[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / uwimap.te


policy_module(uwimap,1.0.0)

########################################
#
# Declarations
#

type imapd_t;
type imapd_exec_t;
init_daemon_domain(imapd_t,imapd_exec_t)
inetd_tcp_service_domain(imapd_t,imapd_exec_t)

type imapd_tmp_t;
files_tmp_file(imapd_tmp_t)

type imapd_var_run_t;
files_pid_file(imapd_var_run_t)

########################################
#
# Local policy
#

allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
dontaudit imapd_t self:capability sys_tty_config;
allow imapd_t self:process signal_perms;
allow imapd_t self:fifo_file rw_file_perms;
allow imapd_t self:tcp_socket create_stream_socket_perms;

allow imapd_t imapd_tmp_t:dir create_dir_perms;
allow imapd_t imapd_tmp_t:file create_file_perms;
files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })

allow imapd_t imapd_var_run_t:file create_file_perms;
allow imapd_t imapd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(imapd_t,imapd_var_run_t,file)

kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
kernel_read_proc_symlinks(imapd_t)

corenet_non_ipsec_sendrecv(imapd_t)
corenet_tcp_sendrecv_generic_if(imapd_t)
corenet_raw_sendrecv_generic_if(imapd_t)
corenet_tcp_sendrecv_all_nodes(imapd_t)
corenet_raw_sendrecv_all_nodes(imapd_t)
corenet_tcp_sendrecv_all_ports(imapd_t)
corenet_tcp_bind_all_nodes(imapd_t)
corenet_tcp_bind_pop_port(imapd_t)
corenet_tcp_connect_all_ports(imapd_t)

dev_read_sysfs(imapd_t)
#urandom, for ssl
dev_read_rand(imapd_t)
dev_read_urand(imapd_t)

domain_use_interactive_fds(imapd_t)

#read /etc/ for hostname nsswitch.conf
files_read_etc_files(imapd_t)

fs_getattr_all_fs(imapd_t)
fs_search_auto_mountpoints(imapd_t)

term_dontaudit_use_console(imapd_t)

auth_domtrans_chk_passwd(imapd_t)

init_use_fds(imapd_t)
init_use_script_ptys(imapd_t)

libs_use_ld_so(imapd_t)
libs_use_shared_libs(imapd_t)

logging_send_syslog_msg(imapd_t)

miscfiles_read_localization(imapd_t)

sysnet_read_config(imapd_t)

userdom_dontaudit_use_unpriv_user_fds(imapd_t)
userdom_dontaudit_search_sysadm_home_dirs(imapd_t)
# cjp: this is excessive, should be limited to the
# mail directories
userdom_priveleged_home_dir_manager(imapd_t)

mta_rw_spool(imapd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(imapd_t)
	term_dontaudit_use_generic_ptys(imapd_t)
	files_dontaudit_read_root_files(imapd_t)
')

optional_policy(`
	seutil_sigchld_newrole(imapd_t)
')

optional_policy(`
	udev_read_db(imapd_t)
')
Commit	Line	Data
3eec24bd CP	1
	2	policy_module(uwimap,1.0.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type imapd_t;
	10	type imapd_exec_t;
	11	init_daemon_domain(imapd_t,imapd_exec_t)
	12	inetd_tcp_service_domain(imapd_t,imapd_exec_t)
	13
	14	type imapd_tmp_t;
	15	files_tmp_file(imapd_tmp_t)
	16
	17	type imapd_var_run_t;
	18	files_pid_file(imapd_var_run_t)
	19
	20	########################################
	21	#
	22	# Local policy
	23	#
	24
	25	allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
	26	dontaudit imapd_t self:capability sys_tty_config;
	27	allow imapd_t self:process signal_perms;
	28	allow imapd_t self:fifo_file rw_file_perms;
	29	allow imapd_t self:tcp_socket create_stream_socket_perms;
	30
	31	allow imapd_t imapd_tmp_t:dir create_dir_perms;
	32	allow imapd_t imapd_tmp_t:file create_file_perms;
	33	files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
	34
	35	allow imapd_t imapd_var_run_t:file create_file_perms;
	36	allow imapd_t imapd_var_run_t:dir rw_dir_perms;
	37	files_pid_filetrans(imapd_t,imapd_var_run_t,file)
	38
	39	kernel_read_kernel_sysctls(imapd_t)
	40	kernel_list_proc(imapd_t)
	41	kernel_read_proc_symlinks(imapd_t)
	42
	43	corenet_non_ipsec_sendrecv(imapd_t)
	44	corenet_tcp_sendrecv_generic_if(imapd_t)
	45	corenet_raw_sendrecv_generic_if(imapd_t)
	46	corenet_tcp_sendrecv_all_nodes(imapd_t)
	47	corenet_raw_sendrecv_all_nodes(imapd_t)
	48	corenet_tcp_sendrecv_all_ports(imapd_t)
	49	corenet_tcp_bind_all_nodes(imapd_t)
	50	corenet_tcp_bind_pop_port(imapd_t)
	51	corenet_tcp_connect_all_ports(imapd_t)
	52
	53	dev_read_sysfs(imapd_t)
	54	#urandom, for ssl
	55	dev_read_rand(imapd_t)
	56	dev_read_urand(imapd_t)
	57
	58	domain_use_interactive_fds(imapd_t)
	59
	60	#read /etc/ for hostname nsswitch.conf
	61	files_read_etc_files(imapd_t)
	62
	63	fs_getattr_all_fs(imapd_t)
	64	fs_search_auto_mountpoints(imapd_t)
65
66	term_dontaudit_use_console(imapd_t)
67
68	auth_domtrans_chk_passwd(imapd_t)
69
70	init_use_fds(imapd_t)
71	init_use_script_ptys(imapd_t)
72
73	libs_use_ld_so(imapd_t)
74	libs_use_shared_libs(imapd_t)
75
76	logging_send_syslog_msg(imapd_t)
77
78	miscfiles_read_localization(imapd_t)
79
80	sysnet_read_config(imapd_t)
81
82	userdom_dontaudit_use_unpriv_user_fds(imapd_t)
83	userdom_dontaudit_search_sysadm_home_dirs(imapd_t)
84	# cjp: this is excessive, should be limited to the
85	# mail directories
86	userdom_priveleged_home_dir_manager(imapd_t)
87
88	mta_rw_spool(imapd_t)
89
90	ifdef(`targeted_policy',`
91	term_dontaudit_use_unallocated_ttys(imapd_t)
92	term_dontaudit_use_generic_ptys(imapd_t)
93	files_dontaudit_read_root_files(imapd_t)
94	')
95
96	optional_policy(`
97	seutil_sigchld_newrole(imapd_t)
98	')
99
100	optional_policy(`
101	udev_read_db(imapd_t)
102	')