
Contents of /selinux/courier-imap/courier-imap.te



Revision 1.11 - (show annotations) (download)
Sun Jun 26 18:42:04 2005 UTC (9 years, 5 months ago) by kaiowas
Branch: MAIN
CVS Tags: HEAD
Changes since 1.10: +25 -31 lines
cleanup

1 #DESC Courier - POP and IMAP servers
2 #
3 # Author: Russell Coker <russell@coker.com.au>
4 # Modified by: Petre Rodan <kaiowas@gentoo.org>
5 #
6
# File types shared by the Courier domains defined in this policy.
#   courier_exec_t    - executable type; courier_tcpd_t may execute it without
#                       a domain transition (see the tcpd rules).
#   courier_var_run_t - pid files and socket files created by the domains that
#                       the courier_domain macro builds.
#   courier_etc_t     - configuration; read by every Courier domain and by
#                       initrc_t.
#   courier_shadow_t  - the only allow rule on it in this file is read access
#                       for courier_authdaemon_t; presumably the Courier
#                       password database - confirm against the file contexts.
# NOTE(review): the sysadmfile attribute is defined outside this file and may
# give other domains access to these types. Verify that before relying on
# courier_shadow_t being confined to the authentication daemon.
7 type courier_exec_t, file_type, exec_type;
8 type courier_var_run_t, file_type, sysadmfile, pidfile;
9 type courier_etc_t, file_type, sysadmfile;
10 type courier_shadow_t, file_type, sysadmfile;
11
# courier_domain(name, extra)
# Builds one daemon domain named courier_<name>_t by calling
# daemon_base_domain and then adding the rules that every Courier daemon
# shares.
#   name  - suffix used in the generated type names.
#   extra - optional text handed through to daemon_base_domain; the only
#           caller in this file that sets it passes the auth_chkpwd attribute.
# Instantiated below for authdaemon, logger, tcpd, imap and pcp, so every
# permission in the body is granted to all five domains.
# Maintenance note: the macro body is a single m4 quoted string, so comments
# added inside it must not contain quote characters.
12 define(`courier_domain', `
13 #################################
14 #
15 # Rules for the courier_$1_t domain.
16 #
17 # courier_$1_exec_t is the type of the courier_$1 executables.
18 #
19 daemon_base_domain(courier_$1, `$2')
20
# Runtime state: search /var/run and manage files and sockets labelled
# courier_var_run_t. This type is shared by all Courier domains.
21 allow courier_$1_t var_run_t:dir search;
22 rw_dir_create_file(courier_$1_t, courier_var_run_t)
23 allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
24
25 # allow it to read config files etc
26 allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
27 allow courier_$1_t courier_etc_t:file r_file_perms;
28 allow courier_$1_t etc_t:dir r_dir_perms;
29 allow courier_$1_t etc_t:file r_file_perms;
30
31 # execute scripts etc
32 allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
33 allow courier_$1_t bin_t:dir r_dir_perms;
34 allow courier_$1_t fs_t:filesystem getattr;
35
36 # set process group and allow permissions over-ride
37 allow courier_$1_t self:process setpgid;
# NOTE(review): dac_override lets the process bypass Unix permission checks on
# files. It is granted to every domain this macro builds; type enforcement
# still limits which types can be reached. Confirm each daemon really needs it.
38 allow courier_$1_t self:capability dac_override;
39
40 # Use the network.
# NOTE(review): can_network is defined outside this file; by its name it gives
# general network access. It applies to every Courier domain - the logger and
# pcp domains included - confirm that scope is intended.
41 can_network(courier_$1_t)
42 allow courier_$1_t self:fifo_file { read write getattr };
43 allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
44 allow courier_$1_t self:unix_dgram_socket create_socket_perms;
45
46 allow courier_$1_t null_device_t:chr_file rw_file_perms;
47
48 # allow it to log to /dev/tty
49 allow courier_$1_t devtty_t:chr_file rw_file_perms;
50
51 allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
52 allow courier_$1_t usr_t:dir r_dir_perms;
53 allow courier_$1_t root_t:dir r_dir_perms;
# Run the domain own executable and generic bin_t programs without leaving
# the domain.
# NOTE(review): these appear to overlap with the rx_file_perms rule on bin_t
# and courier_$1_exec_t above - confirm against the can_exec definition.
54 can_exec(courier_$1_t, courier_$1_exec_t)
55 can_exec(courier_$1_t, bin_t)
56 allow courier_$1_t { bin_t sbin_t }:dir search;
57
# Read access to directories and files labelled proc_t.
58 allow courier_$1_t proc_t:dir r_dir_perms;
59 allow courier_$1_t proc_t:file r_file_perms;
60
61 ')dnl
62
63
64 #################################
65 #
66 # Rules for the authentication daemon domain
67
# The second argument adds the auth_chkpwd attribute to courier_authdaemon_t.
# NOTE(review): auth_chkpwd is defined outside this file; presumably it permits
# running the system password checker - confirm.
68 courier_domain(authdaemon, `, auth_chkpwd')
69
70 var_lib_domain(courier_authdaemon)
71 read_locale(courier_authdaemon_t)
72
73 allow courier_authdaemon_t self:unix_stream_socket connectto;
# setuid and setgid let the daemon change its user and group identity. This is
# in addition to the dac_override capability that courier_domain grants.
74 allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
75 allow courier_authdaemon_t net_conf_t:file { read getattr };
# Read-only access to courier_shadow_t. No other domain receives an allow rule
# on this type within this file.
76 allow courier_authdaemon_t courier_shadow_t:file r_file_perms;
