# SELinux type-enforcement source for the Courier mail suite: module "courier", version 1.0.0.
# NOTE(review): the number at the start of each line is a line number carried over from the
# listing this was taken from, not policy syntax. Gaps in that numbering are lines the
# listing does not show.
2 policy_module(courier,1.0.0)
4 ########################################
# Declarations. Each courier_domain_template(<name>) call instantiates a template defined
# outside this file. Judging by the names used further down, it provides courier_<name>_t and
# courier_<name>_exec_t -- confirm against the interface file.
9 courier_domain_template(authdaemon)
# NOTE(review): no "type courier_etc_t;" is visible here (listing line 11 is absent) --
# confirm the declaration exists in the full file.
12 files_type(courier_etc_t)
14 courier_domain_template(pcp)
16 courier_domain_template(pop)
18 courier_domain_template(tcpd)
# State under /var/lib, plus a separate type for pid files so that each can be granted on its own.
20 type courier_var_lib_t;
21 files_type(courier_var_lib_t)
23 type courier_var_run_t;
24 files_pid_file(courier_var_run_t)
# NOTE(review): courier_exec_t is marked as a file type here, but its "type" declaration is
# not visible (listing line 26 is absent) -- confirm it exists in the full file.
27 files_type(courier_exec_t)
29 courier_domain_template(sqwebmail)
# Keeps the name sqwebmail_cron_exec_t valid as an alias of courier_sqwebmail_exec_t,
# presumably so existing labels and rules using the old name still resolve -- confirm.
30 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
32 ########################################
34 # Authdaemon local policy
# Rules for courier_authdaemon_t, the domain that handles authentication for the other
# Courier services.
# setuid/setgid let the daemon change its own identity. NOTE(review): sys_tty_config is
# unusual for an authentication daemon -- confirm it is needed before keeping it.
37 allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
38 allow courier_authdaemon_t self:unix_stream_socket connectto;
# Run courier_exec_t helpers inside this domain (no transition), so they keep every
# permission granted below.
40 can_exec(courier_authdaemon_t, courier_exec_t)
# Use descriptors, sockets and pipes handed down from the TCP listener domain.
42 allow courier_authdaemon_t courier_tcpd_t:fd use;
43 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
44 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
# NOTE(review): the rules on listing lines 46 and 49-51 repeat 42-44 verbatim. Repeated allow
# rules grant nothing extra; they only make the block harder to audit. The new grants in this
# group are unix_stream_socket (47) and process sigchld (48).
46 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
47 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
48 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
49 allow courier_authdaemon_t courier_tcpd_t:fd use;
50 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
51 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
53 corecmd_search_sbin(courier_authdaemon_t)
56 dev_read_urand(courier_authdaemon_t)
58 files_getattr_tmp_dirs(courier_authdaemon_t)
# Password checks go through a domain transition to the chk_passwd helper. Presumably this
# keeps direct access to the password database out of this domain -- confirm that no other
# rule grants it.
60 auth_domtrans_chk_passwd(courier_authdaemon_t)
62 libs_read_lib_files(courier_authdaemon_t)
64 miscfiles_read_localization(courier_authdaemon_t)
66 # should not be needed!
# NOTE(review): the author already doubts the next rule. It lets the authentication daemon
# traverse unprivileged users' home directories. Test without it and keep it only if AVC
# denials show a real need.
67 userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
# dontaudit: searches of sysadm home directories stay denied, but the denial is not logged.
# To see these denials while investigating this domain, rebuild policy with dontaudit rules
# disabled (semodule -DB).
68 userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
# Allows authdaemon to start the POP3/IMAP program in its own domain (courier_pop_t).
70 courier_domtrans_pop(courier_authdaemon_t)
72 ########################################
74 # Calendar (PCP) local policy
# Rules for courier_pcp_t. Only two grants are visible here; anything else the domain can do
# comes from courier_domain_template(), which is defined outside this file.
# setuid/setgid let the calendar daemon change its own identity.
77 allow courier_pcp_t self:capability { setuid setgid };
# Read access to the random device. Unlike authdaemon and tcpd, no dev_read_urand is granted.
79 dev_read_rand(courier_pcp_t)
81 ########################################
83 # POP3/IMAP local policy
# Rules for courier_pop_t, the domain that serves mailboxes to clients. The comments below
# show it covers both POP3 and IMAP.
# Talk to authdaemon over the inherited TCP socket and report child exit to it.
86 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
87 allow courier_pop_t courier_authdaemon_t:process sigchld;
89 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
91 # inherits file handle - should it?
# NOTE(review): this grants read/write on courier_var_lib_t files only because an open
# descriptor is inherited from the parent. If the mailbox server never uses it, the tighter
# fix is to close the descriptor in the parent, or to dontaudit the access, rather than
# allow it.
92 allow courier_pop_t courier_var_lib_t:file { read write };
94 miscfiles_read_localization(courier_pop_t)
96 courier_domtrans_authdaemon(courier_pop_t)
98 # do the actual work (read the Maildir)
# NOTE(review): the stated need is Maildir access, but the two userdom_manage_* rules below
# cover all home content of unprivileged users, files and directories alike. A flaw in the
# mail server would then reach every such file, not only mail. The author's own comment
# points at the fix: label the Maildir with a dedicated type and grant manage access to
# that type only.
99 userdom_manage_unpriv_users_home_content_files(courier_pop_t)
100 # cjp: the fact that this is different for pop vs imap means that
101 # there should probably be a courier_pop_t and courier_imap_t
102 # this should also probably be a separate type too instead of
103 # the regular home dir
104 userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
106 ########################################
# Rules for courier_tcpd_t, the listener domain. The section's header comment is not in this
# listing: listing lines 107-110 are absent.
# CAP_KILL lets the listener signal processes it does not own. SELinux still requires
# signal permission on the target domain, and no such rule is visible here.
111 allow courier_tcpd_t self:capability kill;
# Run courier_exec_t helpers inside this domain (no transition).
113 can_exec(courier_tcpd_t, courier_exec_t)
# Full management of files under courier_var_lib_t; directories are read/write and symlinks
# can be created.
115 allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
116 allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
117 allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
118 files_search_var_lib(courier_tcpd_t)
120 corecmd_search_sbin(courier_tcpd_t)
# The only port binding visible here is the POP port type. NOTE(review): listing lines
# 123-124 are absent, and the POP section's comments say this service also handles IMAP --
# check the full file for other network rules.
122 corenet_tcp_bind_pop_port(courier_tcpd_t)
125 dev_read_rand(courier_tcpd_t)
126 dev_read_urand(courier_tcpd_t)
128 miscfiles_read_localization(courier_tcpd_t)
# The listener hands accepted connections to the mailbox server by transitioning to courier_pop_t.
130 courier_domtrans_pop(courier_tcpd_t)
132 ########################################
134 # Webmail local policy
# Rules for courier_sqwebmail_t. Only two grants are visible in this listing.
137 kernel_read_kernel_sysctls(courier_sqwebmail_t)
# Registers courier_sqwebmail_exec_t as an entry point that system cron jobs can use to
# enter courier_sqwebmail_t. This presumably covers sqwebmail's periodic maintenance job and
# explains the sqwebmail_cron_exec_t alias -- confirm.
140 cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t)