[people/stevee/selinux-policy.git] / policy / modules / services / dovecot.te

policy_module(dovecot, 1.12.1)

########################################
#
# Declarations
#
type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)

type dovecot_auth_t;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;

type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)

type dovecot_cert_t;
miscfiles_cert_type(dovecot_cert_t)

type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;

type dovecot_deliver_tmp_t;
files_tmp_file(dovecot_deliver_tmp_t)

type dovecot_etc_t;
files_config_file(dovecot_etc_t)

type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)

type dovecot_passwd_t;
files_type(dovecot_passwd_t)

type dovecot_spool_t;
files_spool_file(dovecot_spool_t)

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)

# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)

type dovecot_var_log_t;
logging_log_file(dovecot_var_log_t)

type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)

########################################
#
# dovecot local policy
#

allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };

domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)

allow dovecot_t dovecot_auth_t:process signal;

allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)

allow dovecot_t dovecot_etc_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
files_search_etc(dovecot_t)

can_exec(dovecot_t, dovecot_exec_t)

manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })

# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
files_read_var_symlinks(dovecot_t)

manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })

manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)

manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })

kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)

corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)

dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)

fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)

corecmd_exec_bin(dovecot_t)

domain_use_interactive_fds(dovecot_t)

files_read_etc_files(dovecot_t)
files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)
files_read_var_lib_files(dovecot_t)

init_getattr_utmp(dovecot_t)

auth_use_nsswitch(dovecot_t)

logging_send_syslog_msg(dovecot_t)

miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_home_manager(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
userdom_manage_user_home_content_symlinks(dovecot_t)
userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

optional_policy(`
	kerberos_keytab_template(dovecot, dovecot_t)
')

optional_policy(`
	gnome_manage_data(dovecot_t)
')

optional_policy(`
	postfix_manage_private_sockets(dovecot_t)
	postfix_search_spool(dovecot_t)
')

optional_policy(`
	postgresql_stream_connect(dovecot_t)
')

optional_policy(`
	seutil_sigchld_newrole(dovecot_t)
')

optional_policy(`
	squid_dontaudit_search_cache(dovecot_t)
')

optional_policy(`
	udev_read_db(dovecot_t)
')

########################################
#
# dovecot auth local policy
#

allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;

allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };

read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)

read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)

manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })

allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)

kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)

corecmd_exec_bin(dovecot_auth_t)

logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)

dev_search_sysfs(dovecot_auth_t)
dev_read_urand(dovecot_auth_t)

auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)

files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)

fs_getattr_xattr_fs(dovecot_auth_t)

init_rw_utmp(dovecot_auth_t)

miscfiles_read_localization(dovecot_auth_t)

seutil_dontaudit_search_config(dovecot_auth_t)

optional_policy(`
	kerberos_use(dovecot_auth_t)

	# for gssapi (kerberos)
	userdom_list_user_tmp(dovecot_auth_t)
	userdom_read_user_tmp_files(dovecot_auth_t)
	userdom_read_user_tmp_symlinks(dovecot_auth_t)
')

optional_policy(`
	mysql_search_db(dovecot_auth_t)
	mysql_stream_connect(dovecot_auth_t)
	mysql_read_config(dovecot_auth_t)
	mysql_tcp_connect(dovecot_auth_t)
')

optional_policy(`
	nis_authenticate(dovecot_auth_t)
')

optional_policy(`
	postfix_manage_private_sockets(dovecot_auth_t)
	postfix_rw_master_pipes(dovecot_deliver_t)
	postfix_search_spool(dovecot_auth_t)
')

