policy_module(evolution, 2.9.2) ######################################## # # Declarations # ## ##

## Allow evolution to create and write ## user certificates in addition to ## being able to read them ##

##
gen_tunable(evolution_manage_user_certs, false) attribute_role evolution_roles; type evolution_t; type evolution_exec_t; userdom_user_application_domain(evolution_t, evolution_exec_t) role evolution_roles types evolution_t; optional_policy(` wm_application_domain(evolution_t, evolution_exec_t) ') type evolution_alarm_t; type evolution_alarm_exec_t; userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t) role evolution_roles types evolution_alarm_t; type evolution_alarm_tmpfs_t; userdom_user_tmpfs_file(evolution_alarm_tmpfs_t) type evolution_alarm_orbit_tmp_t; userdom_user_tmp_file(evolution_alarm_orbit_tmp_t) type evolution_exchange_t; type evolution_exchange_exec_t; userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t) role evolution_roles types evolution_exchange_t; type evolution_exchange_tmpfs_t; userdom_user_tmpfs_file(evolution_exchange_tmpfs_t) type evolution_exchange_tmp_t; userdom_user_tmp_file(evolution_exchange_tmp_t) type evolution_exchange_orbit_tmp_t; userdom_user_tmp_file(evolution_exchange_orbit_tmp_t) type evolution_home_t; userdom_user_home_content(evolution_home_t) type evolution_orbit_tmp_t; userdom_user_tmp_file(evolution_orbit_tmp_t) type evolution_server_t; type evolution_server_exec_t; userdom_user_application_domain(evolution_server_t, evolution_server_exec_t) role evolution_roles types evolution_server_t; type evolution_server_orbit_tmp_t; userdom_user_tmp_file(evolution_server_orbit_tmp_t) type evolution_tmpfs_t; userdom_user_tmpfs_file(evolution_tmpfs_t) type evolution_webcal_t; type evolution_webcal_exec_t; userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t) role evolution_roles types evolution_webcal_t; type evolution_webcal_tmpfs_t; userdom_user_tmpfs_file(evolution_webcal_tmpfs_t) type evolution_xdg_cache_t; xdg_cache_content(evolution_xdg_cache_t) type evolution_xdg_config_t; xdg_config_content(evolution_xdg_config_t) type evolution_xdg_data_t; xdg_data_content(evolution_xdg_data_t) ######################################## # # Local policy # allow evolution_t self:capability { setgid setuid sys_nice }; allow evolution_t self:process { execmem getsched setsched signal signull }; allow evolution_t self:fifo_file rw_file_perms; allow evolution_t evolution_home_t:dir manage_dir_perms; allow evolution_t evolution_home_t:file manage_file_perms; allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".evolution") userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".camel_certs") allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; allow evolution_t evolution_tmpfs_t:file manage_file_perms; allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms; allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms; stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) manage_files_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t) manage_dirs_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t) xdg_cache_filetrans(evolution_t, evolution_xdg_cache_t, { dir file } ) manage_files_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t) manage_dirs_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t) xdg_config_filetrans(evolution_t, evolution_xdg_config_t, { dir file } ) manage_files_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t) manage_dirs_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t) xdg_data_filetrans(evolution_t, evolution_xdg_data_t, { dir file } ) can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t }) kernel_read_kernel_sysctls(evolution_t) kernel_read_system_state(evolution_t) kernel_read_network_state(evolution_t) kernel_read_net_sysctls(evolution_t) corecmd_exec_bin(evolution_t) corecmd_exec_shell(evolution_t) corenet_all_recvfrom_unlabeled(evolution_t) corenet_all_recvfrom_netlabel(evolution_t) corenet_tcp_sendrecv_generic_if(evolution_t) corenet_udp_sendrecv_generic_if(evolution_t) corenet_raw_sendrecv_generic_if(evolution_t) corenet_tcp_sendrecv_generic_node(evolution_t) corenet_udp_sendrecv_generic_node(evolution_t) corenet_sendrecv_pop_client_packets(evolution_t) corenet_tcp_connect_pop_port(evolution_t) corenet_sendrecv_smtp_client_packets(evolution_t) corenet_tcp_connect_smtp_port(evolution_t) corenet_sendrecv_innd_client_packets(evolution_t) corenet_tcp_connect_innd_port(evolution_t) corenet_sendrecv_ldap_client_packets(evolution_t) corenet_tcp_connect_ldap_port(evolution_t) corenet_sendrecv_ipp_client_packets(evolution_t) corenet_tcp_connect_ipp_port(evolution_t) dev_read_rand(evolution_t) dev_read_urand(evolution_t) domain_dontaudit_read_all_domains_state(evolution_t) files_map_usr_files(evolution_t) files_read_usr_files(evolution_t) fs_dontaudit_getattr_xattr_fs(evolution_t) fs_getattr_tmpfs(evolution_t) fs_search_auto_mountpoints(evolution_t) fs_search_cgroup_dirs(evolution_t) auth_use_nsswitch(evolution_t) logging_send_syslog_msg(evolution_t) miscfiles_read_generic_certs(evolution_t) miscfiles_read_localization(evolution_t) udev_read_state(evolution_t) userdom_use_user_terminals(evolution_t) tunable_policy(`evolution_manage_user_certs',` userdom_manage_user_certs(evolution_t) ',` userdom_dontaudit_manage_user_certs(evolution_t) userdom_read_user_certs(evolution_t) ') userdom_write_user_tmp_sockets(evolution_t) userdom_user_content_access_template(evolution, evolution_t) mta_read_config(evolution_t) xdg_manage_downloads(evolution_t) xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) xserver_read_xdm_tmp_files(evolution_t) ifndef(`enable_mls',` fs_list_dos(evolution_t) fs_read_dos_files(evolution_t) fs_search_removable(evolution_t) fs_read_removable_files(evolution_t) fs_read_removable_symlinks(evolution_t) fs_read_iso9660_files(evolution_t) ') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_t) fs_manage_nfs_files(evolution_t) fs_manage_nfs_symlinks(evolution_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(evolution_t) fs_manage_cifs_files(evolution_t) fs_manage_cifs_symlinks(evolution_t) ') optional_policy(` automount_read_state(evolution_t) ') optional_policy(` cups_read_rw_config(evolution_t) ') optional_policy(` dbus_system_bus_client(evolution_t) dbus_all_session_bus_client(evolution_t) ') optional_policy(` gnome_stream_connect_gconf(evolution_t) ') optional_policy(` gpg_domtrans(evolution_t) gpg_signal(evolution_t) ') optional_policy(` lpd_run_lpr(evolution_t, evolution_roles) ') optional_policy(` mozilla_read_user_home_files(evolution_t) mozilla_domtrans(evolution_t) ') optional_policy(` ooffice_domtrans(evolution_t) ooffice_rw_tmp_files(evolution_t) ') optional_policy(` spamassassin_exec_spamd(evolution_t) spamassassin_domtrans_client(evolution_t) spamassassin_domtrans_local_client(evolution_t) spamassassin_read_spamd_tmp_files(evolution_t) spamassassin_signal_spamd(evolution_t) spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) ') ######################################## # # Alarm local policy # allow evolution_alarm_t self:process { signal getsched }; allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; allow evolution_alarm_t evolution_home_t:file manage_file_perms; allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution") userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs") stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) kernel_dontaudit_read_system_state(evolution_alarm_t) dev_read_urand(evolution_alarm_t) files_read_usr_files(evolution_alarm_t) fs_dontaudit_getattr_xattr_fs(evolution_alarm_t) fs_search_auto_mountpoints(evolution_alarm_t) auth_use_nsswitch(evolution_alarm_t) miscfiles_read_localization(evolution_alarm_t) userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_alarm_t) fs_manage_nfs_files(evolution_alarm_t) fs_manage_nfs_symlinks(evolution_alarm_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(evolution_alarm_t) fs_manage_cifs_files(evolution_alarm_t) fs_manage_cifs_symlinks(evolution_alarm_t) ') optional_policy(` dbus_all_session_bus_client(evolution_alarm_t) dbus_connect_all_session_bus(evolution_alarm_t) optional_policy(` evolution_dbus_chat(evolution_alarm_t) ') ') optional_policy(` gnome_stream_connect_gconf(evolution_alarm_t) ') ######################################## # # Exchange