blob: d0080bad2f2331b8ad681de63237d8b52f771a6c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
policy_module(courier, 1.6.2)
########################################
#
# Declarations
#
courier_domain_template(authdaemon)
type courier_etc_t;
files_config_file(courier_etc_t)
courier_domain_template(pcp)
courier_domain_template(pop)
type courier_spool_t;
files_type(courier_spool_t)
courier_domain_template(tcpd)
type courier_var_lib_t;
files_type(courier_var_lib_t)
type courier_var_run_t;
files_pid_file(courier_var_run_t)
type courier_exec_t;
mta_agent_executable(courier_exec_t)
courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
########################################
#
# Authdaemon local policy
#
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket connectto;
can_exec(courier_authdaemon_t, courier_exec_t)
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
files_search_spool(courier_authdaemon_t)
corecmd_search_bin(courier_authdaemon_t)
# for SSP
dev_read_urand(courier_authdaemon_t)
files_getattr_tmp_dirs(courier_authdaemon_t)
auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
# should not be needed!
userdom_search_user_home_dirs(courier_authdaemon_t)
courier_domtrans_pop(courier_authdaemon_t)
########################################
#
# Calendar (PCP) local policy
#
allow courier_pcp_t self:capability { setuid setgid };
dev_read_rand(courier_pcp_t)
########################################
#
# POP3/IMAP local policy
#
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file { read write };
miscfiles_read_localization(courier_pop_t)
courier_domtrans_authdaemon(courier_pop_t)
# do the actual work (read the Maildir)
userdom_manage_user_home_content_files(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
userdom_manage_user_home_content_dirs(courier_pop_t)
########################################
#
# TCPd local policy
#
allow courier_tcpd_t self:capability kill;
can_exec(courier_tcpd_t, courier_exec_t)
manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
files_search_var_lib(courier_tcpd_t)
corecmd_search_bin(courier_tcpd_t)
corenet_tcp_bind_all_nodes(courier_tcpd_t)
corenet_tcp_bind_pop_port(courier_tcpd_t)
corenet_sendrecv_pop_server_packets(courier_tcpd_t)
# for TLS
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
miscfiles_read_localization(courier_tcpd_t)
courier_domtrans_pop(courier_tcpd_t)
########################################
#
# Webmail local policy
#
kernel_read_kernel_sysctls(courier_sqwebmail_t)
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')
|