########################################
#
# dovecot deliver local policy
#

allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;

allow dovecot_deliver_t dovecot_t:process signull;

allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)

allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;

append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)

manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })

allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect(dovecot_deliver_t)

can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)

kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)

corecmd_exec_bin(dovecot_deliver_t)

files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)

auth_use_nsswitch(dovecot_deliver_t)

logging_send_syslog_msg(dovecot_deliver_t)
logging_append_all_logs(dovecot_deliver_t)

miscfiles_read_localization(dovecot_deliver_t)

dovecot_stream_connect_auth(dovecot_deliver_t)

files_search_tmp(dovecot_deliver_t)

fs_getattr_all_fs(dovecot_deliver_t)

userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })

userdom_home_manager(dovecot_deliver_t)

optional_policy(`
	gnome_manage_data(dovecot_deliver_t)
')

optional_policy(`
	mta_manage_spool(dovecot_deliver_t)
	mta_read_queue(dovecot_deliver_t)
')

optional_policy(`
	postfix_use_fds_master(dovecot_deliver_t)
')

optional_policy(`
	# Handle sieve scripts
	sendmail_domtrans(dovecot_deliver_t)
')
Commit	Line	Data
2b5cb1ff	1	policy_module(dovecot, 1.12.1)
29ce0009 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
784a3bbc	7	type dovecot_t;
29ce0009	8	type dovecot_exec_t;
0bfccda4	9	init_daemon_domain(dovecot_t, dovecot_exec_t)
29ce0009	10
46551033 CP	11	type dovecot_auth_t;
	12	type dovecot_auth_exec_t;
	13	domain_type(dovecot_auth_t)
0bfccda4	14	domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
46551033 CP	15	role system_r types dovecot_auth_t;
46551033 CP	16
bb881612 CP	17	type dovecot_auth_tmp_t;
	18	files_tmp_file(dovecot_auth_tmp_t)
	19
29ce0009	20	type dovecot_cert_t;
3eaa9939	21	miscfiles_cert_type(dovecot_cert_t)
29ce0009	22
bb881612 CP	23	type dovecot_deliver_t;
	24	type dovecot_deliver_exec_t;
	25	domain_type(dovecot_deliver_t)
	26	domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
	27	role system_r types dovecot_deliver_t;
	28
3a321261 MG	29	type dovecot_deliver_tmp_t;
	30	files_tmp_file(dovecot_deliver_tmp_t)
	31
9bbc757a CP	32	type dovecot_etc_t;
9bbc757a CP	33	files_config_file(dovecot_etc_t)
29ce0009	34
bb881612 CP	35	type dovecot_initrc_exec_t;
	36	init_script_file(dovecot_initrc_exec_t)
	37
29ce0009 CP	38	type dovecot_passwd_t;
	39	files_type(dovecot_passwd_t)
	40
	41	type dovecot_spool_t;
0059652b	42	files_spool_file(dovecot_spool_t)
29ce0009	43
d8eb3c71 CP	44	type dovecot_tmp_t;
	45	files_tmp_file(dovecot_tmp_t)
	46
46551033 CP	47	# /var/lib/dovecot holds SSL parameters file
46551033 CP	48	type dovecot_var_lib_t;
4dd84bbf	49	files_type(dovecot_var_lib_t)
46551033	50
bb881612 CP	51	type dovecot_var_log_t;
	52	logging_log_file(dovecot_var_log_t)
	53
29ce0009 CP	54	type dovecot_var_run_t;
	55	files_pid_file(dovecot_var_run_t)
	56
29ce0009 CP	57	########################################
	58	#
	59	# dovecot local policy
	60	#
d828b5ca	61
dfa6eba1	62	allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
29ce0009	63	dontaudit dovecot_t self:capability sys_tty_config;
3eaa9939	64	allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
c0868a7a	65	allow dovecot_t self:fifo_file rw_fifo_file_perms;
29ce0009 CP	66	allow dovecot_t self:tcp_socket create_stream_socket_perms;
29ce0009 CP	67	allow dovecot_t self:unix_dgram_socket create_socket_perms;
2e0a8801	68	allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
29ce0009	69
