[people/stevee/selinux-policy.git] / policy / modules / services / dovecot.te

policy_module(dovecot, 1.12.0)

########################################
#
# Declarations
#
type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)

type dovecot_auth_t;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;

type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)

type dovecot_cert_t;
miscfiles_cert_type(dovecot_cert_t)

type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;

type dovecot_deliver_tmp_t;
files_tmp_file(dovecot_deliver_tmp_t)

type dovecot_etc_t;
files_config_file(dovecot_etc_t)

type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)

type dovecot_passwd_t;
files_type(dovecot_passwd_t)

type dovecot_spool_t;
files_type(dovecot_spool_t)

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)

# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)

type dovecot_var_log_t;
logging_log_file(dovecot_var_log_t)

type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)

########################################
#
# dovecot local policy
#

allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };

domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)

allow dovecot_t dovecot_auth_t:process signal;

allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)

allow dovecot_t dovecot_etc_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
files_search_etc(dovecot_t)

can_exec(dovecot_t, dovecot_exec_t)

manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })

# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
files_read_var_symlinks(dovecot_t)

manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })

manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)

manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })

kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)

corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)

dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)

fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)

corecmd_exec_bin(dovecot_t)

domain_use_interactive_fds(dovecot_t)

files_read_etc_files(dovecot_t)
files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)

init_getattr_utmp(dovecot_t)

auth_use_nsswitch(dovecot_t)

logging_send_syslog_msg(dovecot_t)

miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
userdom_manage_user_home_content_symlinks(dovecot_t)
userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

optional_policy(`
	kerberos_keytab_template(dovecot, dovecot_t)
')

optional_policy(`
	gnome_manage_data(dovecot_t)
')

optional_policy(`
	postfix_manage_private_sockets(dovecot_t)
	postfix_search_spool(dovecot_t)
')

optional_policy(`
	postgresql_stream_connect(dovecot_t)
')

optional_policy(`
	seutil_sigchld_newrole(dovecot_t)
')

optional_policy(`
	squid_dontaudit_search_cache(dovecot_t)
')

optional_policy(`
	udev_read_db(dovecot_t)
')

########################################
#
# dovecot auth local policy
#

allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;

allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };

read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)

read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)

manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })

allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)

kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)

logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)

dev_read_urand(dovecot_auth_t)

auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)

files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)

init_rw_utmp(dovecot_auth_t)

miscfiles_read_localization(dovecot_auth_t)

seutil_dontaudit_search_config(dovecot_auth_t)

optional_policy(`
	kerberos_use(dovecot_auth_t)

	# for gssapi (kerberos)
	userdom_list_user_tmp(dovecot_auth_t)
	userdom_read_user_tmp_files(dovecot_auth_t)
	userdom_read_user_tmp_symlinks(dovecot_auth_t)
')

optional_policy(`
	mysql_search_db(dovecot_auth_t)
	mysql_stream_connect(dovecot_auth_t)
')

optional_policy(`
	nis_authenticate(dovecot_auth_t)
')

optional_policy(`
	postfix_manage_private_sockets(dovecot_auth_t)
	postfix_search_spool(dovecot_auth_t)
')

########################################
#
# dovecot deliver local policy
#

allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;

allow dovecot_deliver_t dovecot_t:process signull;

allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)

allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;

allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;

append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)

manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })

can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)

kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)

corecmd_exec_bin(dovecot_deliver_t)

files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)

auth_use_nsswitch(dovecot_deliver_t)

logging_send_syslog_msg(dovecot_deliver_t)
logging_append_all_logs(dovecot_deliver_t)

miscfiles_read_localization(dovecot_deliver_t)

dovecot_stream_connect_auth(dovecot_deliver_t)

files_search_tmp(dovecot_deliver_t)

fs_getattr_all_fs(dovecot_deliver_t)

userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(dovecot_deliver_t)
	fs_manage_nfs_files(dovecot_deliver_t)
	fs_manage_nfs_symlinks(dovecot_deliver_t)
	fs_manage_nfs_dirs(dovecot_t)
	fs_manage_nfs_files(dovecot_t)
	fs_manage_nfs_symlinks(dovecot_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(dovecot_deliver_t)
	fs_manage_cifs_files(dovecot_deliver_t)
	fs_manage_cifs_symlinks(dovecot_deliver_t)
	fs_manage_cifs_dirs(dovecot_t)
	fs_manage_cifs_files(dovecot_t)
	fs_manage_cifs_symlinks(dovecot_t)
')

optional_policy(`
	gnome_manage_data(dovecot_deliver_t)
')

optional_policy(`
	mta_manage_spool(dovecot_deliver_t)
	mta_read_queue(dovecot_deliver_t)
')

optional_policy(`
	# Handle sieve scripts
	sendmail_domtrans(dovecot_deliver_t)
')
Commit	Line	Data
29af4c13	1	policy_module(dovecot, 1.12.0)
29ce0009 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
784a3bbc	7	type dovecot_t;
29ce0009	8	type dovecot_exec_t;
0bfccda4	9	init_daemon_domain(dovecot_t, dovecot_exec_t)
29ce0009	10
46551033 CP	11	type dovecot_auth_t;
	12	type dovecot_auth_exec_t;
	13	domain_type(dovecot_auth_t)
0bfccda4	14	domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
46551033 CP	15	role system_r types dovecot_auth_t;
46551033 CP	16
bb881612 CP	17	type dovecot_auth_tmp_t;
	18	files_tmp_file(dovecot_auth_tmp_t)
	19
29ce0009	20	type dovecot_cert_t;
3eaa9939	21	miscfiles_cert_type(dovecot_cert_t)
29ce0009	22
bb881612 CP	23	type dovecot_deliver_t;
	24	type dovecot_deliver_exec_t;
	25	domain_type(dovecot_deliver_t)
	26	domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
	27	role system_r types dovecot_deliver_t;
	28
3a321261 MG	29	type dovecot_deliver_tmp_t;
	30	files_tmp_file(dovecot_deliver_tmp_t)
	31
9bbc757a CP	32	type dovecot_etc_t;
9bbc757a CP	33	files_config_file(dovecot_etc_t)
29ce0009	34
bb881612 CP	35	type dovecot_initrc_exec_t;
	36	init_script_file(dovecot_initrc_exec_t)
	37
29ce0009 CP	38	type dovecot_passwd_t;
	39	files_type(dovecot_passwd_t)
	40
	41	type dovecot_spool_t;
	42	files_type(dovecot_spool_t)
	43
d8eb3c71 CP	44	type dovecot_tmp_t;
	45	files_tmp_file(dovecot_tmp_t)
	46
46551033 CP	47	# /var/lib/dovecot holds SSL parameters file
46551033 CP	48	type dovecot_var_lib_t;
4dd84bbf	49	files_type(dovecot_var_lib_t)
46551033	50
bb881612 CP	51	type dovecot_var_log_t;
	52	logging_log_file(dovecot_var_log_t)
	53
29ce0009 CP	54	type dovecot_var_run_t;
	55	files_pid_file(dovecot_var_run_t)
	56
29ce0009 CP	57	########################################
	58	#
	59	# dovecot local policy
	60	#
d828b5ca	61
dfa6eba1	62	allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
29ce0009	63	dontaudit dovecot_t self:capability sys_tty_config;
3eaa9939	64	allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
c0868a7a	65	allow dovecot_t self:fifo_file rw_fifo_file_perms;
29ce0009 CP	66	allow dovecot_t self:tcp_socket create_stream_socket_perms;
29ce0009 CP	67	allow dovecot_t self:unix_dgram_socket create_socket_perms;
2e0a8801	68	allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
29ce0009	69
c0868a7a	70	domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
29ce0009	71
d8eb3c71 CP	72	allow dovecot_t dovecot_auth_t:process signal;
d8eb3c71 CP	73
c0868a7a	74	allow dovecot_t dovecot_cert_t:dir list_dir_perms;
0bfccda4 CP	75	read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
0bfccda4 CP	76	read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
29ce0009	77
3eaa9939 DW	78	allow dovecot_t dovecot_etc_t:dir list_dir_perms;
