selinux-refpolicy/mls/macros/program/mail_client_macros.te


#
# Shared macro for mail clients
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
########################################
# mail_client_domain(client, role_prefix)
#
define(`mail_client_domain', `
# Common policy for a mail client domain.
# Argument 1: client prefix; the client runs as the <client>_t domain.
# Argument 2: user prefix; the owning user domain is <user>_t and the
#             per-user helper domains used below (lpr, gpg, mozilla, dbusd)
#             are named <user>_<helper>_t.
# All rules are additive. The ifdef sections only take effect when the
# named policy file (cups, lpr, gpg, mozilla, dbusd) is part of the build.
# Startup shellscripts
# read and execute programs under bin_t; this is exec without a domain
# transition, so such programs keep running inside the client domain
allow $1_t bin_t:dir r_dir_perms;
allow $1_t bin_t:lnk_file r_file_perms;
can_exec($1_t, bin_t)
# Allow netstat
# read proc_net_t and search the net sysctl directory tree
r_dir_file($1_t, proc_net_t)
allow $1_t sysctl_net_t:dir search;
# Allow DNS
can_resolve($1_t)
# NIS (ypbind) client access
can_ypbind($1_t)
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
# Outbound TCP client access is restricted to the listed port types; the
# name_connect rule is what actually permits connecting to those ports.
# NOTE(review): the list above mentions IMAP but no imap port type is
# granted here; confirm that pop_port_t covers the IMAP ports.
can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
# Allow printing the mail
ifdef(`cups.te',`
# read-only access to the cups configuration
allow $1_t cupsd_etc_t:dir r_dir_perms;
allow $1_t cupsd_rw_etc_t:file r_file_perms;
')
ifdef(`lpr.te', `
# running lpr_exec_t switches into the per-user lpr domain instead of
# staying in the client domain
domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
')
# Attachments
# read access to user content of the mail class (exact types are defined
# by read_content)
read_content($1_t, $2, mail)
# Save mail
# saved mail is written as untrusted user content, presumably so that
# other user domains treat it with the same caution as downloaded files
write_untrusted($1_t, $2)
# Encrypt mail
ifdef(`gpg.te', `
# gpg runs in the per-user gpg domain; the client may only signal it,
# it gets no other access to that domain
domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
allow $1_t $2_gpg_t:process signal;
')
# Start links in web browser
ifdef(`mozilla.te', `
# NOTE(review): shell_exec_t runs in the client domain itself (no
# transition), presumably for the mozilla wrapper script. This is a broad
# grant for a network-facing domain; confirm it is still required.
can_exec($1_t, shell_exec_t)
domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
')
ifdef(`dbusd.te', `
# the client talks to both the system bus and the per-user session bus
dbusd_client(system, $1)
allow $1_t system_dbusd_t:dbus send_msg;
dbusd_client($2, $1)
allow $1_t $2_dbusd_t:dbus send_msg;
ifdef(`cups.te', `
# cupsd may send messages back to the client over the bus
allow cupsd_t $1_t:dbus send_msg;
')
')
# Allow the user domain to signal/ps.
# the owning user domain can inspect and signal the client, not vice versa
can_ps($2_t, $1_t)
allow $2_t $1_t:process signal_perms;
')