#DESC Courier - POP and IMAP servers
#
# Author:  Russell Coker
# Modified by: Petre Rodan
#
# Three daemon domains are built from the courier_domain() macro below:
# courier_authdaemon_t (authentication), courier_tcpd_t (network listener)
# and courier_imap_t (shared by the POP and IMAP protocol handlers); a
# fourth, courier_pcp_t (calendaring), is declared further down the file.

# File types.  courier_shadow_t is kept apart from courier_etc_t so that
# credential files can be restricted to the authentication daemon only
# (see the courier_authdaemon_t rules below).
type courier_exec_t, file_type, sysadmfile, exec_type;
type courier_var_run_t, file_type, sysadmfile, pidfile;
type courier_etc_t, file_type, sysadmfile;
type courier_shadow_t, file_type, sysadmfile;

# Port types the listener is allowed to bind (see courier_tcpd_t below).
type imap_port_t, port_type;
type imaps_port_t, port_type;
type pop_port_t, port_type;
type pops_port_t, port_type;

define(`courier_domain', `
#################################
#
# Rules for the courier_$1_t domain.
#
# courier_$1_exec_t is the type of the courier_$1 executables.
# $2 is passed straight through to daemon_base_domain; from the one call
# site that uses it this looks like an extra attribute list -- confirm
# against the daemon_base_domain definition.
#
daemon_base_domain(courier_$1, `$2')

allow courier_$1_t var_run_t:dir search;
rw_dir_create_file(courier_$1_t, courier_var_run_t)
allow courier_$1_t courier_var_run_t:sock_file create_file_perms;

# allow it to read config files etc
allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
allow courier_$1_t courier_etc_t:file r_file_perms;
allow courier_$1_t etc_t:dir r_dir_perms;
allow courier_$1_t etc_t:file r_file_perms;

# execute scripts etc
allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
allow courier_$1_t bin_t:dir r_dir_perms;
allow courier_$1_t fs_t:filesystem getattr;

# set process group and allow permissions over-ride
allow courier_$1_t self:process setpgid;
# NOTE(review): dac_override is granted here, i.e. to every domain built
# from this macro (authdaemon, tcpd, imap, pcp), not only to the one that
# reads credential files.  If the audit log shows that only
# courier_authdaemon_t needs it, move this rule next to the authdaemon
# rules below so the listener and the protocol handlers lose it.
allow courier_$1_t self:capability dac_override;

# Use the network.
can_network(courier_$1_t)
allow courier_$1_t self:fifo_file { read write getattr };
allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
allow courier_$1_t self:unix_dgram_socket create_socket_perms;
allow courier_$1_t null_device_t:chr_file rw_file_perms;

# allow it to log to /dev/tty
allow courier_$1_t devtty_t:chr_file rw_file_perms;

allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
allow courier_$1_t usr_t:dir r_dir_perms;
allow courier_$1_t root_t:dir r_dir_perms;
# Execution of the own executables and of anything under bin_t.  Unlike
# the domain_auto_trans() rules further down the file these name no target
# domain, so the child presumably stays in courier_$1_t -- confirm against
# the can_exec macro definition.  bin_t is broad; a compromised courier
# process can run any system binary in its own domain.
can_exec(courier_$1_t, courier_$1_exec_t)
can_exec(courier_$1_t, bin_t)
# bin_t:dir search is already covered by the r_dir_perms rule above
# (assuming r_dir_perms includes search); harmless but redundant.
allow courier_$1_t bin_t:dir search;
allow courier_$1_t proc_t:dir r_dir_perms;
allow courier_$1_t proc_t:file r_file_perms;
')dnl

#################################
#
# Rules for the authentication daemon domain
#
# The extra macro argument is appended to the domain attributes; auth_chkpwd
# is presumably what grants password-checking access in the base policy
# (its definition is not visible in this file).
courier_domain(authdaemon, `, auth_chkpwd')
allow courier_authdaemon_t sbin_t:dir search;
read_locale(courier_authdaemon_t)
# Credential files: no other rule in this file grants courier_shadow_t to
# courier_tcpd_t or courier_imap_t, so keep it that way.
allow courier_authdaemon_t courier_shadow_t:file r_file_perms;
var_lib_domain(courier_authdaemon)
allow courier_authdaemon_t courier_authdaemon_var_lib_t:sock_file create_file_perms;

#################################
#
# Rules for the networking domain -- the listener that accepts POP/IMAP
# connections and hands them to courier_imap_t (see the domain_auto_trans
# rules further down the file).
courier_domain(tcpd)
# Bind the privileged POP/IMAP/POP3S/IMAPS ports.  This is the only domain
# in this file that gets net_bind_service.
allow courier_tcpd_t self:capability net_bind_service;
allow courier_tcpd_t imap_port_t:tcp_socket name_bind;
allow courier_tcpd_t imaps_port_t:tcp_socket name_bind;
allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
allow courier_tcpd_t pops_port_t:tcp_socket name_bind;
allow courier_tcpd_t sbin_t:dir search;
# for TLS
allow courier_tcpd_t random_device_t:chr_file read;
read_locale(courier_tcpd_t)
# Generic courier_exec_t binaries run here without a domain transition
# (there is no domain_auto_trans for courier_exec_t anywhere in this file).
can_exec(courier_tcpd_t, courier_exec_t)

# The authentication daemon reads and writes sockets created by the
# listener -- presumably the client connection handed down through
# courier_imap_t (see the transitions below).
allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;

# Any user domain is meant to be able to connect to the listening ports.
can_tcp_connect(userdomain, courier_tcpd_t)
var_run_domain(courier_tcpd)
var_lib_domain(courier_tcpd)

# domain for pop and imap
# One domain serves both protocols, so every permission granted to
# courier_imap_t (in this file or elsewhere) is also held by the POP server.
courier_domain(imap)
read_locale(courier_imap_t)
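# Process flow for one client connection, as expressed by the transitions:
# courier_tcpd_t -> courier_imap_t -> courier_authdaemon_t -> courier_imap_t.
# courier_imap_t holds no setuid/setgid capability anywhere in this file, so
# the switch to the mail user presumably happens in courier_authdaemon_t
# (which does get setuid/setgid, see below) before the transition back --
# confirm against the courier source.
domain_auto_trans(courier_tcpd_t, courier_imap_exec_t, courier_imap_t)
allow courier_imap_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
domain_auto_trans(courier_imap_t, courier_authdaemon_exec_t, courier_authdaemon_t)
allow courier_imap_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
# Descriptors and pipes inherited from the listener.  (tcp_socket access to
# courier_tcpd_t is already granted by the { unix_stream_socket tcp_socket }
# rule in the courier_tcpd_t section, so it is not repeated here.)
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
allow courier_imap_t courier_authdaemon_t:process sigchld;
domain_auto_trans(courier_authdaemon_t, courier_imap_exec_t, courier_imap_t)

# do the actual work (read the Maildir)
# imap needs to write files
allow courier_imap_t home_root_t:dir { getattr search };
allow courier_imap_t user_home_dir_type:dir { getattr search };
# pop does not need to create subdirs, IMAP does -- but both protocols run
# in courier_imap_t, so the POP server gets this as well.
# NOTE(review): create_dir_file over the whole user_home_type attribute
# reaches every home-directory file type, not just the Maildir; what is
# left to separate users from each other is DAC after the presumed setuid.
create_dir_file(courier_imap_t, user_home_type)
# rw /var/lib/courier-imap/couriersslcache
# NOTE(review): this is a shared cache and the rule covers every file of
# type courier_tcpd_var_lib_t.  If courier_imap_t already runs as the
# authenticated user when it touches the cache, any mail user can read and
# write it; a dedicated type for the cache file would at least keep the
# rest of courier_tcpd_var_lib_t out of reach.
allow courier_imap_t courier_tcpd_var_lib_t:file rw_file_perms;

# for calendaring
courier_domain(pcp)
allow courier_pcp_t self:capability { setuid setgid };
allow courier_pcp_t random_device_t:chr_file r_file_perms;

# misc stuff that in a normal world should not be needed
allow courier_authdaemon_t home_root_t:dir search;
allow courier_authdaemon_t user_home_dir_type:dir search;
dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
allow courier_authdaemon_t self:unix_stream_socket connectto;
# setuid/setgid: see the process-flow note at the top of this section.
# NOTE(review): sys_tty_config is unusual for an authentication daemon; if
# it is only probed and never actually needed, a dontaudit would be safer
# than an allow.
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
allow courier_authdaemon_t resolv_conf_t:file { read getattr };

# allow start scripts to read the config
allow initrc_t courier_etc_t:file r_file_perms;
# allow start/stop scripts to play with /var/lib/courier-imap/authdaemon/pid
# (it is a wrong place for a pid file ...)
# NOTE(review): this grants create/write on every courier_authdaemon_var_lib_t
# file, not only the pid file; labelling the pid file with a pidfile type
# (courier_var_run_t is already one) would narrow what init scripts can touch.
allow initrc_t courier_authdaemon_var_lib_t:file create_file_perms;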