3eaa9939 DW	79	read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
29ce0009 CP	80	files_search_etc(dovecot_t)
	81
	82	can_exec(dovecot_t, dovecot_exec_t)
	83
d8eb3c71 CP	84	manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
	85	manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
	86	files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
	87
	88	# Allow dovecot to create and read SSL parameters file
	89	manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
	90	files_search_var_lib(dovecot_t)
	91	files_read_var_symlinks(dovecot_t)
	92
	93	manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
bb881612	94	manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
d8eb3c71	95	logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
bb881612	96
0bfccda4 CP	97	manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
	98	manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
	99	manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
29ce0009	100
3eaa9939	101	manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
0bfccda4	102	manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
d8eb3c71	103	manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
0bfccda4	104	manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
3eaa9939	105	files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
29ce0009	106
445522dc	107	kernel_read_kernel_sysctls(dovecot_t)
29ce0009 CP	108	kernel_read_system_state(dovecot_t)
29ce0009 CP	109
19006686 CP	110	corenet_all_recvfrom_unlabeled(dovecot_t)
19006686 CP	111	corenet_all_recvfrom_netlabel(dovecot_t)
668b3093	112	corenet_tcp_sendrecv_generic_if(dovecot_t)
c1262146	113	corenet_tcp_sendrecv_generic_node(dovecot_t)
29ce0009	114	corenet_tcp_sendrecv_all_ports(dovecot_t)
c1262146	115	corenet_tcp_bind_generic_node(dovecot_t)
d8eb3c71	116	corenet_tcp_bind_mail_port(dovecot_t)
e6a2eaff	117	corenet_tcp_bind_pop_port(dovecot_t)
12a6885c DW	118	corenet_tcp_bind_lmtp_port(dovecot_t)
12a6885c DW	119	corenet_tcp_bind_sieve_port(dovecot_t)
da4fc9ce	120	corenet_tcp_connect_all_ports(dovecot_t)
72492557	121	corenet_tcp_connect_postgresql_port(dovecot_t)
3d03a4f4 CP	122	corenet_sendrecv_pop_server_packets(dovecot_t)
3d03a4f4 CP	123	corenet_sendrecv_all_client_packets(dovecot_t)
29ce0009 CP	124
	125	dev_read_sysfs(dovecot_t)
	126	dev_read_urand(dovecot_t)
	127
	128	fs_getattr_all_fs(dovecot_t)
d8eb3c71	129	fs_getattr_all_dirs(dovecot_t)
29ce0009	130	fs_search_auto_mountpoints(dovecot_t)
72492557	131	fs_list_inotifyfs(dovecot_t)
29ce0009	132
29ce0009 CP	133	corecmd_exec_bin(dovecot_t)
29ce0009 CP	134
15722ec9	135	domain_use_interactive_fds(dovecot_t)
29ce0009 CP	136
	137	files_read_etc_files(dovecot_t)
	138	files_search_spool(dovecot_t)
	139	files_search_tmp(dovecot_t)
bf080a46	140	files_dontaudit_list_default(dovecot_t)
165b42d2 CP	141	# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
165b42d2 CP	142	files_read_etc_runtime_files(dovecot_t)
bb881612	143	files_search_all_mountpoints(dovecot_t)
29ce0009	144
68228b33	145	init_getattr_utmp(dovecot_t)
29ce0009	146
c0cf6e0a CP	147	auth_use_nsswitch(dovecot_t)
c0cf6e0a CP	148
29ce0009 CP	149	logging_send_syslog_msg(dovecot_t)
29ce0009 CP	150
83406219	151	miscfiles_read_generic_certs(dovecot_t)
29ce0009 CP	152	miscfiles_read_localization(dovecot_t)
29ce0009 CP	153
15722ec9	154	userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
296273a7 CP	155	userdom_manage_user_home_content_dirs(dovecot_t)
	156	userdom_manage_user_home_content_files(dovecot_t)
