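policy_module(dovecot, 1.10.0)

########################################
#
# Declarations
#

# Main daemon domain, entered from dovecot_exec_t when started by init.
type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)

# Separate authentication domain.  dovecot_t transitions into it when it
# executes dovecot_auth_exec_t (see domtrans_pattern below), so the
# password database (dovecot_passwd_t) only has to be readable from here
# and never from the main daemon domain.
type dovecot_auth_t;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;

# TLS certificates/keys; this module grants read access only.
type dovecot_cert_t;
files_type(dovecot_cert_t)

# Configuration; this module grants read access only.
type dovecot_etc_t;
files_config_file(dovecot_etc_t)

# Password database; within this module only dovecot_auth_t may read it.
type dovecot_passwd_t;
files_type(dovecot_passwd_t)

# Mail spool, fully managed by dovecot_t.
type dovecot_spool_t;
files_type(dovecot_spool_t)

# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)

# PID file and sockets under /var/run.
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)

########################################
#
# dovecot local policy
#

# dac_override/dac_read_search let the daemon reach mail regardless of
# file ownership; sys_chroot is presumably for chrooting its service
# processes -- confirm against the dovecot configuration in use.
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
# connectto: processes in this domain talk to each other over unix sockets.
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };

# Run the authentication helper in its own, more restricted domain.
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)

# Certificates and keys: read only, no write or create.
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)

allow dovecot_t dovecot_etc_t:file read_file_perms;
files_search_etc(dovecot_t)

# The master process executes other dovecot binaries in the same domain.
can_exec(dovecot_t, dovecot_exec_t)

manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)

# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
files_read_var_lib_files(dovecot_t)

manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
# Only plain files created directly in /var/run are relabelled to
# dovecot_var_run_t.  Sockets are presumably created inside an
# already-labelled subdirectory -- TODO confirm; if they show up as the
# generic pid type in AVC denials, add sock_file to this transition.
files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)

kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)

corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_all_if(dovecot_t)
corenet_tcp_sendrecv_all_nodes(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_all_nodes(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
# NOTE(review): connect_all_ports allows outbound TCP to any port, which
# also makes the postgresql_port rule below redundant.  If the SQL backend
# is the only outbound need, keeping just the specific port interface
# narrows what a compromised dovecot process can reach over the network.
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)

dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)

fs_getattr_all_fs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)

corecmd_exec_bin(dovecot_t)

domain_use_interactive_fds(dovecot_t)

files_read_etc_files(dovecot_t)
files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_getattr_all_mountpoints(dovecot_t)

init_getattr_utmp(dovecot_t)

auth_use_nsswitch(dovecot_t)

logging_send_syslog_msg(dovecot_t)

miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
# Mail stored under user home directories.  This grants full management of
# all user home content types, not just mailboxes; narrowing it would need
# a dedicated home mail type, which this module does not declare.
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
userdom_manage_user_home_content_symlinks(dovecot_t)
userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

optional_policy(`
	kerberos_use(dovecot_t)
')

optional_policy(`
	seutil_sigchld_newrole(dovecot_t)
')

optional_policy(`
	squid_dontaudit_search_cache(dovecot_t)
')

optional_policy(`
	udev_read_db(dovecot_t)
')

########################################
#
# dovecot auth local policy
#

allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;

# The auth process services a unix socket owned by dovecot_t (inherited
# across the domain transition); it may accept on it but not create one.
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };

# Password database: read only, and only from this domain.
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;

allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;

# Broader than the kernel_read_kernel_sysctls granted to dovecot_t --
# TODO confirm the auth helper actually needs all sysctls.
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)

dev_read_urand(dovecot_auth_t)

# System-account passwords are checked via the chkpwd helper domain; this
# module grants no direct read access to the shadow database.
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)

files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)

init_rw_utmp(dovecot_auth_t)

# Unconditional, like the dovecot_t rule above: the module already depends
# on the logging module, so an optional_policy wrapper here changed nothing.
logging_send_syslog_msg(dovecot_auth_t)

miscfiles_read_localization(dovecot_auth_t)

seutil_dontaudit_search_config(dovecot_auth_t)

optional_policy(`
	kerberos_use(dovecot_auth_t)
')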