From 01e7daf034e53184bb62d60b62bf5bb4fe4cf86b Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Fri, 6 Jan 2012 22:17:48 +0100
Subject: [PATCH] Remove module for evolution.
---
 policy/modules/apps/evolution.fc | 21 -
 policy/modules/apps/evolution.if | 153 ------
 policy/modules/apps/evolution.te | 598 ------------------------
 policy/modules/roles/staff.te | 4 -
 policy/modules/roles/sysadm.te | 4 -
 policy/modules/roles/unprivuser.te | 4 -
 policy/modules/services/spamassassin.te | 10 -
 policy/modules/system/userdomain.if | 5 -
 8 files changed, 799 deletions(-)
 delete mode 100644 policy/modules/apps/evolution.fc
 delete mode 100644 policy/modules/apps/evolution.if
 delete mode 100644 policy/modules/apps/evolution.te
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
deleted file mode 100644
index c0112777..00000000
--- a/policy/modules/apps/evolution.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# HOME_DIR/
-#
-
-HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
-HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
-
-#
-# /tmp
-#
-/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
-
-#
-# /usr
-#
-/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
-
-/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
-/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
-/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
-/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
deleted file mode 100644
index 1cb204c9..00000000
--- a/policy/modules/apps/evolution.if
+++ /dev/null
@@ -1,153 +0,0 @@
-## Evolution email client
-
-########################################
-##
-## Role access for evolution
-##
-##
-##
-## Role allowed access
-##
-##
-##
-##
-## User domain for the role
-##
-##
-#
-interface(`evolution_role',`
- gen_require(`
- type evolution_t, evolution_exec_t, evolution_home_t;
- type evolution_alarm_t, evolution_alarm_exec_t;
- type evolution_exchange_t, evolution_exchange_exec_t;
- type evolution_exchange_orbit_tmp_t;
- type evolution_server_t, evolution_server_exec_t;
- type evolution_webcal_t, evolution_webcal_exec_t;
- ')
-
- role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
- role $1 types { evolution_server_t evolution_webcal_t };
-
- domtrans_pattern($2, evolution_exec_t, evolution_t)
- domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
- domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
- domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
- domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
-
- ps_process_pattern($2, evolution_t)
- ps_process_pattern($2, evolution_alarm_t)
- ps_process_pattern($2, evolution_exchange_t)
- ps_process_pattern($2, evolution_server_t)
- ps_process_pattern($2, evolution_webcal_t)
-
- allow evolution_t $2:dir search;
- allow evolution_t $2:file read;
- allow evolution_t $2:lnk_file read;
- allow evolution_t $2:unix_stream_socket connectto;
-
- allow $2 evolution_t:unix_stream_socket connectto;
- allow $2 evolution_t:process noatsecure;
- allow $2 evolution_t:process signal_perms;
-
- # Access .evolution
- allow $2 evolution_home_t:dir manage_dir_perms;
- allow $2 evolution_home_t:file manage_file_perms;
- allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
- allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
- allow evolution_exchange_t $2:unix_stream_socket connectto;
-
- # Clock applet talks to exchange (FIXME: Needs policy)
- allow $2 evolution_exchange_t:unix_stream_socket connectto;
- allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
-')
-
-########################################
-##
-## Create objects in users evolution home folders.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-#
-interface(`evolution_home_filetrans',`
- gen_require(`
- type evolution_home_t;
- ')
-
- allow $1 evolution_home_t:dir rw_dir_perms;
- type_transition $1 evolution_home_t:$3 $2;
-')
-
-########################################
-##
-## Connect to evolution unix stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`evolution_stream_connect',`
- gen_require(`
- type evolution_t, evolution_home_t;
- ')
-
- allow $1 evolution_t:unix_stream_socket connectto;
- allow $1 evolution_home_t:dir search;
-')
-
-########################################
-##
-## Send and receive messages from
-## evolution over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`evolution_dbus_chat',`
- gen_require(`
- type evolution_t;
- class dbus send_msg;
- ')
-
- allow $1 evolution_t:dbus send_msg;
- allow evolution_t $1:dbus send_msg;
-')
-
-########################################
-##
-## Send and receive messages from
-## evolution_alarm over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`evolution_alarm_dbus_chat',`
- gen_require(`
- type evolution_alarm_t;
- class dbus send_msg;
