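## <summary>Evolution email client.</summary>

########################################
## <summary>
##	Role access for evolution.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`evolution_role',`
	gen_require(`
		attribute_role evolution_roles;
		type evolution_t, evolution_exec_t, evolution_home_t;
		type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t;
		type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t;
		type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t;
		type evolution_server_t, evolution_server_exec_t, evolution_webcal_t;
		type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t;
		type evolution_tmpfs_t, evolution_webcal_tmpfs_t;
	')

	roleattribute $1 evolution_roles;

	# Executing any of the evolution binaries from the user domain
	# transitions into the matching evolution domain.
	domtrans_pattern($2, evolution_exec_t, evolution_t)
	domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
	domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
	domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
	domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)

	# NOTE(review): noatsecure disables the AT_SECURE environment scrub
	# on the transitions above, so caller-controlled variables such as
	# LD_PRELOAD survive into the evolution domains, and ptrace lets the
	# user domain attach a debugger to them. That is only acceptable on
	# the assumption that these domains gain no privilege over the user
	# domain that starts them -- confirm before copying this rule to any
	# domain that does.
	allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
	ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
	ps_process_pattern($2, { evolution_server_t evolution_webcal_t })

	# The client may read the user domain's own /proc/<pid> entries.
	allow evolution_t $2:dir search_dir_perms;
	allow evolution_t $2:file read_file_perms;
	allow evolution_t $2:lnk_file read_lnk_file_perms;

	# Full management of the evolution home content, plus the named
	# transitions that label ~/.camel_certs and ~/.evolution on creation.
	allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
	allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms };
	userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs")
	userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution")

	# Temporary and tmpfs objects of every evolution domain are fully
	# managed by the user domain; note only the directory class is
	# granted for the exchange tmp type.
	allow $2 evolution_exchange_tmp_t:dir { manage_dir_perms relabel_dir_perms };

	allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };

	# Client and exchange back end may connect to the user domain's stream
	# sockets; the user domain may connect to their ORBit sockets in turn.
	# Only evolution_t and evolution_exchange_t get either direction.
	allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
	stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
	stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)

	optional_policy(`
		evolution_dbus_chat($2)
		evolution_alarm_dbus_chat($2)
	')
')

########################################
## <summary>
##	Create objects in the evolution home
##	directories with a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`evolution_home_filetrans',`
	gen_require(`
		type evolution_home_t;
	')

	# Search on the user home directory is needed to reach the
	# evolution home directory in the first place.
	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, evolution_home_t, $2, $3, $4)
')

########################################
## <summary>
##	Read evolution home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`evolution_read_home_files',`
	gen_require(`
		type evolution_home_t;
	')

	# Match evolution_home_filetrans: without search on the user home
	# directory a caller cannot traverse to evolution_home_t content.
	userdom_search_user_home_dirs($1)
	read_files_pattern($1, evolution_home_t, evolution_home_t)
')

########################################
## <summary>
##	Connect to evolution using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`evolution_stream_connect',`
	gen_require(`
		type evolution_t, evolution_orbit_tmp_t;
	')

	# The ORBit socket lives under /tmp, so the caller needs search there.
	files_search_tmp($1)
	stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
')

########################################
## <summary>
##	Read evolution orbit temporary
##	files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`evolution_read_orbit_tmp_files',`
	gen_require(`
		type evolution_orbit_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
')

########################################
## <summary>
##	Send and receive messages from
##	evolution over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`evolution_dbus_chat',`
	gen_require(`
		type evolution_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message evolution and vice versa.
	allow $1 evolution_t:dbus send_msg;
	allow evolution_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	evolution_alarm over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`evolution_alarm_dbus_chat',`
	gen_require(`
		type evolution_alarm_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message evolution_alarm and vice versa.
	allow $1 evolution_alarm_t:dbus send_msg;
	allow evolution_alarm_t $1:dbus send_msg;
')

########################################
## <summary>
##	Make a domain transition to the
##	evolution target domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`evolution_domtrans',`
	gen_require(`
		type evolution_t, evolution_exec_t;
	')

	# Unlike evolution_role, this grants only the transition itself:
	# no ptrace, signal or noatsecure back into evolution_t.
	corecmd_search_bin($1)
	domtrans_pattern($1, evolution_exec_t, evolution_t)
')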