dovecot_t)
	133	files_search_tmp(dovecot_t)
bf080a46	134	files_dontaudit_list_default(dovecot_t)
165b42d2 CP	135	# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
165b42d2 CP	136	files_read_etc_runtime_files(dovecot_t)
bb881612	137	files_search_all_mountpoints(dovecot_t)
29ce0009	138
68228b33	139	init_getattr_utmp(dovecot_t)
29ce0009	140
c0cf6e0a CP	141	auth_use_nsswitch(dovecot_t)
c0cf6e0a CP	142
29ce0009 CP	143	logging_send_syslog_msg(dovecot_t)
	144
	145	miscfiles_read_certs(dovecot_t)
	146	miscfiles_read_localization(dovecot_t)
	147
15722ec9	148	userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
296273a7 CP	149	userdom_manage_user_home_content_dirs(dovecot_t)
	150	userdom_manage_user_home_content_files(dovecot_t)
	151	userdom_manage_user_home_content_symlinks(dovecot_t)
	152	userdom_manage_user_home_content_pipes(dovecot_t)
	153	userdom_manage_user_home_content_sockets(dovecot_t)
	154	userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
29ce0009	155
704327e8	156	mta_manage_spool(dovecot_t)
29ce0009	157
bb7170f6	158	optional_policy(`
bb881612	159	kerberos_keytab_template(dovecot, dovecot_t)
29ce0009 CP	160	')
29ce0009 CP	161
d8eb3c71 CP	162	optional_policy(`
	163	postgresql_stream_connect(dovecot_t)
	164	')
	165
bb7170f6	166	optional_policy(`
29ce0009 CP	167	seutil_sigchld_newrole(dovecot_t)
	168	')
	169
b129e200 CP	170	optional_policy(`
	171	squid_dontaudit_search_cache(dovecot_t)
	172	')
	173
bb7170f6	174	optional_policy(`
29ce0009 CP	175	udev_read_db(dovecot_t)
	176	')
	177
	178	########################################
	179	#
	180	# dovecot auth local policy
	181	#
d828b5ca	182
bb881612	183	allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
4dd84bbf	184	allow dovecot_auth_t self:process { signal_perms getcap setcap };
c0868a7a	185	allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
29ce0009 CP	186	allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
	187	allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
	188
bb881612 CP	189	allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
	190
	191	read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
29ce0009	192
bb881612 CP	193	manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
	194	manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
	195	files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
29ce0009	196
ef659a47	197	allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
bb881612 CP	198	manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
bb881612 CP	199	dovecot_stream_connect_auth(dovecot_auth_t)
9cca1cd5	200
445522dc	201	kernel_read_all_sysctls(dovecot_auth_t)
29ce0009 CP	202	kernel_read_system_state(dovecot_auth_t)
29ce0009 CP	203
bb881612 CP	204	logging_send_audit_msgs(dovecot_auth_t)
	205	logging_send_syslog_msg(dovecot_auth_t)
	206
29ce0009 CP	207	dev_read_urand(dovecot_auth_t)
	208
	209	auth_domtrans_chk_passwd(dovecot_auth_t)
78510c55	210	auth_use_nsswitch(dovecot_auth_t)
29ce0009 CP	211
29ce0009 CP	212	files_read_etc_files(dovecot_auth_t)
78510c55	213	files_read_etc_runtime_files(dovecot_auth_t)
29ce0009	214	files_search_pids(dovecot_auth_t)
bb881612	215	files_read_usr_files(dovecot_auth_t)
9cca1cd5	216	files_read_usr_symlinks(dovecot_auth_t)
d8eb3c71	217	files_read_var_lib_files(dovecot_auth_t)
9cca1cd5	218	files_search_tmp(dovecot_auth_t)
eac818f0	219	files_read_var_lib_files(dovecot_t)
29ce0009	220
d9845ae9 CP	221	init_rw_utmp(dovecot_auth_t)
d9845ae9 CP	222
29ce0009 CP	223	miscfiles_read_localization(dovecot_auth_t)
	224
	225	seutil_dontaudit_search_config(dovecot_auth_t)
	226
bb7170f6	227	optional_policy(`
29ce0009	228	kerberos_use(dovecot_auth_t)
4dd84bbf CP	229
	230	# for gssapi (kerberos)
	231	userdom_list_user_tmp(dovecot_auth_t)
	232	userdom_read_user_tmp_files(dovecot_auth_t)
	233	userdom_read_user_tmp_symlinks(dovecot_auth_t)
29ce0009 CP	234	')
29ce0009 CP	235
bb7170f6	236	optional_policy(`
bb881612 CP	237	mysql_search_db(dovecot_auth_t)
	238	mysql_stream_connect(dovecot_auth_t)
	239	')
	240
	241	optional_policy(`
	242	nis_authenticate(dovecot_auth_t)
	243	')
	244
	245	optional_policy(`
	246	postfix_search_spool(dovecot_auth_t)
	247	')
	248
	249	########################################
	250	#
	251	# dovecot deliver local policy
	252	#
	253	allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
	254
d8eb3c71 CP	255	allow dovecot_deliver_t dovecot_t:process signull;
d8eb3c71 CP	256
bb881612 CP	257	allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
	258	allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
	259
	260	kernel_read_all_sysctls(dovecot_deliver_t)
	261	kernel_read_system_state(dovecot_deliver_t)
	262
	263	files_read_etc_files(dovecot_deliver_t)
	264	files_read_etc_runtime_files(dovecot_deliver_t)
	265
	266	auth_use_nsswitch(dovecot_deliver_t)
	267
	268	logging_send_syslog_msg(dovecot_deliver_t)
d8eb3c71	269	logging_search_logs(dovecot_auth_t)
bb881612 CP	270
	271	miscfiles_read_localization(dovecot_deliver_t)
	272
	273	dovecot_stream_connect_auth(dovecot_deliver_t)
	274
	275	files_search_tmp(dovecot_deliver_t)
	276
	277	fs_getattr_all_fs(dovecot_deliver_t)
	278
	279	userdom_manage_user_home_content_dirs(dovecot_deliver_t)
	280	userdom_manage_user_home_content_files(dovecot_deliver_t)
	281	userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
	282	userdom_manage_user_home_content_pipes(dovecot_deliver_t)
	283	userdom_manage_user_home_content_sockets(dovecot_deliver_t)
	284	userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
	285
4dd84bbf	286	tunable_policy(`use_nfs_home_dirs',`
d8eb3c71 CP	287	fs_manage_nfs_dirs(dovecot_deliver_t)
	288	fs_manage_nfs_files(dovecot_deliver_t)
	289	fs_manage_nfs_symlinks(dovecot_deliver_t)
	290	fs_manage_nfs_dirs(dovecot_t)
4dd84bbf CP	291	fs_manage_nfs_files(dovecot_t)
	292	fs_manage_nfs_symlinks(dovecot_t)
	293	')
	294
	295	tunable_policy(`use_samba_home_dirs',`
d8eb3c71 CP	296	fs_manage_cifs_dirs(dovecot_deliver_t)
	297	fs_manage_cifs_files(dovecot_deliver_t)
	298	fs_manage_cifs_symlinks(dovecot_deliver_t)
	299	fs_manage_cifs_dirs(dovecot_t)
4dd84bbf CP	300	fs_manage_cifs_files(dovecot_t)
	301	fs_manage_cifs_symlinks(dovecot_t)
	302	')
	303
bb881612 CP	304	optional_policy(`
bb881612 CP	305	mta_manage_spool(dovecot_deliver_t)
29ce0009	306	')