Attachment 23599 Details for Bug 37179 – type enforcement

type enforcement

courier-imap.te (text/plain), 5.17 KB, created by petre rodan (RETIRED) on 2004-01-11 08:25:16 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: petre rodan (RETIRED)

Created: 2004-01-11 08:25:16 UTC

Size: 5.17 KB

patch

obsolete

>#DESC Courier - POP and IMAP servers
>#
># Author:  Russell Coker <russell@coker.com.au>
># Modified by: Petre Rodan <peter@tehnosistem.ro>
>#
>
>type courier_exec_t, file_type, sysadmfile, exec_type;
>type courier_var_run_t, file_type, sysadmfile, pidfile;
>type courier_etc_t, file_type, sysadmfile;
>type courier_shadow_t, file_type, sysadmfile;
>
>type imap_port_t, port_type;
>type imaps_port_t, port_type;
>type pop_port_t, port_type;
>type pops_port_t, port_type;
>
>
>define(`courier_domain', `
>#################################
>#
># Rules for the courier_$1_t domain.
>#
># courier_$1_exec_t is the type of the courier_$1 executables.
>#
>daemon_base_domain(courier_$1, `$2')
>
>allow courier_$1_t var_run_t:dir search;
>rw_dir_create_file(courier_$1_t, courier_var_run_t)
>allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
>
># allow it to read config files etc
>allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
>allow courier_$1_t courier_etc_t:file r_file_perms;
>allow courier_$1_t etc_t:dir r_dir_perms;
>allow courier_$1_t etc_t:file r_file_perms;
>
># execute scripts etc
>allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
>allow courier_$1_t bin_t:dir r_dir_perms;
>allow courier_$1_t fs_t:filesystem getattr;
>
># set process group and allow permissions over-ride
>allow courier_$1_t self:process setpgid;
>allow courier_$1_t self:capability dac_override;
>
># Use the network.
>can_network(courier_$1_t)
>allow courier_$1_t self:fifo_file { read write getattr };
>allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
>allow courier_$1_t self:unix_dgram_socket create_socket_perms;
>
>allow courier_$1_t null_device_t:chr_file rw_file_perms;
>
># allow it to log to /dev/tty
>allow courier_$1_t devtty_t:chr_file rw_file_perms;
>
>allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
>allow courier_$1_t usr_t:dir r_dir_perms;
>allow courier_$1_t root_t:dir r_dir_perms;
>can_exec(courier_$1_t, courier_$1_exec_t)
>can_exec(courier_$1_t, bin_t)
>allow courier_$1_t bin_t:dir search;
>
>allow courier_$1_t proc_t:dir r_dir_perms;
>allow courier_$1_t proc_t:file r_file_perms;
>
>')dnl
>
>
>#################################
>#
># Rules for the authentication daemon domain
>
>courier_domain(authdaemon, `, auth_chkpwd')
>allow courier_authdaemon_t sbin_t:dir search;
>read_locale(courier_authdaemon_t)
>allow courier_authdaemon_t courier_shadow_t:file r_file_perms;
>
>var_lib_domain(courier_authdaemon)
>
>allow courier_authdaemon_t courier_authdaemon_var_lib_t:sock_file create_file_perms;
>
>#################################
>#
># Rules for the networking domain
>
>courier_domain(tcpd)
>allow courier_tcpd_t self:capability net_bind_service;
>
>allow courier_tcpd_t imap_port_t:tcp_socket name_bind;
>allow courier_tcpd_t imaps_port_t:tcp_socket name_bind;
>allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
>allow courier_tcpd_t pops_port_t:tcp_socket name_bind;
>
>allow courier_tcpd_t sbin_t:dir search;
># for TLS
>allow courier_tcpd_t random_device_t:chr_file read;
>read_locale(courier_tcpd_t)
>can_exec(courier_tcpd_t, courier_exec_t)
>allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
>allow courier_authdaemon_t courier_tcpd_t:process sigchld;
>
>can_tcp_connect(userdomain, courier_tcpd_t)
>
>var_run_domain(courier_tcpd)
>var_lib_domain(courier_tcpd)
>
>
># domain for pop and imap
>courier_domain(imap)
>read_locale(courier_imap_t)
>
>domain_auto_trans(courier_tcpd_t, courier_imap_exec_t, courier_imap_t)
>allow courier_imap_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
>domain_auto_trans(courier_imap_t, courier_authdaemon_exec_t, courier_authdaemon_t)
>allow courier_imap_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
>allow courier_authdaemon_t courier_tcpd_t:fd use;
>allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
>allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
>allow courier_imap_t courier_authdaemon_t:process sigchld;
>domain_auto_trans(courier_authdaemon_t, courier_imap_exec_t, courier_imap_t)
>
># do the actual work (read the Maildir)
># imap needs to write files
>allow courier_imap_t home_root_t:dir { getattr search };
>allow courier_imap_t user_home_dir_type:dir { getattr search };
># pop does not need to create subdirs, IMAP does
>create_dir_file(courier_imap_t, user_home_type)
>
># rw /var/lib/courier-imap/couriersslcache
>allow courier_imap_t courier_tcpd_var_lib_t:file rw_file_perms;
>
># for calendaring
>courier_domain(pcp)
>allow courier_pcp_t self:capability { setuid setgid };
>allow courier_pcp_t random_device_t:chr_file r_file_perms;
>
># misc stuff that in a normal world should not be needed
>allow courier_authdaemon_t home_root_t:dir search;
>allow courier_authdaemon_t user_home_dir_type:dir search;
>dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
>allow courier_authdaemon_t self:unix_stream_socket connectto;
>allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
>allow courier_authdaemon_t resolv_conf_t:file { read getattr };
>
># allow start scripts to read the config
>allow initrc_t courier_etc_t:file r_file_perms;
>
># allow start/stop scripts to play with /var/lib/courier-imap/authdaemon/pid
># (it's a wrong place for a pid file ...)
>allow initrc_t courier_authdaemon_var_lib_t:file create_file_perms;
>
>

Actions: View

Attachments on bug 37179: 23129 | 23130 | 23599 | 24497