	157	userdom_manage_user_home_content_symlinks(dovecot_t)
	158	userdom_manage_user_home_content_pipes(dovecot_t)
	159	userdom_manage_user_home_content_sockets(dovecot_t)
	160	userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
29ce0009	161
704327e8	162	mta_manage_spool(dovecot_t)
29ce0009	163
bb7170f6	164	optional_policy(`
bb881612	165	kerberos_keytab_template(dovecot, dovecot_t)
29ce0009 CP	166	')
29ce0009 CP	167
4d1378a4 DW	168	optional_policy(`
	169	gnome_manage_data(dovecot_t)
	170	')
	171
3eaa9939	172	optional_policy(`
68ac47d8 DG	173	postfix_manage_private_sockets(dovecot_t)
68ac47d8 DG	174	postfix_search_spool(dovecot_t)
3eaa9939 DW	175	')
3eaa9939 DW	176
d8eb3c71 CP	177	optional_policy(`
	178	postgresql_stream_connect(dovecot_t)
	179	')
	180
bb7170f6	181	optional_policy(`
29ce0009 CP	182	seutil_sigchld_newrole(dovecot_t)
	183	')
	184
b129e200 CP	185	optional_policy(`
	186	squid_dontaudit_search_cache(dovecot_t)
	187	')
	188
bb7170f6	189	optional_policy(`
29ce0009 CP	190	udev_read_db(dovecot_t)
	191	')
	192
	193	########################################
	194	#
	195	# dovecot auth local policy
	196	#
d828b5ca	197
d255399f	198	allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
4dd84bbf	199	allow dovecot_auth_t self:process { signal_perms getcap setcap };
c0868a7a	200	allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
29ce0009 CP	201	allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
	202	allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
	203
bb881612 CP	204	allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
	205
	206	read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
29ce0009	207
ef394695 DW	208	read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
ef394695 DW	209
bb881612 CP	210	manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
	211	manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
	212	files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
29ce0009	213
ef659a47	214	allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
bb881612 CP	215	manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
bb881612 CP	216	dovecot_stream_connect_auth(dovecot_auth_t)
9cca1cd5	217
445522dc	218	kernel_read_all_sysctls(dovecot_auth_t)
29ce0009 CP	219	kernel_read_system_state(dovecot_auth_t)
29ce0009 CP	220
bb881612 CP	221	logging_send_audit_msgs(dovecot_auth_t)
	222	logging_send_syslog_msg(dovecot_auth_t)
	223
29ce0009 CP	224	dev_read_urand(dovecot_auth_t)
	225
	226	auth_domtrans_chk_passwd(dovecot_auth_t)
78510c55	227	auth_use_nsswitch(dovecot_auth_t)
29ce0009 CP	228
29ce0009 CP	229	files_read_etc_files(dovecot_auth_t)
78510c55	230	files_read_etc_runtime_files(dovecot_auth_t)
29ce0009	231	files_search_pids(dovecot_auth_t)
bb881612	232	files_read_usr_files(dovecot_auth_t)
9cca1cd5	233	files_read_usr_symlinks(dovecot_auth_t)
d8eb3c71	234	files_read_var_lib_files(dovecot_auth_t)
9cca1cd5	235	files_search_tmp(dovecot_auth_t)
eac818f0	236	files_read_var_lib_files(dovecot_t)
29ce0009	237
d9845ae9 CP	238	init_rw_utmp(dovecot_auth_t)
d9845ae9 CP	239
29ce0009 CP	240	miscfiles_read_localization(dovecot_auth_t)
	241
	242	seutil_dontaudit_search_config(dovecot_auth_t)
	243
bb7170f6	244	optional_policy(`
29ce0009	245	kerberos_use(dovecot_auth_t)
4dd84bbf CP	246
	247	# for gssapi (kerberos)
	248	userdom_list_user_tmp(dovecot_auth_t)
	249	userdom_read_user_tmp_files(dovecot_auth_t)
	250	userdom_read_user_tmp_symlinks(dovecot_auth_t)
29ce0009 CP	251	')
29ce0009 CP	252
