[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / cyrus.te


policy_module(cyrus,1.1.0)

########################################
#
# Declarations
#

type cyrus_t;
type cyrus_exec_t;
init_daemon_domain(cyrus_t,cyrus_exec_t)

type cyrus_tmp_t;
files_tmp_file(cyrus_tmp_t)

type cyrus_var_lib_t;
files_type(cyrus_var_lib_t)

type cyrus_var_run_t;
files_pid_file(cyrus_var_run_t)

########################################
#
# Local policy
#

allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
allow cyrus_t self:fd use;
allow cyrus_t self:fifo_file rw_file_perms;
allow cyrus_t self:sock_file r_file_perms;
allow cyrus_t self:shm create_shm_perms;
allow cyrus_t self:sem create_sem_perms;
allow cyrus_t self:msgq create_msgq_perms;
allow cyrus_t self:msg { send receive };
allow cyrus_t self:unix_dgram_socket create_socket_perms;
allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
allow cyrus_t self:unix_dgram_socket sendto;
allow cyrus_t self:unix_stream_socket connectto;
allow cyrus_t self:tcp_socket create_stream_socket_perms;
allow cyrus_t self:udp_socket create_socket_perms;

allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
allow cyrus_t cyrus_tmp_t:file create_file_perms;
files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })

allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)

allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
allow cyrus_t cyrus_var_run_t:file create_file_perms;
files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })

kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)

corenet_tcp_sendrecv_all_if(cyrus_t)
corenet_udp_sendrecv_all_if(cyrus_t)
corenet_raw_sendrecv_all_if(cyrus_t)
corenet_tcp_sendrecv_all_nodes(cyrus_t)
corenet_udp_sendrecv_all_nodes(cyrus_t)
corenet_raw_sendrecv_all_nodes(cyrus_t)
corenet_tcp_sendrecv_all_ports(cyrus_t)
corenet_udp_sendrecv_all_ports(cyrus_t)
corenet_non_ipsec_sendrecv(cyrus_t)
corenet_tcp_bind_all_nodes(cyrus_t)
corenet_udp_bind_all_nodes(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
corenet_tcp_connect_all_ports(cyrus_t)

dev_read_rand(cyrus_t)
dev_read_urand(cyrus_t)
dev_read_sysfs(cyrus_t)

fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)

term_dontaudit_use_console(cyrus_t)

corecmd_exec_bin(cyrus_t)

domain_use_interactive_fds(cyrus_t)

files_list_var_lib(cyrus_t)
files_read_etc_files(cyrus_t)
files_read_etc_runtime_files(cyrus_t)

init_use_fds(cyrus_t)
init_use_script_ptys(cyrus_t)

libs_use_ld_so(cyrus_t)
libs_use_shared_libs(cyrus_t)
libs_exec_lib_files(cyrus_t)

logging_send_syslog_msg(cyrus_t)

miscfiles_read_localization(cyrus_t)
miscfiles_read_certs(cyrus_t)

sysnet_read_config(cyrus_t)

userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
userdom_use_sysadm_ptys(cyrus_t)

mta_manage_spool(cyrus_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(cyrus_t)
	term_dontaudit_use_generic_ptys(cyrus_t)
	files_dontaudit_read_root_files(cyrus_t)
')

optional_policy(`
	cron_system_entry(cyrus_t,cyrus_exec_t)
')

optional_policy(`
	mount_send_nfs_client_request(cyrus_t)
')

optional_policy(`
	nis_use_ypbind(cyrus_t)
')

optional_policy(`
	sasl_connect(cyrus_t)
')

optional_policy(`
	seutil_sigchld_newrole(cyrus_t)
')

