## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
########################################
## <summary>
##	Manage (create, read, write and delete)
##	Cyrus data files.
## </summary>
## <desc>
##	<p>
##	Applies to files labeled cyrus_var_lib_t that sit in
##	directories labeled cyrus_var_lib_t. Only the files
##	pattern is used here; no manage pattern for directories,
##	symlinks or sockets of this type is part of this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cyrus_manage_data',`
	gen_require(`
		type cyrus_var_lib_t;
	')

	# Let the caller traverse /var/lib to reach the Cyrus data directory.
	files_search_var_lib($1)

	# Full file management, limited to the Cyrus data type.
	manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')
########################################
## <summary>
##	Connect to Cyrus over a unix domain
##	stream socket.
## </summary>
## <desc>
##	<p>
##	The socket file and its parent directory are both
##	expected to be labeled cyrus_var_lib_t, and the peer
##	the caller connects to is the cyrus_t domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cyrus_stream_connect',`
	gen_require(`
		type cyrus_t, cyrus_var_lib_t;
	')

	# Let the caller traverse /var/lib to reach the socket directory.
	files_search_var_lib($1)

	# Arguments: caller, directory type, socket file type, target domain.
	stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
')
########################################
## <summary>
##	All of the rules required to administer
##	a cyrus environment.
## </summary>
## <desc>
##	<p>
##	Grants the caller signal and process-listing access to
##	cyrus_t, the ability to run the cyrus init script with a
##	transition of the given role to system_r, and administrative
##	access to the cyrus temporary, data and runtime file types.
##	ptrace of cyrus_t is granted only while the deny_ptrace
##	tunable is off. This is a broad grant and is meant for
##	administrative domains only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the cyrus domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cyrus_admin',`
	gen_require(`
		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
		type cyrus_var_run_t, cyrus_initrc_exec_t;
	')

	# Signal the daemon and see it in process listings.
	allow $1 cyrus_t:process signal_perms;
	ps_process_pattern($1, cyrus_t)

	# The branch for deny_ptrace being on is empty, so ptrace of the
	# daemon is allowed only while that tunable is off. ptrace gives the
	# caller access to the memory of the cyrus process.
	tunable_policy(`deny_ptrace',`',`
		allow $1 cyrus_t:process ptrace;
	')

	# Run the cyrus init script from the caller domain, and let the
	# given role move to system_r when that script is executed.
	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cyrus_initrc_exec_t system_r;
	allow $2 system_r;

	# Administrative access to cyrus temporary files.
	files_list_tmp($1)
	admin_pattern($1, cyrus_tmp_t)

	# Administrative access to cyrus data under /var/lib.
	files_list_var_lib($1)
	admin_pattern($1, cyrus_var_lib_t)

	# Administrative access to cyrus runtime (pid) files.
	files_list_pids($1)
	admin_pattern($1, cyrus_var_run_t)
')