local policy # allow evolution_exchange_t self:process getsched; allow evolution_exchange_t self:fifo_file rw_fifo_file_perms; allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; allow evolution_exchange_t evolution_home_t:file manage_file_perms; allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".evolution") userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".camel_certs") allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) kernel_read_network_state(evolution_exchange_t) kernel_read_net_sysctls(evolution_exchange_t) corecmd_exec_bin(evolution_exchange_t) dev_read_urand(evolution_exchange_t) files_read_usr_files(evolution_exchange_t) fs_search_auto_mountpoints(evolution_exchange_t) auth_use_nsswitch(evolution_exchange_t) miscfiles_read_localization(evolution_exchange_t) userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) userdom_write_user_tmp_sockets(evolution_exchange_t) xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_exchange_t) fs_manage_nfs_files(evolution_exchange_t) fs_manage_nfs_symlinks(evolution_exchange_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(evolution_exchange_t) fs_manage_cifs_files(evolution_exchange_t) fs_manage_cifs_symlinks(evolution_exchange_t) ') optional_policy(` gnome_stream_connect_gconf(evolution_exchange_t) ') ######################################## # # Server local policy # allow evolution_server_t self:process { getsched signal }; allow evolution_server_t self:fifo_file { read write }; allow evolution_server_t self:unix_stream_socket { accept connectto listen }; allow evolution_server_t evolution_home_t:dir manage_dir_perms; allow evolution_server_t evolution_home_t:file manage_file_perms; allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution") userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs") stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) kernel_read_system_state(evolution_server_t) corecmd_exec_shell(evolution_server_t) corenet_all_recvfrom_unlabeled(evolution_server_t) corenet_all_recvfrom_netlabel(evolution_server_t) corenet_tcp_sendrecv_generic_if(evolution_server_t) corenet_tcp_sendrecv_generic_node(evolution_server_t) corenet_sendrecv_http_cache_client_packets(evolution_server_t) corenet_tcp_connect_http_cache_port(evolution_server_t) corenet_sendrecv_http_client_packets(evolution_server_t) corenet_tcp_connect_http_port(evolution_server_t) dev_read_urand(evolution_server_t) files_read_usr_files(evolution_server_t) fs_search_auto_mountpoints(evolution_server_t) auth_use_nsswitch(evolution_server_t) miscfiles_read_localization(evolution_server_t) miscfiles_read_generic_certs(evolution_server_t) userdom_dontaudit_read_user_home_content_files(evolution_server_t) tunable_policy(`evolution_manage_user_certs',` userdom_manage_user_certs(evolution_server_t) ',` userdom_dontaudit_manage_user_certs(evolution_server_t) userdom_read_user_certs(evolution_server_t) ') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_server_t) fs_manage_nfs_files(evolution_server_t) fs_manage_nfs_symlinks(evolution_server_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(evolution_server_t) fs_manage_cifs_files(evolution_server_t) fs_manage_cifs_symlinks(evolution_server_t) ') optional_policy(` gnome_stream_connect_gconf(evolution_server_t) ') ######################################## # # Webcal local policy # allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) corenet_all_recvfrom_unlabeled(evolution_webcal_t) corenet_all_recvfrom_netlabel(evolution_webcal_t) corenet_tcp_sendrecv_generic_if(evolution_webcal_t) corenet_tcp_sendrecv_generic_node(evolution_webcal_t) corenet_tcp_connect_http_port(evolution_webcal_t) corenet_sendrecv_http_client_packets(evolution_webcal_t) corenet_tcp_connect_http_cache_port(evolution_webcal_t) corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) auth_use_nsswitch(evolution_webcal_t) userdom_search_user_home_dirs(evolution_webcal_t) userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)