optional_policy(`
	udev_read_db(cyrus_t)
')
Commit	Line	Data
ea557a85	1
5ea24be9	2	policy_module(cyrus,1.1.0)
ea557a85 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type cyrus_t;
	10	type cyrus_exec_t;
	11	init_daemon_domain(cyrus_t,cyrus_exec_t)
	12
	13	type cyrus_tmp_t;
	14	files_tmp_file(cyrus_tmp_t)
	15
	16	type cyrus_var_lib_t;
	17	files_type(cyrus_var_lib_t)
	18
	19	type cyrus_var_run_t;
	20	files_pid_file(cyrus_var_run_t)
	21
	22	########################################
	23	#
	24	# Local policy
	25	#
	26
	27	allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
	28	dontaudit cyrus_t self:capability sys_tty_config;
	29	allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	30	allow cyrus_t self:process setrlimit;
	31	allow cyrus_t self:fd use;
	32	allow cyrus_t self:fifo_file rw_file_perms;
33acca55	33	allow cyrus_t self:sock_file r_file_perms;
ea557a85 CP	34	allow cyrus_t self:shm create_shm_perms;
	35	allow cyrus_t self:sem create_sem_perms;
	36	allow cyrus_t self:msgq create_msgq_perms;
	37	allow cyrus_t self:msg { send receive };
	38	allow cyrus_t self:unix_dgram_socket create_socket_perms;
	39	allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
	40	allow cyrus_t self:unix_dgram_socket sendto;
	41	allow cyrus_t self:unix_stream_socket connectto;
	42	allow cyrus_t self:tcp_socket create_stream_socket_perms;
	43	allow cyrus_t self:udp_socket create_socket_perms;
	44
	45	allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
	46	allow cyrus_t cyrus_tmp_t:file create_file_perms;
103fe280	47	files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
ea557a85 CP	48
	49	allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
	50	allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
1c1ac67f	51	files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
ea557a85 CP	52
	53	allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
	54	allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
	55	allow cyrus_t cyrus_var_run_t:file create_file_perms;
103fe280	56	files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
ea557a85	57
445522dc	58	kernel_read_kernel_sysctls(cyrus_t)
ea557a85	59	kernel_read_system_state(cyrus_t)
445522dc	60	kernel_read_all_sysctls(cyrus_t)
ea557a85 CP	61
	62	corenet_tcp_sendrecv_all_if(cyrus_t)
	63	corenet_udp_sendrecv_all_if(cyrus_t)
	64	corenet_raw_sendrecv_all_if(cyrus_t)
	65	corenet_tcp_sendrecv_all_nodes(cyrus_t)
	66	corenet_udp_sendrecv_all_nodes(cyrus_t)
	67	corenet_raw_sendrecv_all_nodes(cyrus_t)
	68	corenet_tcp_sendrecv_all_ports(cyrus_t)
	69	corenet_udp_sendrecv_all_ports(cyrus_t)
bd70373d	70	corenet_non_ipsec_sendrecv(cyrus_t)
ea557a85 CP	71	corenet_tcp_bind_all_nodes(cyrus_t)
	72	corenet_udp_bind_all_nodes(cyrus_t)
	73	corenet_tcp_bind_mail_port(cyrus_t)
	74	corenet_tcp_bind_pop_port(cyrus_t)
	75	corenet_tcp_connect_all_ports(cyrus_t)
	76
	77	dev_read_rand(cyrus_t)
	78	dev_read_urand(cyrus_t)
	79	dev_read_sysfs(cyrus_t)
	80
	81	fs_getattr_all_fs(cyrus_t)
	82	fs_search_auto_mountpoints(cyrus_t)
	83
	84	term_dontaudit_use_console(cyrus_t)
	85
	86	corecmd_exec_bin(cyrus_t)
	87
15722ec9	88	domain_use_interactive_fds(cyrus_t)
ea557a85 CP	89
	90	files_list_var_lib(cyrus_t)
	91	files_read_etc_files(cyrus_t)
	92	files_read_etc_runtime_files(cyrus_t)
ea557a85	93
1c1ac67f	94	init_use_fds(cyrus_t)
1815bad1	95	init_use_script_ptys(cyrus_t)
ea557a85 CP	96
	97	libs_use_ld_so(cyrus_t)
	98	libs_use_shared_libs(cyrus_t)
	99	libs_exec_lib_files(cyrus_t)
	100
	101	logging_send_syslog_msg(cyrus_t)
	102
	103	miscfiles_read_localization(cyrus_t)
	104	miscfiles_read_certs(cyrus_t)
	105
	106	sysnet_read_config(cyrus_t)
	107
15722ec9	108	userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
103fe280 CP	109	userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
103fe280 CP	110	userdom_use_unpriv_users_fds(cyrus_t)
1815bad1	111	userdom_use_sysadm_ptys(cyrus_t)
ea557a85 CP	112
	113	mta_manage_spool(cyrus_t)
	114
	115	ifdef(`targeted_policy',`
1815bad1 CP	116	term_dontaudit_use_unallocated_ttys(cyrus_t)
1815bad1 CP	117	term_dontaudit_use_generic_ptys(cyrus_t)
9e04f5c5	118	files_dontaudit_read_root_files(cyrus_t)
ea557a85 CP	119	')
ea557a85 CP	120
bb7170f6	121	optional_policy(`
ea557a85 CP	122	cron_system_entry(cyrus_t,cyrus_exec_t)
	123	')
	124
bb7170f6	125	optional_policy(`
ea557a85 CP	126	mount_send_nfs_client_request(cyrus_t)
	127	')
	128
bb7170f6	129	optional_policy(`
ea557a85 CP	130	nis_use_ypbind(cyrus_t)
	131	')
	132
bb7170f6	133	optional_policy(`
ea557a85 CP	134	sasl_connect(cyrus_t)
	135	')
	136
bb7170f6	137	optional_policy(`
ea557a85 CP	138	seutil_sigchld_newrole(cyrus_t)
	139	')
	140
bb7170f6	141	optional_policy(`
ea557a85 CP	142	udev_read_db(cyrus_t)
ea557a85 CP	143	')