nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1d8333d7a7
selinux-refpolicy/policy/modules/services/dovecot.te
Topi Miettinen 1d8333d7a7
Remove unlabeled packet access 
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00

379 lines
11 KiB
Plaintext
Raw Blame History

policy_module(dovecot, 1.24.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether dovecot can connect to
## databases.
## </p>
## </desc>
gen_tunable(dovecot_can_connect_db, false)
attribute dovecot_domain;
type dovecot_t, dovecot_domain;
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
type dovecot_auth_t, dovecot_domain;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
miscfiles_cert_type(dovecot_cert_t)
type dovecot_deliver_t, dovecot_domain;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
type dovecot_deliver_tmp_t;
files_tmp_file(dovecot_deliver_tmp_t)
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)
type dovecot_keytab_t;
files_type(dovecot_keytab_t)
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_runtime_t alias dovecot_var_run_t;
files_pid_file(dovecot_runtime_t)
type dovecot_spool_t;
files_type(dovecot_spool_t)
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
type dovecot_var_log_t;
logging_log_file(dovecot_var_log_t)
########################################
#
# Common local policy
#
allow dovecot_domain self:capability2 block_suspend;
allow dovecot_domain self:fifo_file rw_fifo_file_perms;
allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
allow dovecot_domain dovecot_etc_t:file read_file_perms;
allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
kernel_read_all_sysctls(dovecot_domain)
kernel_read_system_state(dovecot_domain)
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
files_read_etc_runtime_files(dovecot_domain)
logging_send_syslog_msg(dovecot_domain)
miscfiles_read_localization(dovecot_domain)
########################################
#
# Local policy
#
allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
allow dovecot_t self:unix_stream_socket { accept connectto listen };
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
allow dovecot_t dovecot_cert_t:file read_file_perms;
allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
allow dovecot_t dovecot_keytab_t:file read_file_perms;
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_dirs_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
manage_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
manage_lnk_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
manage_sock_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
manage_fifo_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
files_pid_filetrans(dovecot_t, dovecot_runtime_t, { dir file fifo_file })
can_exec(dovecot_t, dovecot_exec_t)
allow dovecot_t dovecot_auth_t:process signal;
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_sendrecv_lmtp_server_packets(dovecot_t)
corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_sendrecv_mail_server_packets(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_sendrecv_sieve_server_packets(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
domain_use_interactive_fds(dovecot_t)
files_read_var_lib_files(dovecot_t)
files_read_var_symlinks(dovecot_t)
files_search_spool(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
files_list_usr(dovecot_t)
files_read_usr_files(dovecot_t)
fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
fs_read_tmpfs_symlinks(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
init_getattr_utmp(dovecot_t)
auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_generic_tls_privkey(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_use_user_terminals(dovecot_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(dovecot_t)
fs_manage_nfs_files(dovecot_t)
fs_manage_nfs_symlinks(dovecot_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(dovecot_t)
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
optional_policy(`
kerberos_manage_host_rcache(dovecot_t)
kerberos_read_keytab(dovecot_t)
kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
kerberos_use(dovecot_t)
')
optional_policy(`
mta_manage_spool(dovecot_t)
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
')
optional_policy(`
postgresql_stream_connect(dovecot_t)
')
optional_policy(`
postfix_manage_private_sockets(dovecot_t)
postfix_search_spool(dovecot_t)
')
optional_policy(`
sendmail_domtrans(dovecot_t)
')
optional_policy(`
seutil_sigchld_newrole(dovecot_t)
')
optional_policy(`
squid_dontaudit_search_cache(dovecot_t)
')
optional_policy(`
udev_read_db(dovecot_t)
')
########################################
#
# Auth local policy
#
allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_runtime_t:dir list_dir_perms;
allow dovecot_auth_t dovecot_runtime_t:file manage_file_perms;
allow dovecot_auth_t dovecot_runtime_t:fifo_file write_fifo_file_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
selinux_get_enforce_mode(dovecot_auth_t)
selinux_get_fs_mount(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
fs_search_tmpfs(dovecot_auth_t)
fs_read_tmpfs_symlinks(dovecot_auth_t)
init_rw_utmp(dovecot_auth_t)
init_rw_inherited_stream_socket(dovecot_auth_t)
init_use_fds(dovecot_auth_t)
logging_send_audit_msgs(dovecot_auth_t)
seutil_search_default_contexts(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
tunable_policy(`dovecot_can_connect_db',`
corenet_sendrecv_gds_db_client_packets(dovecot_auth_t)
corenet_tcp_connect_gds_db_port(dovecot_auth_t)
corenet_sendrecv_mssql_client_packets(dovecot_auth_t)
corenet_tcp_connect_mssql_port(dovecot_auth_t)
corenet_sendrecv_oracledb_client_packets(dovecot_auth_t)
corenet_tcp_connect_oracledb_port(dovecot_auth_t)
')
optional_policy(`
tunable_policy(`dovecot_can_connect_db',`
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
')
')
optional_policy(`
nis_authenticate(dovecot_auth_t)
')
optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
postfix_search_spool(dovecot_auth_t)
')
optional_policy(`
postgresql_unpriv_client(dovecot_auth_t)
tunable_policy(`dovecot_can_connect_db',`
postgresql_stream_connect(dovecot_auth_t)
postgresql_tcp_connect(dovecot_auth_t)
')
')
optional_policy(`
userdom_list_user_tmp(dovecot_auth_t)
userdom_read_user_tmp_files(dovecot_auth_t)
userdom_read_user_tmp_symlinks(dovecot_auth_t)
')
########################################
#
# Deliver local policy
#
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_runtime_t:dir list_dir_perms;
allow dovecot_deliver_t dovecot_runtime_t:file read_file_perms;
allow dovecot_deliver_t dovecot_runtime_t:sock_file read_sock_file_perms;
stream_connect_pattern(dovecot_deliver_t, dovecot_runtime_t, dovecot_runtime_t, { dovecot_t dovecot_auth_t })
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
allow dovecot_deliver_t dovecot_t:process signull;
fs_getattr_all_fs(dovecot_deliver_t)
auth_use_nsswitch(dovecot_deliver_t)
logging_search_logs(dovecot_deliver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(dovecot_deliver_t)
fs_manage_nfs_files(dovecot_deliver_t)
fs_manage_nfs_symlinks(dovecot_deliver_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(dovecot_deliver_t)
fs_manage_cifs_files(dovecot_deliver_t)
fs_manage_cifs_symlinks(dovecot_deliver_t)
')
optional_policy(`
mta_mailserver_delivery(dovecot_deliver_t)
mta_read_queue(dovecot_deliver_t)
')
optional_policy(`
postfix_use_fds_master(dovecot_deliver_t)
')
optional_policy(`
sendmail_domtrans(dovecot_deliver_t)
')
Reference in New Issue View Git Blame Copy Permalink