#DESC uw-imapd-ssl server

#

# Author:  Ed Street <edstreet@street-tek.com>

# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)

# Depends: inetd.te

#

daemon_domain(imapd, `, auth_chkpwd, privhome')

tmp_domain(imapd)

can_network_server_tcp(imapd_t)

allow imapd_t port_type:tcp_socket name_connect;

#declare our own services

allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };

allow imapd_t pop_port_t:tcp_socket name_bind;

#declare this a socket from inetd

allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };

allow imapd_t self:unix_stream_socket create_socket_perms;

domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)

ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')

#friendly stuff we dont want to see :)

dontaudit imapd_t bin_t:dir search;

#read /etc/ for hostname nsswitch.conf

allow imapd_t etc_t:file { getattr read };

#socket i/o stuff

allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };

#read resolv.conf

allow imapd_t net_conf_t:file { getattr read };

#urandom, for ssl

allow imapd_t random_device_t:chr_file read;

allow imapd_t urandom_device_t:chr_file { read getattr };

allow imapd_t self:fifo_file rw_file_perms;

#mail directory

rw_dir_file(imapd_t, mail_spool_t)

#home directory

allow imapd_t home_root_t:dir search;

allow imapd_t self:file { read getattr };