policy_module(evolution, 2.1.2)
Chris PeBenito edf241
Chris PeBenito edf241
########################################
Chris PeBenito edf241
#
Chris PeBenito edf241
# Declarations
Chris PeBenito edf241
#
Chris PeBenito edf241
Chris PeBenito 296273
type evolution_t;
Chris PeBenito edf241
type evolution_exec_t;
Chris PeBenito 296273
typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
Chris PeBenito 296273
typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
Chris PeBenito 296273
application_domain(evolution_t, evolution_exec_t)
Chris PeBenito 296273
ubac_constrained(evolution_t)
Chris PeBenito edf241
Chris PeBenito 296273
type evolution_alarm_t;
Chris PeBenito edf241
type evolution_alarm_exec_t;
Chris PeBenito 296273
typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
Chris PeBenito 296273
typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
Chris PeBenito 296273
application_domain(evolution_alarm_t, evolution_alarm_exec_t)
Chris PeBenito 296273
ubac_constrained(evolution_alarm_t)
Chris PeBenito edf241
Chris PeBenito 296273
type evolution_alarm_tmpfs_t;
Chris PeBenito 296273
typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
Chris PeBenito 296273
typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
Chris PeBenito 296273
files_tmpfs_file(evolution_alarm_tmpfs_t)
Chris PeBenito 296273
ubac_constrained(evolution_alarm_tmpfs_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_alarm_orbit_tmp_t;
Chris PeBenito 296273
typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
Chris PeBenito 296273
typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
Chris PeBenito 296273
files_tmp_file(evolution_alarm_orbit_tmp_t)
Chris PeBenito 296273
ubac_constrained(evolution_alarm_orbit_tmp_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_exchange_t;
Chris PeBenito edf241
type evolution_exchange_exec_t;
Chris PeBenito 296273
typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
Chris PeBenito 296273
typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
Chris PeBenito 296273
application_domain(evolution_exchange_t, evolution_exchange_exec_t)
Chris PeBenito 296273
ubac_constrained(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_exchange_tmpfs_t;
Chris PeBenito 296273
typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
Chris PeBenito 296273
typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
Chris PeBenito 296273
files_tmpfs_file(evolution_exchange_tmpfs_t)
Chris PeBenito 296273
ubac_constrained(evolution_exchange_tmpfs_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_exchange_tmp_t;
Chris PeBenito 296273
typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
Chris PeBenito 296273
typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
Chris PeBenito 296273
files_tmp_file(evolution_exchange_tmp_t)
Chris PeBenito 296273
ubac_constrained(evolution_exchange_tmp_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_exchange_orbit_tmp_t;
Chris PeBenito 296273
typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
Chris PeBenito 296273
typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
Chris PeBenito 296273
files_tmp_file(evolution_exchange_orbit_tmp_t)
Chris PeBenito 296273
ubac_constrained(evolution_exchange_orbit_tmp_t)
Chris PeBenito edf241
Chris PeBenito 296273
type evolution_home_t;
Chris PeBenito 296273
typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
Chris PeBenito 296273
typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
Chris PeBenito 296273
userdom_user_home_content(evolution_home_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_orbit_tmp_t;
Chris PeBenito 296273
typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
Chris PeBenito 296273
typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
Chris PeBenito 296273
files_tmp_file(evolution_orbit_tmp_t)
Chris PeBenito 296273
ubac_constrained(evolution_orbit_tmp_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_server_t;
Chris PeBenito edf241
type evolution_server_exec_t;
Chris PeBenito 296273
typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
Chris PeBenito 296273
typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
Chris PeBenito 296273
application_domain(evolution_server_t, evolution_server_exec_t)
Chris PeBenito 296273
ubac_constrained(evolution_server_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_server_orbit_tmp_t;
Chris PeBenito 296273
typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
Chris PeBenito 296273
typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
Chris PeBenito 296273