- ')
-
- allow $1 evolution_alarm_t:dbus send_msg;
- allow evolution_alarm_t $1:dbus send_msg;
-')
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
deleted file mode 100644
index c6cbb69e..00000000
--- a/policy/modules/apps/evolution.te
+++ /dev/null
@@ -1,598 +0,0 @@ -policy_module(evolution, 2.2.0) - -######################################## -# -# Declarations -# - -type evolution_t; -type evolution_exec_t; -typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; -typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; -application_domain(evolution_t, evolution_exec_t) -ubac_constrained(evolution_t) - -type evolution_alarm_t; -type evolution_alarm_exec_t; -typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; -typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; -application_domain(evolution_alarm_t, evolution_alarm_exec_t) -ubac_constrained(evolution_alarm_t) - -type evolution_alarm_tmpfs_t; -typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; -typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; -files_tmpfs_file(evolution_alarm_tmpfs_t) -ubac_constrained(evolution_alarm_tmpfs_t) - -type evolution_alarm_orbit_tmp_t; -typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; -typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -files_tmp_file(evolution_alarm_orbit_tmp_t) -ubac_constrained(evolution_alarm_orbit_tmp_t) - -type evolution_exchange_t; -type evolution_exchange_exec_t; -typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; -typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; -application_domain(evolution_exchange_t, evolution_exchange_exec_t) -ubac_constrained(evolution_exchange_t) - -type evolution_exchange_tmpfs_t; -typealias 
evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; -typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; -files_tmpfs_file(evolution_exchange_tmpfs_t) -ubac_constrained(evolution_exchange_tmpfs_t) - -type evolution_exchange_tmp_t; -typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; -typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -files_tmp_file(evolution_exchange_tmp_t) -ubac_constrained(evolution_exchange_tmp_t) - -type evolution_exchange_orbit_tmp_t; -typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; -typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -files_tmp_file(evolution_exchange_orbit_tmp_t) -ubac_constrained(evolution_exchange_orbit_tmp_t) - -type evolution_home_t; -typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; -typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t }; -userdom_user_home_content(evolution_home_t) - -type evolution_orbit_tmp_t; -typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; -typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -files_tmp_file(evolution_orbit_tmp_t) -ubac_constrained(evolution_orbit_tmp_t) - -type evolution_server_t; -type evolution_server_exec_t; -typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; -typealias evolution_server_t alias { auditadm_evolution_server_t 
secadm_evolution_server_t }; -application_domain(evolution_server_t, evolution_server_exec_t) -ubac_constrained(evolution_server_t) - -type evolution_server_orbit_tmp_t; -typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; -typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -files_tmp_file(evolution_server_orbit_tmp_t) -ubac_constrained(evolution_server_orbit_tmp_t) - -type evolution_tmpfs_t; -typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; -typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; -files_tmpfs_file(evolution_tmpfs_t) -ubac_constrained(evolution_tmpfs_t) - -type evolution_webcal_t; -type evolution_webcal_exec_t; -typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; -typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; -application_domain(evolution_webcal_t, evolution_webcal_exec_t) -ubac_constrained(evolution_webcal_t) - -type evolution_webcal_tmpfs_t; -typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; -typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; -files_tmpfs_file(evolution_webcal_tmpfs_t) -ubac_constrained(evolution_webcal_tmpfs_t) - -######################################## -# -# Evolution local policy -# - -allow evolution_t self:capability { setuid setgid sys_nice }; -allow evolution_t self:process { signal getsched setsched }; -allow evolution_t self:fifo_file rw_file_perms; -allow evolution_t self:tcp_socket create_socket_perms; -allow evolution_t self:udp_socket create_socket_perms; - -allow evolution_t 