c0868a7a	70	domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
29ce0009	71
d8eb3c71 CP	72	allow dovecot_t dovecot_auth_t:process signal;
d8eb3c71 CP	73
c0868a7a	74	allow dovecot_t dovecot_cert_t:dir list_dir_perms;
0bfccda4 CP	75	read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
0bfccda4 CP	76	read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
29ce0009	77
3eaa9939 DW	78	allow dovecot_t dovecot_etc_t:dir list_dir_perms;
3eaa9939 DW	79	read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
1ff72b4f	80	read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
29ce0009 CP	81	files_search_etc(dovecot_t)
	82
	83	can_exec(dovecot_t, dovecot_exec_t)
	84
d8eb3c71 CP	85	manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
	86	manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
	87	files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
	88
	89	# Allow dovecot to create and read SSL parameters file
	90	manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
	91	files_search_var_lib(dovecot_t)
	92	files_read_var_symlinks(dovecot_t)
	93
	94	manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
bb881612	95	manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
d8eb3c71	96	logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
bb881612	97
0bfccda4 CP	98	manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
	99	manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
	100	manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
29ce0009	101
3eaa9939	102	manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
0bfccda4	103	manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
d8eb3c71	104	manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
0bfccda4	105	manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
dbbc62f3 DW	106	manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
dbbc62f3 DW	107	files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
29ce0009	108
445522dc	109	kernel_read_kernel_sysctls(dovecot_t)
29ce0009 CP	110	kernel_read_system_state(dovecot_t)
29ce0009 CP	111
19006686 CP	112	corenet_all_recvfrom_unlabeled(dovecot_t)
19006686 CP	113	corenet_all_recvfrom_netlabel(dovecot_t)
668b3093	114	corenet_tcp_sendrecv_generic_if(dovecot_t)
c1262146	115	corenet_tcp_sendrecv_generic_node(dovecot_t)
29ce0009	116	corenet_tcp_sendrecv_all_ports(dovecot_t)
c1262146	117	corenet_tcp_bind_generic_node(dovecot_t)
d8eb3c71	118	corenet_tcp_bind_mail_port(dovecot_t)
e6a2eaff	119	corenet_tcp_bind_pop_port(dovecot_t)
12a6885c DW	120	corenet_tcp_bind_lmtp_port(dovecot_t)
12a6885c DW	121	corenet_tcp_bind_sieve_port(dovecot_t)
da4fc9ce	122	corenet_tcp_connect_all_ports(dovecot_t)
72492557	123	corenet_tcp_connect_postgresql_port(dovecot_t)
3d03a4f4 CP	124	corenet_sendrecv_pop_server_packets(dovecot_t)
3d03a4f4 CP	125	corenet_sendrecv_all_client_packets(dovecot_t)
29ce0009 CP	126
	127	dev_read_sysfs(dovecot_t)
	128	dev_read_urand(dovecot_t)
	129
	130	fs_getattr_all_fs(dovecot_t)
d8eb3c71	131	fs_getattr_all_dirs(dovecot_t)
29ce0009	132	fs_search_auto_mountpoints(dovecot_t)
72492557	133	fs_list_inotifyfs(dovecot_t)
29ce0009	134
29ce0009 CP	135	corecmd_exec_bin(dovecot_t)
29ce0009 CP	136
15722ec9	137	domain_use_interactive_fds(dovecot_t)
29ce0009 CP	138
	139	files_read_etc_files(dovecot_t)
	140	files_search_spool(dovecot_t)
	141	files_search_tmp(dovecot_t)
bf080a46	142	files_dontaudit_list_default(dovecot_t)
165b42d2 CP	143	# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
165b42d2 CP	144	files_read_etc_runtime_files(dovecot_t)
bb881612	145	files_search_all_mountpoints(dovecot_t)
ed2ac112	146	files_read_var_lib_files(dovecot_t)
29ce0009	147
68228b33	148	init_getattr_utmp(dovecot_t)
29ce0009	149
c0cf6e0a CP	150	auth_use_nsswitch(dovecot_t)