files_tmp_file(evolution_server_orbit_tmp_t)
Chris PeBenito 296273
ubac_constrained(evolution_server_orbit_tmp_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_tmpfs_t;
Chris PeBenito 296273
typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
Chris PeBenito 296273
typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
Chris PeBenito 296273
files_tmpfs_file(evolution_tmpfs_t)
Chris PeBenito 296273
ubac_constrained(evolution_tmpfs_t)
Chris PeBenito edf241
Chris PeBenito 296273
type evolution_webcal_t;
Chris PeBenito edf241
type evolution_webcal_exec_t;
Chris PeBenito 296273
typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
Chris PeBenito 296273
typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
Chris PeBenito 296273
application_domain(evolution_webcal_t, evolution_webcal_exec_t)
Chris PeBenito 296273
ubac_constrained(evolution_webcal_t)
Chris PeBenito 296273
Chris PeBenito 296273
type evolution_webcal_tmpfs_t;
Chris PeBenito 296273
typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
Chris PeBenito 296273
typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
Chris PeBenito 296273
files_tmpfs_file(evolution_webcal_tmpfs_t)
Chris PeBenito 296273
ubac_constrained(evolution_webcal_tmpfs_t)
Chris PeBenito 296273
Chris PeBenito 296273
########################################
Chris PeBenito 296273
#
Chris PeBenito 296273
# Evolution local policy
Chris PeBenito 296273
#
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t self:capability { setuid setgid sys_nice };
Chris PeBenito 296273
allow evolution_t self:process { signal getsched setsched };
Chris PeBenito 296273
allow evolution_t self:fifo_file rw_file_perms;
Chris PeBenito 296273
allow evolution_t self:tcp_socket create_socket_perms;
Chris PeBenito 296273
allow evolution_t self:udp_socket create_socket_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_alarm_t:dir search_dir_perms;
Chris PeBenito 296273
allow evolution_t evolution_alarm_t:file read;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
can_exec(evolution_t, evolution_alarm_exec_t)
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_home_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_t evolution_home_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
userdom_search_user_home_dirs(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
Chris PeBenito 296273
files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
Chris PeBenito 296273
files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_server_t:dir search_dir_perms;
Chris PeBenito 296273
allow evolution_t evolution_server_t:file read;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_server_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
can_exec(evolution_t, evolution_server_exec_t)
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
Chris PeBenito 296273
allow evolution_t evolution_tmpfs_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
Chris PeBenito 296273
allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
Chris PeBenito 296273
fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
Chris PeBenito 296273
Chris PeBenito 296273
#FIXME check to see if really needed
Chris PeBenito 296273
kernel_read_kernel_sysctls(evolution_t)
Chris PeBenito 296273
kernel_read_system_state(evolution_t)
Chris PeBenito 296273
# Allow netstat
Chris PeBenito 296273
kernel_read_network_state(evolution_t)
Chris PeBenito 296273
kernel_read_net_sysctls(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
corecmd_exec_shell(evolution_t)
Chris PeBenito 296273
# Run various programs
Chris PeBenito 296273
corecmd_exec_bin(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
corenet_all_recvfrom_unlabeled(evolution_t)
Chris PeBenito 296273
corenet_all_recvfrom_netlabel(evolution_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_generic_if(evolution_t)
Chris PeBenito 296273
corenet_udp_sendrecv_generic_if(evolution_t)
Chris PeBenito 296273
corenet_raw_sendrecv_generic_if(evolution_t)
Chris PeBenito c12621
corenet_tcp_sendrecv_generic_node(evolution_t)
Chris PeBenito c12621
corenet_udp_sendrecv_generic_node(evolution_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_pop_port(evolution_t)
Chris PeBenito 296273
corenet_udp_sendrecv_pop_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_smtp_port(evolution_t)
Chris PeBenito 296273
corenet_udp_sendrecv_smtp_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_innd_port(evolution_t)
Chris PeBenito 296273
corenet_udp_sendrecv_innd_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_ldap_port(evolution_t)