# Socket file under the authdaemon var_lib type. Further down courier_imap_t is
# granted write on this socket file and connectto on the daemon.
77 allow courier_authdaemon_t courier_authdaemon_var_lib_t:sock_file create_file_perms;
78
79 #################################
80 #
81 # Rules for the logger daemon domain
82
83 courier_domain(logger)
84
85 var_run_domain(courier_logger)
86 read_locale(courier_logger_t)
87
# A process in courier_logger_t that executes a file labelled
# courier_authdaemon_exec_t is moved into courier_authdaemon_t.
88 domain_auto_trans(courier_logger_t, courier_authdaemon_exec_t, courier_authdaemon_t)
89
90 allow courier_logger_t courier_authdaemon_t:process signal;
# The next two rules have courier_tcpd_t as their source, not the logger:
# tcpd may signal logger and imap processes. Both courier_tcpd_t and
# courier_imap_t are used here before the courier_domain calls that
# presumably declare them further down.
91 allow courier_tcpd_t courier_logger_t:process signal;
92 allow courier_tcpd_t courier_imap_t:process signal;
93 allow courier_logger_t devpts_t:dir search;
94
95 #################################
96 #
97 # Rules for the networking domain
98
99 courier_domain(tcpd)
100
101 var_run_domain(courier_tcpd)
102 var_lib_domain(courier_tcpd)
103 read_locale(courier_tcpd_t)
# Files labelled courier_exec_t run inside courier_tcpd_t; no transition to a
# narrower domain happens for them.
104 can_exec(courier_tcpd_t, courier_exec_t)
# Domains carrying the userdomain attribute may open TCP connections to tcpd.
105 can_tcp_connect(userdomain, courier_tcpd_t)
106
# net_bind_service permits binding ports below 1024; kill permits signalling
# processes owned by other users.
107 allow courier_tcpd_t self:capability { net_bind_service kill };
# NOTE(review): pop_port_t is the only port type tcpd may bind. Whether it
# also covers the IMAP ports depends on the port definitions outside this
# file - confirm.
108 allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
109 allow courier_tcpd_t bin_t:lnk_file read;
110 allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file read;
111
# Executing the logger binary from tcpd moves the process into courier_logger_t.
112 domain_auto_trans(courier_tcpd_t, courier_logger_exec_t, courier_logger_t)
113
# The authentication daemon may use sockets, file descriptors and pipes that
# belong to courier_tcpd_t, and may send it SIGCHLD.
114 allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
115 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
116 allow courier_authdaemon_t courier_tcpd_t:fd use;
117 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
118
119 # domain for pop and imap
120 courier_domain(imap)
121 read_locale(courier_imap_t)
122
# Domain transitions declared in this section:
#   tcpd -> imap, imap -> authdaemon, imap -> tcpd, authdaemon -> imap.
# NOTE(review): taken together, tcpd, imap and authdaemon can each reach the
# other two by executing the matching binary. The separation between them
# therefore rests on what those entrypoint executables do - keep this in mind
# when assessing the impact of a compromise of any one of the three.
123 domain_auto_trans(courier_tcpd_t, courier_imap_exec_t, courier_imap_t)
124 allow courier_imap_t self:capability { setgid setuid };
125 allow courier_imap_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
126 domain_auto_trans(courier_imap_t, courier_authdaemon_exec_t, courier_authdaemon_t)
127 domain_auto_trans(courier_imap_t, courier_tcpd_exec_t, courier_tcpd_t)
128 allow courier_imap_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
129 domain_auto_trans(courier_authdaemon_t, courier_imap_exec_t, courier_imap_t)
130 allow courier_imap_t courier_authdaemon_t:process sigchld;
# Reach the authentication daemon through its Unix socket: search the
# directory, write to the socket file, connect to the daemon.
131 allow courier_imap_t courier_authdaemon_var_lib_t:dir search;
132 allow courier_imap_t courier_authdaemon_var_lib_t:sock_file write;
133 allow courier_imap_t courier_authdaemon_t:unix_stream_socket connectto;
134
135 allow courier_imap_t var_lib_t:dir search;
136 allow courier_imap_t urandom_device_t:chr_file read;
137
138 # do the actual work (read the Maildir)
139 # imap needs to write files
140 allow courier_imap_t home_root_t:dir { getattr search };
141 allow courier_imap_t user_home_dir_type:dir { getattr search };
142 # pop does not need to create subdirs, IMAP does
# NOTE(review): the target is the user_home_type attribute, so the grant covers
# every type carrying that attribute, not only the Maildir. create_dir_file is
# defined outside this file; by its name it allows creating directories and
# files. A dedicated type for mail storage would narrow this - confirm whether
# the policy offers one.
143 create_dir_file(courier_imap_t, user_home_type)
144
145 # rw /var/lib/courier-imap/couriersslcache
146 allow courier_imap_t courier_tcpd_var_lib_t:file rw_file_perms;
147
148 # for calendaring
# Builds courier_pcp_t with the shared courier_domain rules, then adds the
# ability to change user and group identity and to read the random device.
# No domain_auto_trans into courier_pcp_t appears in this file.
149 courier_domain(pcp)
150 allow courier_pcp_t self:capability { setuid setgid };
151 allow courier_pcp_t random_device_t:chr_file r_file_perms;
152
153 # misc stuff that in a normal world should not be needed
# The authentication daemon may search /home and the user home directories.
154 allow courier_authdaemon_t home_root_t:dir search;
155 allow courier_authdaemon_t user_home_dir_type:dir search;
# dontaudit rules deny the access without writing an audit record, so these
# two denials will not show up when reviewing logs for authdaemon activity.
156 dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
157 dontaudit courier_authdaemon_t tmp_t:dir getattr;
158 allow courier_tcpd_t devpts_t:dir search;
159
160 # allow start scripts to read the config
161 allow initrc_t courier_etc_t:file r_file_perms;