evolution_alarm_t:dir search_dir_perms; -allow evolution_t evolution_alarm_t:file read; - -allow evolution_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write; - -can_exec(evolution_t, evolution_alarm_exec_t) - -allow evolution_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write; - -allow evolution_t evolution_home_t:dir manage_dir_perms; -allow evolution_t evolution_home_t:file manage_file_perms; -allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_search_user_home_dirs(evolution_t) - -allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_t evolution_server_t:dir search_dir_perms; -allow evolution_t evolution_server_t:file read; - -allow evolution_t evolution_server_t:unix_stream_socket connectto; -allow evolution_t evolution_server_orbit_tmp_t:sock_file write; - -can_exec(evolution_t, evolution_server_exec_t) - -allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; -allow evolution_t evolution_tmpfs_t:file manage_file_perms; -allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -#FIXME check to see if really needed -kernel_read_kernel_sysctls(evolution_t) -kernel_read_system_state(evolution_t) -# Allow netstat -kernel_read_network_state(evolution_t) -kernel_read_net_sysctls(evolution_t) 
- -corecmd_exec_shell(evolution_t) -# Run various programs -corecmd_exec_bin(evolution_t) - -corenet_all_recvfrom_unlabeled(evolution_t) -corenet_all_recvfrom_netlabel(evolution_t) -corenet_tcp_sendrecv_generic_if(evolution_t) -corenet_udp_sendrecv_generic_if(evolution_t) -corenet_raw_sendrecv_generic_if(evolution_t) -corenet_tcp_sendrecv_generic_node(evolution_t) -corenet_udp_sendrecv_generic_node(evolution_t) -corenet_tcp_sendrecv_pop_port(evolution_t) -corenet_udp_sendrecv_pop_port(evolution_t) -corenet_tcp_sendrecv_smtp_port(evolution_t) -corenet_udp_sendrecv_smtp_port(evolution_t) -corenet_tcp_sendrecv_innd_port(evolution_t) -corenet_udp_sendrecv_innd_port(evolution_t) -corenet_tcp_sendrecv_ldap_port(evolution_t) -corenet_udp_sendrecv_ldap_port(evolution_t) -corenet_tcp_sendrecv_ipp_port(evolution_t) -corenet_udp_sendrecv_ipp_port(evolution_t) -corenet_tcp_connect_pop_port(evolution_t) -corenet_tcp_connect_smtp_port(evolution_t) -corenet_tcp_connect_innd_port(evolution_t) -corenet_tcp_connect_ldap_port(evolution_t) -corenet_tcp_connect_ipp_port(evolution_t) -corenet_sendrecv_pop_client_packets(evolution_t) -corenet_sendrecv_smtp_client_packets(evolution_t) -corenet_sendrecv_innd_client_packets(evolution_t) -corenet_sendrecv_ldap_client_packets(evolution_t) -corenet_sendrecv_ipp_client_packets(evolution_t) -# not sure about this bind -corenet_udp_bind_generic_node(evolution_t) -corenet_udp_bind_generic_port(evolution_t) - -dev_read_urand(evolution_t) - -domain_dontaudit_read_all_domains_state(evolution_t) - -files_read_etc_files(evolution_t) -files_read_usr_files(evolution_t) -files_read_usr_symlinks(evolution_t) -files_read_var_files(evolution_t) - -fs_search_auto_mountpoints(evolution_t) - -auth_use_nsswitch(evolution_t) - -logging_send_syslog_msg(evolution_t) - -miscfiles_read_localization(evolution_t) - -sysnet_read_config(evolution_t) -sysnet_dns_name_resolve(evolution_t) - -udev_read_state(evolution_t) - -userdom_rw_user_tmp_files(evolution_t) 
-userdom_manage_user_tmp_dirs(evolution_t) -userdom_manage_user_tmp_sockets(evolution_t) -userdom_manage_user_tmp_files(evolution_t) -userdom_use_inherited_user_terminals(evolution_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_t) - -mta_read_config(evolution_t) - -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) -xserver_read_xdm_tmp_files(evolution_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_t) - fs_manage_nfs_files(evolution_t) - fs_manage_nfs_symlinks(evolution_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_t) - fs_manage_cifs_files(evolution_t) - fs_manage_cifs_symlinks(evolution_t) -') - -tunable_policy(`mail_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(evolution_t) - files_list_home(evolution_t) - fs_read_nfs_files(evolution_t) - fs_read_nfs_symlinks(evolution_t) - -',` - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_auto_mountpoints(evolution_t) - fs_dontaudit_read_nfs_files(evolution_t) - fs_dontaudit_list_nfs(evolution_t) -') - -tunable_policy(`mail_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(evolution_t) - files_list_home(evolution_t) - fs_read_cifs_files(evolution_t) - fs_read_cifs_symlinks(evolution_t) -',` - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_auto_mountpoints(evolution_t) - fs_dontaudit_read_cifs_files(evolution_t) - fs_dontaudit_list_cifs(evolution_t) -') - -tunable_policy(`mail_read_content',` - userdom_list_user_tmp(evolution_t) - userdom_read_user_tmp_files(evolution_t) - userdom_read_user_tmp_symlinks(evolution_t) - userdom_read_user_home_content_files(evolution_t) - userdom_read_user_home_content_symlinks(evolution_t) - - ifndef(`enable_mls',` - fs_search_removable(evolution_t) - 