Chris PeBenito 296273
corenet_udp_sendrecv_ldap_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_ipp_port(evolution_t)
Chris PeBenito 296273
corenet_udp_sendrecv_ipp_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_connect_pop_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_connect_smtp_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_connect_innd_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_connect_ldap_port(evolution_t)
Chris PeBenito 296273
corenet_tcp_connect_ipp_port(evolution_t)
Chris PeBenito 296273
corenet_sendrecv_pop_client_packets(evolution_t)
Chris PeBenito 296273
corenet_sendrecv_smtp_client_packets(evolution_t)
Chris PeBenito 296273
corenet_sendrecv_innd_client_packets(evolution_t)
Chris PeBenito 296273
corenet_sendrecv_ldap_client_packets(evolution_t)
Chris PeBenito 296273
corenet_sendrecv_ipp_client_packets(evolution_t)
Chris PeBenito 296273
# not sure about this bind
Chris PeBenito c12621
corenet_udp_bind_generic_node(evolution_t)
Chris PeBenito 296273
corenet_udp_bind_generic_port(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
dev_read_urand(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
domain_dontaudit_read_all_domains_state(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
files_read_etc_files(evolution_t)
Chris PeBenito 296273
files_read_usr_files(evolution_t)
Chris PeBenito 296273
files_read_usr_symlinks(evolution_t)
Chris PeBenito 296273
files_read_var_files(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
fs_search_auto_mountpoints(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
logging_send_syslog_msg(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
miscfiles_read_localization(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
sysnet_read_config(evolution_t)
Chris PeBenito 296273
sysnet_dns_name_resolve(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
udev_read_state(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
userdom_rw_user_tmp_files(evolution_t)
Chris PeBenito 296273
userdom_manage_user_tmp_dirs(evolution_t)
Chris PeBenito 296273
userdom_manage_user_tmp_sockets(evolution_t)
Chris PeBenito 296273
userdom_manage_user_tmp_files(evolution_t)
Chris PeBenito 296273
userdom_use_user_terminals(evolution_t)
Chris PeBenito 296273
# FIXME: suppress access to .local/.icons/.themes until properly implemented
Chris PeBenito 296273
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
Chris PeBenito 296273
# until properly implemented
Chris PeBenito 296273
userdom_dontaudit_read_user_home_content_files(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
mta_read_config(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
Chris PeBenito 296273
xserver_read_xdm_tmp_files(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`use_nfs_home_dirs',`
Chris PeBenito 296273
	fs_manage_nfs_dirs(evolution_t)
Chris PeBenito 296273
	fs_manage_nfs_files(evolution_t)
Chris PeBenito 296273
	fs_manage_nfs_symlinks(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`use_samba_home_dirs',`
Chris PeBenito 296273
	fs_manage_cifs_dirs(evolution_t)
Chris PeBenito 296273
	fs_manage_cifs_files(evolution_t)
Chris PeBenito 296273
	fs_manage_cifs_symlinks(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
Chris PeBenito 296273
	fs_list_auto_mountpoints(evolution_t)
Chris PeBenito 296273
	files_list_home(evolution_t)
Chris PeBenito 296273
	fs_read_nfs_files(evolution_t)
Chris PeBenito 296273
	fs_read_nfs_symlinks(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
',`
Chris PeBenito 296273
	files_dontaudit_list_home(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_list_auto_mountpoints(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_read_nfs_files(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_list_nfs(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`mail_read_content && use_samba_home_dirs',`
Chris PeBenito 296273
	fs_list_auto_mountpoints(evolution_t)
Chris PeBenito 296273
	files_list_home(evolution_t)
Chris PeBenito 296273
	fs_read_cifs_files(evolution_t)
Chris PeBenito 296273
	fs_read_cifs_symlinks(evolution_t)
Chris PeBenito 296273
',`
Chris PeBenito 296273
	files_dontaudit_list_home(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_list_auto_mountpoints(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_read_cifs_files(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_list_cifs(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`mail_read_content',`
Chris PeBenito 296273
	userdom_list_user_tmp(evolution_t)
Chris PeBenito 296273
	userdom_read_user_tmp_files(evolution_t)
