refpolicy/policy/modules/services/courier.te

   1
   2 policy_module(courier,1.0.0)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 courier_domain_template(authdaemon)
  10
  11 type courier_etc_t;
  12 files_type(courier_etc_t)
  13
  14 courier_domain_template(pcp)
  15
  16 courier_domain_template(pop)
  17
  18 courier_domain_template(tcpd)
  19
  20 type courier_var_lib_t;
  21 files_type(courier_var_lib_t)
  22
  23 type courier_var_run_t;
  24 files_pid_file(courier_var_run_t)
  25
  26 type courier_exec_t;
  27 files_type(courier_exec_t)
  28
  29 courier_domain_template(sqwebmail)
  30 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
  31
  32 ########################################
  33 #
  34 # Authdaemon local policy
  35 #
  36
  37 allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
  38 allow courier_authdaemon_t self:unix_stream_socket connectto;
  39
  40 can_exec(courier_authdaemon_t, courier_exec_t)
  41
  42 allow courier_authdaemon_t courier_tcpd_t:fd use;
  43 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
  44 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
  45
  46 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
  47 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
  48 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
  49 allow courier_authdaemon_t courier_tcpd_t:fd use;
  50 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
  51 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
  52
  53 corecmd_search_sbin(courier_authdaemon_t)
  54
  55 # for SSP
  56 dev_read_urand(courier_authdaemon_t)
  57
  58 files_getattr_tmp_dirs(courier_authdaemon_t)
  59
  60 auth_domtrans_chk_passwd(courier_authdaemon_t)
  61
  62 libs_read_lib_files(courier_authdaemon_t)
  63
  64 miscfiles_read_localization(courier_authdaemon_t)
  65
  66 # should not be needed!
  67 userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
  68 userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
  69
  70 courier_domtrans_pop(courier_authdaemon_t)
  71
  72 ########################################
  73 #
  74 # Calendar (PCP) local policy
  75 #
  76
  77 allow courier_pcp_t self:capability { setuid setgid };
  78
  79 dev_read_rand(courier_pcp_t)
  80
  81 ########################################
  82 #
  83 # POP3/IMAP local policy
  84 #
  85
  86 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
  87 allow courier_pop_t courier_authdaemon_t:process sigchld;
  88
  89 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
  90
  91 # inherits file handle - should it?
  92 allow courier_pop_t courier_var_lib_t:file { read write };
  93
  94 miscfiles_read_localization(courier_pop_t)
  95
  96 courier_domtrans_authdaemon(courier_pop_t)
  97
  98 # do the actual work (read the Maildir)
  99 userdom_manage_unpriv_users_home_content_files(courier_pop_t)
 100 # cjp: the fact that this is different for pop vs imap means that
 101 # there should probably be a courier_pop_t and courier_imap_t
 102 # this should also probably be a separate type too instead of
 103 # the regular home dir
 104 userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
 105
 106 ########################################
 107 #
 108 # TCPd local policy
 109 #
 110
 111 allow courier_tcpd_t self:capability kill;
 112
 113 can_exec(courier_tcpd_t, courier_exec_t)
 114
 115 allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
 116 allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
 117 allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
 118 files_search_var_lib(courier_tcpd_t)
 119
 120 corecmd_search_sbin(courier_tcpd_t)
 121
 122 corenet_tcp_bind_pop_port(courier_tcpd_t)
 123
 124 # for TLS
 125 dev_read_rand(courier_tcpd_t)
 126 dev_read_urand(courier_tcpd_t)
 127
 128 miscfiles_read_localization(courier_tcpd_t)
 129
 130 courier_domtrans_pop(courier_tcpd_t)
 131
 132 ########################################
 133 #
 134 # Webmail local policy
 135 #
 136
 137 kernel_read_kernel_sysctls(courier_sqwebmail_t)
 138
 139 optional_policy(`
 140         cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t)
 141 ')