bb7170f6	253	optional_policy(`
bb881612 CP	254	mysql_search_db(dovecot_auth_t)
	255	mysql_stream_connect(dovecot_auth_t)
	256	')
	257
	258	optional_policy(`
	259	nis_authenticate(dovecot_auth_t)
	260	')
	261
	262	optional_policy(`
3eaa9939	263	postfix_manage_private_sockets(dovecot_auth_t)
bb881612 CP	264	postfix_search_spool(dovecot_auth_t)
	265	')
	266
	267	########################################
	268	#
	269	# dovecot deliver local policy
	270	#
5a1cc7f0 MG	271
5a1cc7f0 MG	272	allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
bb881612 CP	273	allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
bb881612 CP	274
d8eb3c71 CP	275	allow dovecot_deliver_t dovecot_t:process signull;
d8eb3c71 CP	276
ae4084fc	277	allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
3eaa9939	278	read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
ae4084fc	279
bb881612 CP	280	allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
bb881612 CP	281
3eaa9939	282	allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
ef98a374 DW	283
ef98a374 DW	284	append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
3eaa9939	285
3a321261 MG	286	manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
	287	manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
	288	files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
	289
3eaa9939 DW	290	can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
3eaa9939 DW	291
bb881612 CP	292	kernel_read_all_sysctls(dovecot_deliver_t)
	293	kernel_read_system_state(dovecot_deliver_t)
	294
3eaa9939 DW	295	corecmd_exec_bin(dovecot_deliver_t)
3eaa9939 DW	296
bb881612 CP	297	files_read_etc_files(dovecot_deliver_t)
	298	files_read_etc_runtime_files(dovecot_deliver_t)
	299
	300	auth_use_nsswitch(dovecot_deliver_t)
	301
	302	logging_send_syslog_msg(dovecot_deliver_t)
f4dc1988	303	logging_append_all_logs(dovecot_deliver_t)
bb881612 CP	304
	305	miscfiles_read_localization(dovecot_deliver_t)
	306
	307	dovecot_stream_connect_auth(dovecot_deliver_t)
	308
	309	files_search_tmp(dovecot_deliver_t)
	310
	311	fs_getattr_all_fs(dovecot_deliver_t)
	312
	313	userdom_manage_user_home_content_dirs(dovecot_deliver_t)
	314	userdom_manage_user_home_content_files(dovecot_deliver_t)
	315	userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
	316	userdom_manage_user_home_content_pipes(dovecot_deliver_t)
	317	userdom_manage_user_home_content_sockets(dovecot_deliver_t)
	318	userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
	319
4dd84bbf	320	tunable_policy(`use_nfs_home_dirs',`
d8eb3c71 CP	321	fs_manage_nfs_dirs(dovecot_deliver_t)
	322	fs_manage_nfs_files(dovecot_deliver_t)
	323	fs_manage_nfs_symlinks(dovecot_deliver_t)
	324	fs_manage_nfs_dirs(dovecot_t)
4dd84bbf CP	325	fs_manage_nfs_files(dovecot_t)
	326	fs_manage_nfs_symlinks(dovecot_t)
	327	')
	328
	329	tunable_policy(`use_samba_home_dirs',`
d8eb3c71 CP	330	fs_manage_cifs_dirs(dovecot_deliver_t)
	331	fs_manage_cifs_files(dovecot_deliver_t)
	332	fs_manage_cifs_symlinks(dovecot_deliver_t)
	333	fs_manage_cifs_dirs(dovecot_t)
4dd84bbf CP	334	fs_manage_cifs_files(dovecot_t)
	335	fs_manage_cifs_symlinks(dovecot_t)
	336	')
	337
4b7fe5b4 DW	338	optional_policy(`
	339	gnome_manage_data(dovecot_deliver_t)
	340	')
	341
bb881612 CP	342	optional_policy(`
bb881612 CP	343	mta_manage_spool(dovecot_deliver_t)
3eaa9939	344	mta_read_queue(dovecot_deliver_t)
29ce0009	345	')
5a1cc7f0 MG	346
	347	optional_policy(`
	348	# Handle sieve scripts
	349	sendmail_domtrans(dovecot_deliver_t)
	350	')