Chris PeBenito 296273
	userdom_read_user_tmp_symlinks(evolution_t)
Chris PeBenito 296273
	userdom_read_user_home_content_files(evolution_t)
Chris PeBenito 296273
	userdom_read_user_home_content_symlinks(evolution_t)
Chris PeBenito 296273
Chris PeBenito 296273
	ifndef(`enable_mls',`
Chris PeBenito 296273
		fs_search_removable(evolution_t)
Chris PeBenito 296273
		fs_read_removable_files(evolution_t)
Chris PeBenito 296273
		fs_read_removable_symlinks(evolution_t)
Chris PeBenito 296273
	')
Chris PeBenito 296273
',`
Chris PeBenito 296273
	files_dontaudit_list_tmp(evolution_t)
Chris PeBenito 296273
	files_dontaudit_list_home(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_list_removable(evolution_t)
Chris PeBenito 296273
	fs_dontaudit_read_removable_files(evolution_t)
Chris PeBenito 296273
	userdom_dontaudit_list_user_tmp(evolution_t)
Chris PeBenito 296273
	userdom_dontaudit_read_user_tmp_files(evolution_t)
Chris PeBenito 296273
	userdom_dontaudit_list_user_home_dirs(evolution_t)
Chris PeBenito 296273
	userdom_dontaudit_read_user_home_content_files(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	automount_read_state(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
# Allow printing the mail
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	cups_read_rw_config(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	dbus_system_bus_client(evolution_t)
Chris PeBenito 296273
	dbus_session_bus_client(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	gnome_stream_connect_gconf(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
# Encrypt mail
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	gpg_domtrans(evolution_t)
Chris PeBenito 296273
	gpg_signal(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	lpd_domtrans_lpr(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	mozilla_read_user_home_files(evolution_t)
Chris PeBenito 296273
	mozilla_domtrans(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	nis_use_ypbind(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	nscd_socket_use(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
### Junk mail filtering (start spamd)
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	spamassassin_exec_spamd(evolution_t)
Chris PeBenito 296273
	spamassassin_domtrans_client(evolution_t)
Chris PeBenito 296273
	spamassassin_domtrans_local_client(evolution_t)
Chris PeBenito 296273
	# Allow evolution to signal the daemon
Chris PeBenito 296273
	# FIXME: Now evolution can read spamd temp files
Chris PeBenito 296273
	spamassassin_read_spamd_tmp_files(evolution_t)
Chris PeBenito 296273
	spamassassin_signal_spamd(evolution_t)
Chris PeBenito 296273
	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
########################################
Chris PeBenito 296273
#
Chris PeBenito 296273
# Evolution alarm local policy
Chris PeBenito 296273
#
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_alarm_t self:process { signal getsched };
Chris PeBenito 296273
allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
Chris PeBenito 296273
allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
Chris PeBenito 296273
allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
Chris PeBenito 296273
fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_alarm_t evolution_home_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
dev_read_urand(evolution_alarm_t)
Chris PeBenito 296273
Chris PeBenito 296273
files_read_etc_files(evolution_alarm_t)
Chris PeBenito 296273
files_read_usr_files(evolution_alarm_t)
Chris PeBenito 296273
Chris PeBenito 296273
fs_search_auto_mountpoints(evolution_alarm_t)
Chris PeBenito 296273
Chris PeBenito 296273
miscfiles_read_localization(evolution_alarm_t)
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
userdom_search_user_home_dirs(evolution_alarm_t)
Chris PeBenito 296273
# FIXME: suppress access to .local/.icons/.themes until properly implemented
Chris PeBenito 296273
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
Chris PeBenito 296273
# until properly implemented
Chris PeBenito 296273
userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
Chris PeBenito 296273
Chris PeBenito 296273
xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
tunable_policy(`use_nfs_home_dirs',`
Chris PeBenito 296273
	fs_manage_nfs_files(evolution_alarm_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`use_samba_home_dirs',`
Chris PeBenito 296273
