]>
Commit | Line | Data |
---|---|---|
3eec24bd CP |
1 | |
2 | policy_module(uwimap,1.0.0) | |
3 | ||
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type imapd_t; | |
10 | type imapd_exec_t; | |
11 | init_daemon_domain(imapd_t,imapd_exec_t) | |
12 | inetd_tcp_service_domain(imapd_t,imapd_exec_t) | |
13 | ||
14 | type imapd_tmp_t; | |
15 | files_tmp_file(imapd_tmp_t) | |
16 | ||
17 | type imapd_var_run_t; | |
18 | files_pid_file(imapd_var_run_t) | |
19 | ||
20 | ######################################## | |
21 | # | |
22 | # Local policy | |
23 | # | |
24 | ||
25 | allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; | |
26 | dontaudit imapd_t self:capability sys_tty_config; | |
27 | allow imapd_t self:process signal_perms; | |
28 | allow imapd_t self:fifo_file rw_file_perms; | |
29 | allow imapd_t self:tcp_socket create_stream_socket_perms; | |
30 | ||
31 | allow imapd_t imapd_tmp_t:dir create_dir_perms; | |
32 | allow imapd_t imapd_tmp_t:file create_file_perms; | |
33 | files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir }) | |
34 | ||
35 | allow imapd_t imapd_var_run_t:file create_file_perms; | |
36 | allow imapd_t imapd_var_run_t:dir rw_dir_perms; | |
37 | files_pid_filetrans(imapd_t,imapd_var_run_t,file) | |
38 | ||
39 | kernel_read_kernel_sysctls(imapd_t) | |
40 | kernel_list_proc(imapd_t) | |
41 | kernel_read_proc_symlinks(imapd_t) | |
42 | ||
43 | corenet_non_ipsec_sendrecv(imapd_t) | |
44 | corenet_tcp_sendrecv_generic_if(imapd_t) | |
45 | corenet_raw_sendrecv_generic_if(imapd_t) | |
46 | corenet_tcp_sendrecv_all_nodes(imapd_t) | |
47 | corenet_raw_sendrecv_all_nodes(imapd_t) | |
48 | corenet_tcp_sendrecv_all_ports(imapd_t) | |
49 | corenet_tcp_bind_all_nodes(imapd_t) | |
50 | corenet_tcp_bind_pop_port(imapd_t) | |
51 | corenet_tcp_connect_all_ports(imapd_t) | |
52 | ||
53 | dev_read_sysfs(imapd_t) | |
54 | #urandom, for ssl | |
55 | dev_read_rand(imapd_t) | |
56 | dev_read_urand(imapd_t) | |
57 | ||
58 | domain_use_interactive_fds(imapd_t) | |
59 | ||
60 | #read /etc/ for hostname nsswitch.conf | |
61 | files_read_etc_files(imapd_t) | |
62 | ||
63 | fs_getattr_all_fs(imapd_t) | |
64 | fs_search_auto_mountpoints(imapd_t) | |
65 | ||
66 | term_dontaudit_use_console(imapd_t) | |
67 | ||
68 | auth_domtrans_chk_passwd(imapd_t) | |
69 | ||
70 | init_use_fds(imapd_t) | |
71 | init_use_script_ptys(imapd_t) | |
72 | ||
73 | libs_use_ld_so(imapd_t) | |
74 | libs_use_shared_libs(imapd_t) | |
75 | ||
76 | logging_send_syslog_msg(imapd_t) | |
77 | ||
78 | miscfiles_read_localization(imapd_t) | |
79 | ||
80 | sysnet_read_config(imapd_t) | |
81 | ||
82 | userdom_dontaudit_use_unpriv_user_fds(imapd_t) | |
83 | userdom_dontaudit_search_sysadm_home_dirs(imapd_t) | |
84 | # cjp: this is excessive, should be limited to the | |
85 | # mail directories | |
86 | userdom_priveleged_home_dir_manager(imapd_t) | |
87 | ||
88 | mta_rw_spool(imapd_t) | |
89 | ||
90 | ifdef(`targeted_policy',` | |
91 | term_dontaudit_use_unallocated_ttys(imapd_t) | |
92 | term_dontaudit_use_generic_ptys(imapd_t) | |
93 | files_dontaudit_read_root_files(imapd_t) | |
94 | ') | |
95 | ||
96 | optional_policy(` | |
97 | seutil_sigchld_newrole(imapd_t) | |
98 | ') | |
99 | ||
100 | optional_policy(` | |
101 | udev_read_db(imapd_t) | |
102 | ') |