fs_read_removable_files(evolution_t) - fs_read_removable_symlinks(evolution_t) - ') -',` - files_dontaudit_list_tmp(evolution_t) - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_removable(evolution_t) - fs_dontaudit_read_removable_files(evolution_t) - userdom_dontaudit_list_user_tmp(evolution_t) - userdom_dontaudit_read_user_tmp_files(evolution_t) - userdom_dontaudit_list_user_home_dirs(evolution_t) - userdom_dontaudit_read_user_home_content_files(evolution_t) -') - -optional_policy(` - automount_read_state(evolution_t) -') - -# Allow printing the mail -optional_policy(` - cups_read_rw_config(evolution_t) -') - -optional_policy(` - dbus_system_bus_client(evolution_t) - dbus_session_bus_client(evolution_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_t) -') - -# Encrypt mail -optional_policy(` - gpg_domtrans(evolution_t) - gpg_signal(evolution_t) -') - -optional_policy(` - lpd_domtrans_lpr(evolution_t) -') - -### Junk mail filtering (start spamd) -optional_policy(` - spamassassin_exec_spamd(evolution_t) - spamassassin_domtrans_client(evolution_t) - spamassassin_domtrans_local_client(evolution_t) - # Allow evolution to signal the daemon - # FIXME: Now evolution can read spamd temp files - spamassassin_read_spamd_tmp_files(evolution_t) - spamassassin_signal_spamd(evolution_t) - spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) -') - -######################################## -# -# Evolution alarm local policy -# - -allow evolution_alarm_t self:process { signal getsched }; -allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; - -allow evolution_alarm_t evolution_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_alarm_t 
evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; -allow evolution_alarm_t evolution_home_t:file manage_file_perms; -allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; - -dev_read_urand(evolution_alarm_t) - -files_read_etc_files(evolution_alarm_t) -files_read_usr_files(evolution_alarm_t) - -fs_search_auto_mountpoints(evolution_alarm_t) - -auth_use_nsswitch(evolution_alarm_t) - -miscfiles_read_localization(evolution_alarm_t) - -# Access evolution home -userdom_search_user_home_dirs(evolution_alarm_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) - -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_alarm_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_alarm_t) -') - -optional_policy(` - dbus_session_bus_client(evolution_alarm_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_alarm_t) -') - -######################################## -# -# Evolution exchange connector local policy -# - -allow evolution_exchange_t self:process getsched; -allow evolution_exchange_t self:fifo_file 
rw_fifo_file_perms; - -allow evolution_exchange_t self:tcp_socket create_socket_perms; -allow evolution_exchange_t self:udp_socket create_socket_perms; - -allow evolution_exchange_t evolution_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_home_t:file manage_file_perms; -allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write; - -# /tmp/.exchange-$USER -allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) - -allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_network_state(evolution_exchange_t) -kernel_read_net_sysctls(evolution_exchange_t) - -# Allow netstat -corecmd_exec_bin(evolution_exchange_t) - -dev_read_urand(evolution_exchange_t) - -files_read_etc_files(evolution_exchange_t) -files_read_usr_files(evolution_exchange_t) - -# Access evolution home -fs_search_auto_mountpoints(evolution_exchange_t) - 
-auth_use_nsswitch(evolution_exchange_t) - -miscfiles_read_localization(evolution_exchange_t) - -userdom_write_user_tmp_sockets(evolution_exchange_t) -# Access evolution home -userdom_search_user_home_dirs(evolution_exchange_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) - -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_exchange_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_exchange_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_exchange_t) -') - -######################################## -# -# Evolution data server local policy -# - -allow evolution_server_t self:process { getsched signal }; - -allow evolution_server_t self:fifo_file { read write }; -allow evolution_server_t self:unix_stream_socket { accept connectto }; -# Talk to ldap (address book), -# Obtain weather data via http (read server name from xml file in /usr) -allow evolution_server_t self:tcp_socket create_socket_perms; - -allow evolution_server_t evolution_t:unix_stream_socket connectto; -allow evolution_server_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_server_t evolution_home_t:dir manage_dir_perms; -allow evolution_server_t evolution_home_t:file manage_file_perms; -allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write; - 