	fs_manage_cifs_files(evolution_alarm_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	dbus_session_bus_client(evolution_alarm_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	gnome_stream_connect_gconf(evolution_alarm_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	nscd_socket_use(evolution_alarm_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
########################################
Chris PeBenito 296273
#
Chris PeBenito 296273
# Evolution exchange connector local policy
Chris PeBenito 296273
#
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_exchange_t self:process getsched;
Chris PeBenito 296273
allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_exchange_t self:tcp_socket create_socket_perms;
Chris PeBenito 296273
allow evolution_exchange_t self:udp_socket create_socket_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_home_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
# /tmp/.exchange-$USER
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
Chris PeBenito 296273
files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
Chris PeBenito 296273
allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
Chris PeBenito 296273
fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
Chris PeBenito 296273
Chris PeBenito 296273
kernel_read_network_state(evolution_exchange_t)
Chris PeBenito 296273
kernel_read_net_sysctls(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
# Allow netstat
Chris PeBenito 296273
corecmd_exec_bin(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
dev_read_urand(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
files_read_etc_files(evolution_exchange_t)
Chris PeBenito 296273
files_read_usr_files(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
fs_search_auto_mountpoints(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
miscfiles_read_localization(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 296273
userdom_write_user_tmp_sockets(evolution_exchange_t)
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
userdom_search_user_home_dirs(evolution_exchange_t)
Chris PeBenito 296273
# FIXME: suppress access to .local/.icons/.themes until properly implemented
Chris PeBenito 296273
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
Chris PeBenito 296273
# until properly implemented
Chris PeBenito 296273
userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
Chris PeBenito 296273
Chris PeBenito 3f67f7
xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
tunable_policy(`use_nfs_home_dirs',`
Chris PeBenito 296273
	fs_manage_nfs_files(evolution_exchange_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
tunable_policy(`use_samba_home_dirs',`
Chris PeBenito 296273
	fs_manage_cifs_files(evolution_exchange_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	gnome_stream_connect_gconf(evolution_exchange_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
optional_policy(`
Chris PeBenito 296273
	nscd_socket_use(evolution_exchange_t)
Chris PeBenito 296273
')
Chris PeBenito 296273
Chris PeBenito 296273
########################################
Chris PeBenito 296273
#
Chris PeBenito 296273
# Evolution data server local policy
Chris PeBenito 296273
#
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_server_t self:process { getsched signal };
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_server_t self:fifo_file { read write };
Chris PeBenito 296273
allow evolution_server_t self:unix_stream_socket { accept connectto };
Chris PeBenito 296273
# Talk to ldap (address book),
Chris PeBenito 296273
# Obtain weather data via http (read server name from xml file in /usr)
Chris PeBenito 296273
allow evolution_server_t self:tcp_socket create_socket_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_server_t evolution_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
# Access evolution home
Chris PeBenito 296273
allow evolution_server_t evolution_home_t:dir manage_dir_perms;
Chris PeBenito 296273
allow evolution_server_t evolution_home_t:file manage_file_perms;
Chris PeBenito 296273
allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
Chris PeBenito 296273
Chris PeBenito 296273
allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
Chris PeBenito 296273
allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
Chris PeBenito 296273
Chris PeBenito 296273
kernel_read_system_state(evolution_server_t)
Chris PeBenito 296273
Chris PeBenito 296273
corecmd_exec_shell(evolution_server_t)
Chris PeBenito 296273
Chris PeBenito 296273
# Obtain weather data via http (read server name from xml file in /usr)
Chris PeBenito 296273
corenet_all_recvfrom_unlabeled(evolution_server_t)
Chris PeBenito 296273