c0cf6e0a CP	151
29ce0009 CP	152	logging_send_syslog_msg(dovecot_t)
29ce0009 CP	153
83406219	154	miscfiles_read_generic_certs(dovecot_t)
29ce0009 CP	155	miscfiles_read_localization(dovecot_t)
29ce0009 CP	156
ed2ac112	157	userdom_home_manager(dovecot_t)
15722ec9	158	userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
296273a7 CP	159	userdom_manage_user_home_content_dirs(dovecot_t)
	160	userdom_manage_user_home_content_files(dovecot_t)
	161	userdom_manage_user_home_content_symlinks(dovecot_t)
	162	userdom_manage_user_home_content_pipes(dovecot_t)
	163	userdom_manage_user_home_content_sockets(dovecot_t)
	164	userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
29ce0009	165
704327e8	166	mta_manage_spool(dovecot_t)
29ce0009	167
bb7170f6	168	optional_policy(`
bb881612	169	kerberos_keytab_template(dovecot, dovecot_t)
29ce0009 CP	170	')
29ce0009 CP	171
4d1378a4 DW	172	optional_policy(`
	173	gnome_manage_data(dovecot_t)
	174	')
	175
3eaa9939	176	optional_policy(`
68ac47d8 DG	177	postfix_manage_private_sockets(dovecot_t)
68ac47d8 DG	178	postfix_search_spool(dovecot_t)
3eaa9939 DW	179	')
3eaa9939 DW	180
d8eb3c71 CP	181	optional_policy(`
	182	postgresql_stream_connect(dovecot_t)
	183	')
	184
bb7170f6	185	optional_policy(`
29ce0009 CP	186	seutil_sigchld_newrole(dovecot_t)
	187	')
	188
b129e200 CP	189	optional_policy(`
	190	squid_dontaudit_search_cache(dovecot_t)
	191	')
	192
bb7170f6	193	optional_policy(`
29ce0009 CP	194	udev_read_db(dovecot_t)
	195	')
	196
	197	########################################
	198	#
	199	# dovecot auth local policy
	200	#
d828b5ca	201
d8360889 DW	202	allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
d8360889 DW	203	allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
c0868a7a	204	allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
29ce0009 CP	205	allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
	206	allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
	207
bb881612 CP	208	allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
	209
	210	read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
29ce0009	211
ef394695	212	read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
1ff72b4f	213	read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
ef394695	214
bb881612 CP	215	manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
	216	manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
	217	files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
29ce0009	218
ef659a47	219	allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
bb881612 CP	220	manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
bb881612 CP	221	dovecot_stream_connect_auth(dovecot_auth_t)
9cca1cd5	222
445522dc	223	kernel_read_all_sysctls(dovecot_auth_t)
29ce0009 CP	224	kernel_read_system_state(dovecot_auth_t)
29ce0009 CP	225
0e27962b MG	226	corecmd_exec_bin(dovecot_auth_t)
0e27962b MG	227
bb881612 CP	228	logging_send_audit_msgs(dovecot_auth_t)
	229	logging_send_syslog_msg(dovecot_auth_t)
	230
0daf404d	231	dev_search_sysfs(dovecot_auth_t)
29ce0009 CP	232	dev_read_urand(dovecot_auth_t)
	233
	234	auth_domtrans_chk_passwd(dovecot_auth_t)
78510c55	235	auth_use_nsswitch(dovecot_auth_t)
29ce0009 CP	236
29ce0009 CP	237	files_read_etc_files(dovecot_auth_t)
78510c55	238	files_read_etc_runtime_files(dovecot_auth_t)
29ce0009	239	files_search_pids(dovecot_auth_t)
bb881612	240	files_read_usr_files(dovecot_auth_t)
9cca1cd5	241	files_read_usr_symlinks(dovecot_auth_t)
d8eb3c71	242	files_read_var_lib_files(dovecot_auth_t)
9cca1cd5	243	files_search_tmp(dovecot_auth_t)
29ce0009	244
2d941d16 DG	245	fs_getattr_xattr_fs(dovecot_auth_t)
2d941d16 DG	246
d9845ae9 CP	247	init_rw_utmp(dovecot_auth_t)
d9845ae9 CP	248
29ce0009 CP	249	miscfiles_read_localization(dovecot_auth_t)