-kernel_read_system_state(evolution_server_t) - -corecmd_exec_shell(evolution_server_t) - -# Obtain weather data via http (read server name from xml file in /usr) -corenet_all_recvfrom_unlabeled(evolution_server_t) -corenet_all_recvfrom_netlabel(evolution_server_t) -corenet_tcp_sendrecv_generic_if(evolution_server_t) -corenet_tcp_sendrecv_generic_node(evolution_server_t) -corenet_tcp_sendrecv_http_port(evolution_server_t) -corenet_tcp_sendrecv_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_port(evolution_server_t) -corenet_sendrecv_http_client_packets(evolution_server_t) -corenet_sendrecv_http_cache_client_packets(evolution_server_t) - -dev_read_urand(evolution_server_t) - -files_read_etc_files(evolution_server_t) -# Obtain weather data via http (read server name from xml file in /usr) -files_read_usr_files(evolution_server_t) - -fs_search_auto_mountpoints(evolution_server_t) - -auth_use_nsswitch(evolution_server_t) - -miscfiles_read_localization(evolution_server_t) -# Look in /etc/pki -miscfiles_read_generic_certs(evolution_server_t) - -# Talk to ldap (address book) -sysnet_read_config(evolution_server_t) -sysnet_dns_name_resolve(evolution_server_t) -sysnet_use_ldap(evolution_server_t) - -# Access evolution home -userdom_search_user_home_dirs(evolution_server_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_server_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_server_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_server_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_server_t) -') - -######################################## -# -# Evolution webcal local policy -# - -allow evolution_webcal_t 
self:tcp_socket create_socket_perms; - -# X/evolution common stuff -allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -corenet_all_recvfrom_unlabeled(evolution_webcal_t) -corenet_all_recvfrom_netlabel(evolution_webcal_t) -corenet_tcp_sendrecv_generic_if(evolution_webcal_t) -corenet_raw_sendrecv_generic_if(evolution_webcal_t) -corenet_tcp_sendrecv_generic_node(evolution_webcal_t) -corenet_raw_sendrecv_generic_node(evolution_webcal_t) -corenet_tcp_sendrecv_http_port(evolution_webcal_t) -corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_port(evolution_webcal_t) -corenet_sendrecv_http_client_packets(evolution_webcal_t) -corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) - -auth_use_nsswitch(evolution_webcal_t) - -# Networking capability - connect to website and handle ics link -sysnet_read_config(evolution_webcal_t) -sysnet_dns_name_resolve(evolution_webcal_t) - -# Search home directory (?) -userdom_search_user_home_dirs(evolution_webcal_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) - -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 2489e789..815d09f7 100644 
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -245,10 +245,6 @@ ifndef(`distro_redhat',`
 dbus_role_template(staff, staff_r, staff_t)
 ')
 
- optional_policy(`
- evolution_role(staff_r, staff_t)
- ')
-
 optional_policy(`
 games_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4924cf47..f6ec2973 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -502,10 +502,6 @@ ifndef(`distro_redhat',`
 dbus_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 
- optional_policy(`
- evolution_role(sysadm_r, sysadm_t)
- ')
-
 optional_policy(`
 games_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index dd41b667..21379abb 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -127,10 +127,6 @@ ifndef(`distro_redhat',`
 dbus_role_template(user, user_r, user_t)
 ')
 
- optional_policy(`
- evolution_role(user_r, user_t)
- ')
-
 optional_policy(`
 games_role(user_r, user_t)
 ')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 9d10f0b4..c9a01803 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -208,11 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',`
 userdom_manage_user_home_content_symlinks(spamd_t)
 ')
 
-optional_policy(`
- # Write pid file and socket in ~/.evolution/cache/tmp
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
-')
-
 optional_policy(`
 tunable_policy(`spamassassin_can_network && allow_ypbind',`
 nis_use_ypbind_uncond(spamassassin_t)
@@ -323,11 +318,6 @@ optional_policy(`
 abrt_stream_connect(spamc_t)
 ')
 
-optional_policy(`
- # Allow connection to spamd socket above
- evolution_stream_connect(spamc_t)
-')
-
 optional_policy(`
 milter_manage_spamass_state(spamc_t)
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b523cbe0..30fc6451 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -719,11 +719,6 @@ template(`userdom_common_user_template',`
 devicekit_dbus_chat_disk($1_usertype)
 ')
 
- optional_policy(`
- evolution_dbus_chat($1_usertype)
- evolution_alarm_dbus_chat($1_usertype)
- ')
-
 optional_policy(`
 gnome_dbus_chat_gconfdefault($1_usertype)
 ')
-- 
2.47.2