]>
Commit | Line | Data |
---|---|---|
6f8cda96 CP |
1 | ## <summary>Courier IMAP and POP3 email servers</summary> |
2 | ||
3 | ######################################## | |
4 | ## <summary> | |
5 | ## Template for creating courier server processes. | |
6 | ## </summary> | |
7 | ## <param name="prefix"> | |
8 | ## <summary> | |
9 | ## Prefix name of the server process. | |
10 | ## </summary> | |
11 | ## </param> | |
12 | # | |
13 | template(`courier_domain_template',` | |
14 | ||
15 | ############################## | |
16 | # | |
17 | # Declarations | |
18 | # | |
19 | ||
20 | type courier_$1_t; | |
21 | type courier_$1_exec_t; | |
22 | init_daemon_domain(courier_$1_t,courier_$1_exec_t) | |
23 | ||
24 | ############################## | |
25 | # | |
26 | # Declarations | |
27 | # | |
28 | ||
29 | allow courier_$1_t self:capability dac_override; | |
30 | dontaudit courier_$1_t self:capability sys_tty_config; | |
31 | allow courier_$1_t self:process { setpgid signal_perms }; | |
32 | allow courier_$1_t self:fifo_file { read write getattr }; | |
33 | allow courier_$1_t self:tcp_socket create_stream_socket_perms; | |
34 | allow courier_$1_t self:udp_socket create_socket_perms; | |
35 | ||
36 | can_exec(courier_$1_t, courier_$1_exec_t) | |
37 | ||
38 | allow courier_$1_t courier_etc_t:file r_file_perms; | |
39 | allow courier_$1_t courier_etc_t:dir r_dir_perms; | |
40 | ||
41 | allow courier_$1_t courier_var_run_t:dir rw_dir_perms; | |
42 | allow courier_$1_t courier_var_run_t:file create_file_perms; | |
43 | allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms; | |
44 | allow courier_$1_t courier_var_run_t:sock_file create_file_perms; | |
45 | files_search_pids(courier_$1_t) | |
46 | ||
47 | kernel_read_system_state(courier_$1_t) | |
48 | kernel_read_kernel_sysctls(courier_$1_t) | |
49 | ||
50 | corecmd_exec_bin(courier_$1_t) | |
51 | ||
52 | corenet_tcp_sendrecv_generic_if(courier_$1_t) | |
53 | corenet_udp_sendrecv_generic_if(courier_$1_t) | |
54 | corenet_raw_sendrecv_generic_if(courier_$1_t) | |
55 | corenet_tcp_sendrecv_all_nodes(courier_$1_t) | |
56 | corenet_udp_sendrecv_all_nodes(courier_$1_t) | |
57 | corenet_raw_sendrecv_all_nodes(courier_$1_t) | |
58 | corenet_tcp_sendrecv_all_ports(courier_$1_t) | |
59 | corenet_udp_sendrecv_all_ports(courier_$1_t) | |
60 | corenet_non_ipsec_sendrecv(courier_$1_t) | |
61 | corenet_tcp_bind_all_nodes(courier_$1_t) | |
62 | corenet_udp_bind_all_nodes(courier_$1_t) | |
63 | ||
64 | dev_read_sysfs(courier_$1_t) | |
65 | ||
66 | domain_use_interactive_fds(courier_$1_t) | |
67 | ||
68 | files_read_etc_files(courier_$1_t) | |
69 | files_read_etc_runtime_files(courier_$1_t) | |
70 | files_read_usr_files(courier_$1_t) | |
71 | ||
72 | fs_getattr_xattr_fs(courier_$1_t) | |
73 | fs_search_auto_mountpoints(courier_$1_t) | |
74 | ||
75 | term_dontaudit_use_console(courier_$1_t) | |
76 | ||
77 | init_use_fds(courier_$1_t) | |
78 | init_use_script_ptys(courier_$1_t) | |
79 | ||
80 | libs_use_ld_so(courier_$1_t) | |
81 | libs_use_shared_libs(courier_$1_t) | |
82 | ||
83 | logging_send_syslog_msg(courier_$1_t) | |
84 | ||
85 | sysnet_read_config(courier_$1_t) | |
86 | ||
87 | userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) | |
88 | ||
89 | ifdef(`targeted_policy',` | |
90 | term_dontaudit_use_unallocated_ttys(courier_$1_t) | |
91 | term_dontaudit_use_generic_ptys(courier_$1_t) | |
92 | files_dontaudit_read_root_files(courier_$1_t) | |
93 | ') | |
94 | ||
95 | optional_policy(` | |
96 | seutil_sigchld_newrole(courier_$1_t) | |
97 | ') | |
98 | ||
99 | optional_policy(` | |
100 | udev_read_db(courier_$1_t) | |
101 | ') | |
102 | ') | |
103 | ||
104 | ######################################## | |
105 | ## <summary> | |
106 | ## Execute the courier authentication daemon with | |
107 | ## a domain transition. | |
108 | ## </summary> | |
109 | ## <param name="prefix"> | |
110 | ## <summary> | |
111 | ## Domain allowed access. | |
112 | ## </summary> | |
113 | ## </param> | |
114 | # | |
115 | interface(`courier_domtrans_authdaemon',` | |
116 | gen_require(` | |
117 | type courier_authdaemon_t, courier_authdaemon_exec_t; | |
118 | ') | |
119 | ||
120 | domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t) | |
121 | allow courier_authdaemon_t $1:fd use; | |
122 | allow courier_authdaemon_t $1:fifo_file rw_file_perms; | |
123 | allow courier_authdaemon_t $1:process sigchld; | |
124 | ') | |
125 | ||
126 | ######################################## | |
127 | ## <summary> | |
128 | ## Execute the courier POP3 and IMAP server with | |
129 | ## a domain transition. | |
130 | ## </summary> | |
131 | ## <param name="prefix"> | |
132 | ## <summary> | |
133 | ## Domain allowed access. | |
134 | ## </summary> | |
135 | ## </param> | |
136 | # | |
137 | interface(`courier_domtrans_pop',` | |
138 | gen_require(` | |
139 | type courier_pop_t, courier_pop_exec_t; | |
140 | ') | |
141 | ||
142 | domain_auto_trans($1, courier_pop_exec_t, courier_pop_t) | |
143 | allow courier_pop_t $1:fd use; | |
144 | allow courier_pop_t $1:fifo_file rw_file_perms; | |
145 | allow courier_pop_t $1:process sigchld; | |
146 | ') |