Gentoo's Bugzilla – Attachment 23599 Details for
Bug 37179
courier-imap policy files
type enforcement
courier-imap.te (text/plain), 5.17 KB, created by
petre rodan (RETIRED)
on 2004-01-11 08:25:16 UTC
Description:
type enforcement
Filename:
MIME Type:
Creator:
petre rodan (RETIRED)
Created:
2004-01-11 08:25:16 UTC
Size:
5.17 KB
patch
obsolete
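#DESC Courier - POP and IMAP servers
#
# Author: Russell Coker <russell@coker.com.au>
# Modified by: Petre Rodan <peter@tehnosistem.ro>
#
# Four domains are derived from the courier_domain macro below:
#   courier_authdaemon_t  - authentication daemon (sole reader of courier_shadow_t)
#   courier_tcpd_t        - network front end (binds the imap/pop port types)
#   courier_imap_t        - pop/imap session domain (works on user Maildirs)
#   courier_pcp_t         - calendaring
#

# Shared file types for all courier domains.  courier_shadow_t holds the
# credential store; only courier_authdaemon_t is given read access to it below.
type courier_exec_t, file_type, sysadmfile, exec_type;
type courier_var_run_t, file_type, sysadmfile, pidfile;
type courier_etc_t, file_type, sysadmfile;
type courier_shadow_t, file_type, sysadmfile;

# Port types bound by courier_tcpd_t.
# NOTE(review): a repeated type declaration is rejected by the policy compiler,
# so this assumes the base policy does not already declare these port types
# -- TODO confirm.
type imap_port_t, port_type;
type imaps_port_t, port_type;
type pop_port_t, port_type;
type pops_port_t, port_type;


define(`courier_domain', `
#################################
#
# Rules for the courier_$1_t domain.
#
# courier_$1_exec_t is the type of the courier_$1 executables.
# The second macro argument is passed through to daemon_base_domain as
# additional attributes (the authdaemon instance uses it for auth_chkpwd).
#
daemon_base_domain(courier_$1, `$2')

# pid and socket files live under courier_var_run_t
allow courier_$1_t var_run_t:dir search;
rw_dir_create_file(courier_$1_t, courier_var_run_t)
allow courier_$1_t courier_var_run_t:sock_file create_file_perms;

# allow it to read config files etc
allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
allow courier_$1_t courier_etc_t:file r_file_perms;
allow courier_$1_t etc_t:dir r_dir_perms;
allow courier_$1_t etc_t:file r_file_perms;

# execute scripts etc
allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
allow courier_$1_t bin_t:dir r_dir_perms;
allow courier_$1_t fs_t:filesystem getattr;

# set process group and allow permissions over-ride
# NOTE(review): dac_override bypasses file mode checks and reaches every
# courier domain through this macro; which of the four domains actually needs
# it is not visible here -- TODO confirm per domain and move the rule out of
# the macro if only one does.
allow courier_$1_t self:process setpgid;
allow courier_$1_t self:capability dac_override;

# Use the network.
can_network(courier_$1_t)
allow courier_$1_t self:fifo_file { read write getattr };
allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
allow courier_$1_t self:unix_dgram_socket create_socket_perms;

allow courier_$1_t null_device_t:chr_file rw_file_perms;

# allow it to log to /dev/tty
allow courier_$1_t devtty_t:chr_file rw_file_perms;

allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
allow courier_$1_t usr_t:dir r_dir_perms;
allow courier_$1_t root_t:dir r_dir_perms;
can_exec(courier_$1_t, courier_$1_exec_t)
can_exec(courier_$1_t, bin_t)
# likely redundant: r_dir_perms on bin_t above normally already includes search
allow courier_$1_t bin_t:dir search;

allow courier_$1_t proc_t:dir r_dir_perms;
allow courier_$1_t proc_t:file r_file_perms;

')dnl


#################################
#
# Rules for the authentication daemon domain

courier_domain(authdaemon, `, auth_chkpwd')
allow courier_authdaemon_t sbin_t:dir search;
read_locale(courier_authdaemon_t)
# the only domain allowed to read the credential store
allow courier_authdaemon_t courier_shadow_t:file r_file_perms;

var_lib_domain(courier_authdaemon)

allow courier_authdaemon_t courier_authdaemon_var_lib_t:sock_file create_file_perms;

#################################
#
# Rules for the networking domain

courier_domain(tcpd)
allow courier_tcpd_t self:capability net_bind_service;

allow courier_tcpd_t imap_port_t:tcp_socket name_bind;
allow courier_tcpd_t imaps_port_t:tcp_socket name_bind;
allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
allow courier_tcpd_t pops_port_t:tcp_socket name_bind;

allow courier_tcpd_t sbin_t:dir search;
# for TLS
# NOTE(review): courier_pcp_t gets r_file_perms on the same device below; if
# the TLS library also needs getattr here, widen this to r_file_perms
# -- TODO confirm against the audit log.
allow courier_tcpd_t random_device_t:chr_file read;
read_locale(courier_tcpd_t)
can_exec(courier_tcpd_t, courier_exec_t)
# authdaemon answers over the stream sockets inherited from tcpd; the
# tcp_socket half of this rule is also what the authdaemon/imap hand-off
# further down relies on, so it is stated only once here.
allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;

# mail clients running in user domains connect to the listener
can_tcp_connect(userdomain, courier_tcpd_t)

var_run_domain(courier_tcpd)
var_lib_domain(courier_tcpd)


# domain for pop and imap
courier_domain(imap)
read_locale(courier_imap_t)

# Hand-off chain given by the three transitions below:
#   tcpd -> imap -> authdaemon -> imap
# The session domain is presumably re-entered once authentication has
# succeeded; the accepting tcpd sockets and fds are inherited along the way.
domain_auto_trans(courier_tcpd_t, courier_imap_exec_t, courier_imap_t)
allow courier_imap_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
domain_auto_trans(courier_imap_t, courier_authdaemon_exec_t, courier_authdaemon_t)
allow courier_imap_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
allow courier_imap_t courier_authdaemon_t:process sigchld;
domain_auto_trans(courier_authdaemon_t, courier_imap_exec_t, courier_imap_t)

# do the actual work (read the Maildir)
# imap needs to write files
allow courier_imap_t home_root_t:dir { getattr search };
allow courier_imap_t user_home_dir_type:dir { getattr search };
# pop does not need to create subdirs, IMAP does
# NOTE(review): this grants create/write on every user_home_type file, not
# only the Maildir; a dedicated Maildir type would limit what a compromised
# session can reach -- TODO evaluate.
create_dir_file(courier_imap_t, user_home_type)

# rw /var/lib/courier-imap/couriersslcache
allow courier_imap_t courier_tcpd_var_lib_t:file rw_file_perms;

# for calendaring
courier_domain(pcp)
allow courier_pcp_t self:capability { setuid setgid };
allow courier_pcp_t random_device_t:chr_file r_file_perms;

# misc stuff that in a normal world should not be needed
allow courier_authdaemon_t home_root_t:dir search;
allow courier_authdaemon_t user_home_dir_type:dir search;
dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
allow courier_authdaemon_t self:unix_stream_socket connectto;
# NOTE(review): sys_tty_config is an unusual capability for an authentication
# daemon; if it only shows up as a harmless denial, a dontaudit would be the
# tighter choice -- TODO confirm against the audit log.
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
allow courier_authdaemon_t resolv_conf_t:file { read getattr };

# allow start scripts to read the config
allow initrc_t courier_etc_t:file r_file_perms;

# allow start/stop scripts to play with /var/lib/courier-imap/authdaemon/pid
# (it's a wrong place for a pid file ...)
allow initrc_t courier_authdaemon_var_lib_t:file create_file_perms;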