corenet_all_recvfrom_netlabel(evolution_server_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_generic_if(evolution_server_t)
Chris PeBenito c12621
corenet_tcp_sendrecv_generic_node(evolution_server_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_http_port(evolution_server_t)
Chris PeBenito 296273
corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
Chris PeBenito 296273
corenet_tcp_connect_http_cache_port(evolution_server_t)
Chris PeBenito 296273
corenet_tcp_connect_http_port(evolution_server_t)
Chris PeBenito 296273
corenet_sendrecv_http_client_packets(evolution_server_t)
Chris PeBenito 296273
corenet_sendrecv_http_cache_client_packets(evolution_server_t)
Chris PeBenito 296273
Chris PeBenito 296273
dev_read_urand(evolution_server_t)
files_read_etc_files(evolution_server_t)
# Read the weather server name from an XML file under /usr
files_read_usr_files(evolution_server_t)
fs_search_auto_mountpoints(evolution_server_t)
miscfiles_read_localization(evolution_server_t)
# Read the generic system certificate store (e.g. /etc/pki)
miscfiles_read_generic_certs(evolution_server_t)
# Network configuration, DNS resolution and LDAP client access (address book lookups)
sysnet_read_config(evolution_server_t)
sysnet_dns_name_resolve(evolution_server_t)
sysnet_use_ldap(evolution_server_t)
# Search user home directories to reach the evolution home content managed above
userdom_search_user_home_dirs(evolution_server_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
# dontaudit only: silences the denial noise for these reads, it does not grant them.
userdom_dontaudit_read_user_home_content_files(evolution_server_t)
# Access evolution home when home directories live on NFS or CIFS. Each grant is gated by its tunable; note that they give manage access to all NFS/CIFS-labelled files, not only evolution's own.
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_files(evolution_server_t)
')
tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_files(evolution_server_t)
')
optional_policy(`
	gnome_stream_connect_gconf(evolution_server_t)
')
optional_policy(`
	nscd_socket_use(evolution_server_t)
')
########################################
#
# Evolution webcal local policy
#
# TCP client socket only; this is what the http/http_cache port connections
# granted further down are made on.
allow evolution_webcal_t self:tcp_socket create_socket_perms;
# Private tmpfs objects for evolution-webcal (the same type is handed to the X server template below)
allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
# Objects this domain creates on tmpfs are labelled evolution_webcal_tmpfs_t
# rather than the generic tmpfs type, keeping them private to this domain.
fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
corenet_all_recvfrom_unlabeled(evolution_webcal_t)
corenet_all_recvfrom_netlabel(evolution_webcal_t)
corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
# NOTE(review): raw IP send/receive on generic interfaces (and on generic
# nodes two lines down), yet the only socket class this section grants on
# self is tcp_socket -- no rawip_socket permission is visible here. Unless a
# rule elsewhere supplies it, these raw grants are unused; verify and drop them
# to keep the domain at least privilege.
corenet_raw_sendrecv_generic_if(evolution_webcal_t)
corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
corenet_raw_sendrecv_generic_node(evolution_webcal_t)
corenet_tcp_sendrecv_http_port(evolution_webcal_t)
corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
corenet_tcp_connect_http_cache_port(evolution_webcal_t)
corenet_tcp_connect_http_port(evolution_webcal_t)
corenet_sendrecv_http_client_packets(evolution_webcal_t)
corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
# Network configuration and DNS resolution, needed to reach the web site hosting the .ics calendar link
sysnet_read_config(evolution_webcal_t)
sysnet_dns_name_resolve(evolution_webcal_t)
# Search user home directories (original rationale undocumented; confirm this is still required)
userdom_search_user_home_dirs(evolution_webcal_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
# dontaudit only: silences the denial noise for these reads, it does not grant them.
userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
# Make evolution-webcal an X client domain; its X-related tmpfs objects use
# evolution_webcal_tmpfs_t (the exact rules come from the xserver module's template).
xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
optional_policy(`
	nscd_socket_use(evolution_webcal_t)
')