## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
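########################################
## <summary>
##	Allow caller to create, read, write,
##	and delete cyrus data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cyrus_manage_data',`
	# Require the type used below so the interface is self-contained
	# and fails at build time if the cyrus module is not present.
	gen_require(`
		type cyrus_var_lib_t;
	')

	# Search access on the generic var_lib directories, needed to
	# reach the cyrus_var_lib_t directory beneath them.
	files_search_var_lib($1)

	# Manage access on regular files labeled cyrus_var_lib_t inside
	# directories of the same type. The caller can modify or delete any
	# state Cyrus keeps under this label, so grant this only to domains
	# that must write that state.
	manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')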
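########################################
## <summary>
##	Connect to Cyrus using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cyrus_stream_connect',`
	# Types referenced below must be required, not declared, inside
	# an interface.
	gen_require(`
		type cyrus_t, cyrus_var_lib_t;
	')

	# Search access on the generic var_lib directories to reach the
	# directory that holds the socket file.
	files_search_var_lib($1)

	# Arguments: caller domain, directory type, socket file type,
	# domain that owns the listening socket. This grants a connection
	# to the cyrus_t process only; it does not grant file management
	# on cyrus_var_lib_t.
	stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
')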
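########################################
## <summary>
##	All of the rules required to administrate
##	a cyrus environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the cyrus domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cyrus_admin',`
	gen_require(`
		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
		type cyrus_var_run_t, cyrus_initrc_exec_t;
	')

	# Process control: send signals to the daemon and see it in
	# process listings.
	allow $1 cyrus_t:process signal_perms;
	ps_process_pattern($1, cyrus_t)

	# The allow rule sits in the false branch of the conditional, so
	# ptrace is granted only while the deny_ptrace boolean is off.
	# ptrace exposes the memory of the mail server process, which can
	# hold credentials and message content. Keep deny_ptrace enabled
	# on production hosts unless a debugging session requires it.
	tunable_policy(`deny_ptrace',`',`
		allow $1 cyrus_t:process ptrace;
	')

	# Let the admin domain run the labeled init script with a domain
	# transition, and move the admin role into system_r when it does.
	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cyrus_initrc_exec_t system_r;
	# A role_transition only takes effect when the role change itself
	# is allowed, so pair it with the matching role allow rule.
	allow $2 system_r;

	# admin_pattern is the broad management grant for each type.
	# NOTE(review): unlike var_lib below, no parent directory list
	# access is visible for the tmp and var_run types. Confirm the
	# caller already has it.
	admin_pattern($1, cyrus_tmp_t)

	files_list_var_lib($1)
	admin_pattern($1, cyrus_var_lib_t)

	admin_pattern($1, cyrus_var_run_t)
')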