refpolicy/policy/modules/services/courier.if

   1 ## <summary>Courier IMAP and POP3 email servers</summary>
   2
   3 ########################################
   4 ## <summary>
   5 ##      Template for creating courier server processes.
   6 ## </summary>
   7 ## <param name="prefix">
   8 ##      <summary>
   9 ##      Prefix name of the server process.
  10 ##      </summary>
  11 ## </param>
  12 #
  13 template(`courier_domain_template',`
  14
  15         ##############################
  16         #
  17         # Declarations
  18         #
  19
  20         type courier_$1_t;
  21         type courier_$1_exec_t;
  22         init_daemon_domain(courier_$1_t,courier_$1_exec_t)
  23
  24         ##############################
  25         #
  26         # Declarations
  27         #
  28
  29         allow courier_$1_t self:capability dac_override;
  30         dontaudit courier_$1_t self:capability sys_tty_config;
  31         allow courier_$1_t self:process { setpgid signal_perms };
  32         allow courier_$1_t self:fifo_file { read write getattr };
  33         allow courier_$1_t self:tcp_socket create_stream_socket_perms;
  34         allow courier_$1_t self:udp_socket create_socket_perms;
  35
  36         can_exec(courier_$1_t, courier_$1_exec_t)
  37
  38         allow courier_$1_t courier_etc_t:file r_file_perms;
  39         allow courier_$1_t courier_etc_t:dir r_dir_perms;
  40
  41         allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
  42         allow courier_$1_t courier_var_run_t:file create_file_perms;
  43         allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
  44         allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
  45         files_search_pids(courier_$1_t)
  46
  47         kernel_read_system_state(courier_$1_t)
  48         kernel_read_kernel_sysctls(courier_$1_t)
  49
  50         corecmd_exec_bin(courier_$1_t)
  51
  52         corenet_tcp_sendrecv_generic_if(courier_$1_t)
  53         corenet_udp_sendrecv_generic_if(courier_$1_t)
  54         corenet_raw_sendrecv_generic_if(courier_$1_t)
  55         corenet_tcp_sendrecv_all_nodes(courier_$1_t)
  56         corenet_udp_sendrecv_all_nodes(courier_$1_t)
  57         corenet_raw_sendrecv_all_nodes(courier_$1_t)
  58         corenet_tcp_sendrecv_all_ports(courier_$1_t)
  59         corenet_udp_sendrecv_all_ports(courier_$1_t)
  60         corenet_non_ipsec_sendrecv(courier_$1_t)
  61         corenet_tcp_bind_all_nodes(courier_$1_t)
  62         corenet_udp_bind_all_nodes(courier_$1_t)
  63
  64         dev_read_sysfs(courier_$1_t)
  65
  66         domain_use_interactive_fds(courier_$1_t)
  67
  68         files_read_etc_files(courier_$1_t)
  69         files_read_etc_runtime_files(courier_$1_t)
  70         files_read_usr_files(courier_$1_t)
  71
  72         fs_getattr_xattr_fs(courier_$1_t)
  73         fs_search_auto_mountpoints(courier_$1_t)
  74
  75         term_dontaudit_use_console(courier_$1_t)
  76
  77         init_use_fds(courier_$1_t)
  78         init_use_script_ptys(courier_$1_t)
  79
  80         libs_use_ld_so(courier_$1_t)
  81         libs_use_shared_libs(courier_$1_t)
  82
  83         logging_send_syslog_msg(courier_$1_t)
  84
  85         sysnet_read_config(courier_$1_t)
  86
  87         userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
  88
  89         ifdef(`targeted_policy',`
  90                 term_dontaudit_use_unallocated_ttys(courier_$1_t)
  91                 term_dontaudit_use_generic_ptys(courier_$1_t)
  92                 files_dontaudit_read_root_files(courier_$1_t)
  93         ')
  94
  95         optional_policy(`
  96                 seutil_sigchld_newrole(courier_$1_t)
  97         ')
  98
  99         optional_policy(`
 100                 udev_read_db(courier_$1_t)
 101         ')
 102 ')
 103
 104 ########################################
 105 ## <summary>
 106 ##      Execute the courier authentication daemon with
 107 ##      a domain transition.
 108 ## </summary>
 109 ## <param name="prefix">
 110 ##      <summary>
 111 ##      Domain allowed access.
 112 ##      </summary>
 113 ## </param>
 114 #
 115 interface(`courier_domtrans_authdaemon',`
 116         gen_require(`
 117                 type courier_authdaemon_t, courier_authdaemon_exec_t;
 118         ')
 119
 120         domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
 121         allow courier_authdaemon_t $1:fd use;
 122         allow courier_authdaemon_t $1:fifo_file rw_file_perms;
 123         allow courier_authdaemon_t $1:process sigchld;
 124 ')
 125
 126 ########################################
 127 ## <summary>
 128 ##      Execute the courier POP3 and IMAP server with
 129 ##      a domain transition.
 130 ## </summary>
 131 ## <param name="prefix">
 132 ##      <summary>
 133 ##      Domain allowed access.
 134 ##      </summary>
 135 ## </param>
 136 #
 137 interface(`courier_domtrans_pop',`
 138         gen_require(`
 139                 type courier_pop_t, courier_pop_exec_t;
 140         ')
 141
 142         domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
 143         allow courier_pop_t $1:fd use;
 144         allow courier_pop_t $1:fifo_file rw_file_perms;
 145         allow courier_pop_t $1:process sigchld;
 146 ')