]>
Commit | Line | Data |
---|---|---|
ea557a85 | 1 | |
5ea24be9 | 2 | policy_module(cyrus,1.1.0) |
ea557a85 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type cyrus_t; | |
10 | type cyrus_exec_t; | |
11 | init_daemon_domain(cyrus_t,cyrus_exec_t) | |
12 | ||
13 | type cyrus_tmp_t; | |
14 | files_tmp_file(cyrus_tmp_t) | |
15 | ||
16 | type cyrus_var_lib_t; | |
17 | files_type(cyrus_var_lib_t) | |
18 | ||
19 | type cyrus_var_run_t; | |
20 | files_pid_file(cyrus_var_run_t) | |
21 | ||
22 | ######################################## | |
23 | # | |
24 | # Local policy | |
25 | # | |
26 | ||
27 | allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; | |
28 | dontaudit cyrus_t self:capability sys_tty_config; | |
29 | allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
30 | allow cyrus_t self:process setrlimit; | |
31 | allow cyrus_t self:fd use; | |
32 | allow cyrus_t self:fifo_file rw_file_perms; | |
33acca55 | 33 | allow cyrus_t self:sock_file r_file_perms; |
ea557a85 CP |
34 | allow cyrus_t self:shm create_shm_perms; |
35 | allow cyrus_t self:sem create_sem_perms; | |
36 | allow cyrus_t self:msgq create_msgq_perms; | |
37 | allow cyrus_t self:msg { send receive }; | |
38 | allow cyrus_t self:unix_dgram_socket create_socket_perms; | |
39 | allow cyrus_t self:unix_stream_socket create_stream_socket_perms; | |
40 | allow cyrus_t self:unix_dgram_socket sendto; | |
41 | allow cyrus_t self:unix_stream_socket connectto; | |
42 | allow cyrus_t self:tcp_socket create_stream_socket_perms; | |
43 | allow cyrus_t self:udp_socket create_socket_perms; | |
44 | ||
45 | allow cyrus_t cyrus_tmp_t:dir create_dir_perms; | |
46 | allow cyrus_t cyrus_tmp_t:file create_file_perms; | |
103fe280 | 47 | files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) |
ea557a85 CP |
48 | |
49 | allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; | |
50 | allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms; | |
1c1ac67f | 51 | files_pid_filetrans(cyrus_t,cyrus_var_run_t,file) |
ea557a85 CP |
52 | |
53 | allow cyrus_t cyrus_var_run_t:dir rw_dir_perms; | |
54 | allow cyrus_t cyrus_var_run_t:sock_file create_file_perms; | |
55 | allow cyrus_t cyrus_var_run_t:file create_file_perms; | |
103fe280 | 56 | files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file }) |
ea557a85 | 57 | |
445522dc | 58 | kernel_read_kernel_sysctls(cyrus_t) |
ea557a85 | 59 | kernel_read_system_state(cyrus_t) |
445522dc | 60 | kernel_read_all_sysctls(cyrus_t) |
ea557a85 CP |
61 | |
62 | corenet_tcp_sendrecv_all_if(cyrus_t) | |
63 | corenet_udp_sendrecv_all_if(cyrus_t) | |
64 | corenet_raw_sendrecv_all_if(cyrus_t) | |
65 | corenet_tcp_sendrecv_all_nodes(cyrus_t) | |
66 | corenet_udp_sendrecv_all_nodes(cyrus_t) | |
67 | corenet_raw_sendrecv_all_nodes(cyrus_t) | |
68 | corenet_tcp_sendrecv_all_ports(cyrus_t) | |
69 | corenet_udp_sendrecv_all_ports(cyrus_t) | |
bd70373d | 70 | corenet_non_ipsec_sendrecv(cyrus_t) |
ea557a85 CP |
71 | corenet_tcp_bind_all_nodes(cyrus_t) |
72 | corenet_udp_bind_all_nodes(cyrus_t) | |
73 | corenet_tcp_bind_mail_port(cyrus_t) | |
74 | corenet_tcp_bind_pop_port(cyrus_t) | |
75 | corenet_tcp_connect_all_ports(cyrus_t) | |
76 | ||
77 | dev_read_rand(cyrus_t) | |
78 | dev_read_urand(cyrus_t) | |
79 | dev_read_sysfs(cyrus_t) | |
80 | ||
81 | fs_getattr_all_fs(cyrus_t) | |
82 | fs_search_auto_mountpoints(cyrus_t) | |
83 | ||
84 | term_dontaudit_use_console(cyrus_t) | |
85 | ||
86 | corecmd_exec_bin(cyrus_t) | |
87 | ||
15722ec9 | 88 | domain_use_interactive_fds(cyrus_t) |
ea557a85 CP |
89 | |
90 | files_list_var_lib(cyrus_t) | |
91 | files_read_etc_files(cyrus_t) | |
92 | files_read_etc_runtime_files(cyrus_t) | |
ea557a85 | 93 | |
1c1ac67f | 94 | init_use_fds(cyrus_t) |
1815bad1 | 95 | init_use_script_ptys(cyrus_t) |
ea557a85 CP |
96 | |
97 | libs_use_ld_so(cyrus_t) | |
98 | libs_use_shared_libs(cyrus_t) | |
99 | libs_exec_lib_files(cyrus_t) | |
100 | ||
101 | logging_send_syslog_msg(cyrus_t) | |
102 | ||
103 | miscfiles_read_localization(cyrus_t) | |
104 | miscfiles_read_certs(cyrus_t) | |
105 | ||
106 | sysnet_read_config(cyrus_t) | |
107 | ||
15722ec9 | 108 | userdom_dontaudit_use_unpriv_user_fds(cyrus_t) |
103fe280 CP |
109 | userdom_dontaudit_search_sysadm_home_dirs(cyrus_t) |
110 | userdom_use_unpriv_users_fds(cyrus_t) | |
1815bad1 | 111 | userdom_use_sysadm_ptys(cyrus_t) |
ea557a85 CP |
112 | |
113 | mta_manage_spool(cyrus_t) | |
114 | ||
115 | ifdef(`targeted_policy',` | |
1815bad1 CP |
116 | term_dontaudit_use_unallocated_ttys(cyrus_t) |
117 | term_dontaudit_use_generic_ptys(cyrus_t) | |
9e04f5c5 | 118 | files_dontaudit_read_root_files(cyrus_t) |
ea557a85 CP |
119 | ') |
120 | ||
bb7170f6 | 121 | optional_policy(` |
ea557a85 CP |
122 | cron_system_entry(cyrus_t,cyrus_exec_t) |
123 | ') | |
124 | ||
bb7170f6 | 125 | optional_policy(` |
ea557a85 CP |
126 | mount_send_nfs_client_request(cyrus_t) |
127 | ') | |
128 | ||
bb7170f6 | 129 | optional_policy(` |
ea557a85 CP |
130 | nis_use_ypbind(cyrus_t) |
131 | ') | |
132 | ||
bb7170f6 | 133 | optional_policy(` |
ea557a85 CP |
134 | sasl_connect(cyrus_t) |
135 | ') | |
136 | ||
bb7170f6 | 137 | optional_policy(` |
ea557a85 CP |
138 | seutil_sigchld_newrole(cyrus_t) |
139 | ') | |
140 | ||
bb7170f6 | 141 | optional_policy(` |
ea557a85 CP |
142 | udev_read_db(cyrus_t) |
143 | ') |