	250
	251	seutil_dontaudit_search_config(dovecot_auth_t)
	252
bb7170f6	253	optional_policy(`
29ce0009	254	kerberos_use(dovecot_auth_t)
4dd84bbf CP	255
	256	# for gssapi (kerberos)
	257	userdom_list_user_tmp(dovecot_auth_t)
	258	userdom_read_user_tmp_files(dovecot_auth_t)
	259	userdom_read_user_tmp_symlinks(dovecot_auth_t)
29ce0009 CP	260	')
29ce0009 CP	261
bb7170f6	262	optional_policy(`
bb881612 CP	263	mysql_search_db(dovecot_auth_t)
bb881612 CP	264	mysql_stream_connect(dovecot_auth_t)
bd0a7f42 DW	265	mysql_read_config(dovecot_auth_t)
bd0a7f42 DW	266	mysql_tcp_connect(dovecot_auth_t)
bb881612 CP	267	')
	268
	269	optional_policy(`
	270	nis_authenticate(dovecot_auth_t)
	271	')
	272
	273	optional_policy(`
3eaa9939	274	postfix_manage_private_sockets(dovecot_auth_t)
f52efc83	275	postfix_rw_master_pipes(dovecot_deliver_t)
bb881612 CP	276	postfix_search_spool(dovecot_auth_t)
	277	')
	278
	279	########################################
	280	#
	281	# dovecot deliver local policy
	282	#
5a1cc7f0 MG	283
5a1cc7f0 MG	284	allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
bb881612 CP	285	allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
bb881612 CP	286
d8eb3c71 CP	287	allow dovecot_deliver_t dovecot_t:process signull;
d8eb3c71 CP	288
ae4084fc	289	allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
3eaa9939	290	read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
1ff72b4f	291	read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
ae4084fc	292
3eaa9939	293	allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
ef98a374 DW	294
ef98a374 DW	295	append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
3eaa9939	296
3a321261 MG	297	manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
	298	manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
	299	files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
	300
3985ee8b DG	301	allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
	302	read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
	303	dovecot_stream_connect(dovecot_deliver_t)
	304
3eaa9939 DW	305	can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
3eaa9939 DW	306
bb881612 CP	307	kernel_read_all_sysctls(dovecot_deliver_t)
	308	kernel_read_system_state(dovecot_deliver_t)
	309
3eaa9939 DW	310	corecmd_exec_bin(dovecot_deliver_t)
3eaa9939 DW	311
bb881612 CP	312	files_read_etc_files(dovecot_deliver_t)
	313	files_read_etc_runtime_files(dovecot_deliver_t)
	314
	315	auth_use_nsswitch(dovecot_deliver_t)
	316
	317	logging_send_syslog_msg(dovecot_deliver_t)
f4dc1988	318	logging_append_all_logs(dovecot_deliver_t)
bb881612 CP	319
	320	miscfiles_read_localization(dovecot_deliver_t)
	321
	322	dovecot_stream_connect_auth(dovecot_deliver_t)
	323
	324	files_search_tmp(dovecot_deliver_t)
	325
	326	fs_getattr_all_fs(dovecot_deliver_t)
	327
	328	userdom_manage_user_home_content_dirs(dovecot_deliver_t)
	329	userdom_manage_user_home_content_files(dovecot_deliver_t)
	330	userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
	331	userdom_manage_user_home_content_pipes(dovecot_deliver_t)
	332	userdom_manage_user_home_content_sockets(dovecot_deliver_t)
	333	userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
	334
ed2ac112	335	userdom_home_manager(dovecot_deliver_t)
4dd84bbf	336
4b7fe5b4 DW	337	optional_policy(`
	338	gnome_manage_data(dovecot_deliver_t)
	339	')
	340
bb881612 CP	341	optional_policy(`
bb881612 CP	342	mta_manage_spool(dovecot_deliver_t)
3eaa9939	343	mta_read_queue(dovecot_deliver_t)
29ce0009	344	')
5a1cc7f0	345
2265b98c DG	346	optional_policy(`
	347	postfix_use_fds_master(dovecot_deliver_t)
	348	')
	349
5a1cc7f0 MG	350	optional_policy(`
	351	# Handle sieve scripts
	352	sendmail_domtrans(dovecot_deliver_t)
	353	')