selinux-refpolicy/strict/domains/program/unused/uwimapd.te

48 lines
1.3 KiB
Plaintext

#DESC uw-imapd-ssl server
#
# Author: Ed Street <edstreet@street-tek.com>
# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
# Depends: inetd.te
#
daemon_domain(imapd, `, auth_chkpwd, privhome')
tmp_domain(imapd)
can_network_server_tcp(imapd_t)
allow imapd_t port_type:tcp_socket name_connect;
#declare our own services
allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
allow imapd_t pop_port_t:tcp_socket name_bind;
#declare this a socket from inetd
allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
allow imapd_t self:unix_stream_socket create_socket_perms;
domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
#friendly stuff we dont want to see :)
dontaudit imapd_t bin_t:dir search;
#read /etc/ for hostname nsswitch.conf
allow imapd_t etc_t:file { getattr read };
#socket i/o stuff
allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
#read resolv.conf
allow imapd_t net_conf_t:file { getattr read };
#urandom, for ssl
allow imapd_t random_device_t:chr_file read;
allow imapd_t urandom_device_t:chr_file { read getattr };
allow imapd_t self:fifo_file rw_file_perms;
#mail directory
rw_dir_file(imapd_t, mail_spool_t)
#home directory
allow imapd_t home_root_t:dir search;
allow imapd_t self:file { read getattr };