#DESC Dovecot POP and IMAP servers

#

# Author:  Russell Coker <russell@coker.com.au>

# X-Debian-Packages: dovecot-imapd, dovecot-pop3d

#

# Main dovecot daemon

#

daemon_domain(dovecot, `, privhome')

etc_domain(dovecot);

allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;

can_exec(dovecot_t, dovecot_exec_t)

type dovecot_cert_t, file_type, sysadmfile;

type dovecot_passwd_t, file_type, sysadmfile;

type dovecot_spool_t, file_type, sysadmfile;

allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };

allow dovecot_t self:process setrlimit;

can_network_tcp(dovecot_t)

allow dovecot_t port_type:tcp_socket name_connect;

can_ypbind(dovecot_t)

allow dovecot_t self:unix_dgram_socket create_socket_perms;

allow dovecot_t self:unix_stream_socket create_stream_socket_perms;

can_unix_connect(dovecot_t, self)

allow dovecot_t etc_t:file { getattr read };

allow dovecot_t initrc_var_run_t:file getattr;

allow dovecot_t bin_t:dir { getattr search };

can_exec(dovecot_t, bin_t)

allow dovecot_t pop_port_t:tcp_socket name_bind;

allow dovecot_t urandom_device_t:chr_file { getattr read };

allow dovecot_t cert_t:dir search;

r_dir_file(dovecot_t, dovecot_cert_t)

r_dir_file(dovecot_t, cert_t)

allow dovecot_t { self proc_t }:file { getattr read };

allow dovecot_t self:fifo_file rw_file_perms;

can_kerberos(dovecot_t)

allow dovecot_t tmp_t:dir search;

rw_dir_create_file(dovecot_t, mail_spool_t)

create_dir_file(dovecot_t, dovecot_spool_t)

create_dir_file(mta_delivery_agent, dovecot_spool_t)

allow dovecot_t mail_spool_t:lnk_file read;

allow dovecot_t var_spool_t:dir { search };

#

# Dovecot auth daemon

#

daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')

can_ldap(dovecot_auth_t)

can_ypbind(dovecot_auth_t)

can_kerberos(dovecot_auth_t)

can_resolve(dovecot_auth_t)

allow dovecot_auth_t self:process { fork signal_perms };

allow dovecot_auth_t self:capability { setgid setuid };

allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };

allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;

allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;

allow dovecot_auth_t self:fifo_file rw_file_perms;

allow dovecot_auth_t urandom_device_t:chr_file { getattr read };

allow dovecot_auth_t etc_t:file { getattr read };

allow dovecot_auth_t { self proc_t }:file { getattr read };

read_locale(dovecot_auth_t)

read_sysctl(dovecot_auth_t)

allow dovecot_auth_t dovecot_passwd_t:file { getattr read };

dontaudit dovecot_auth_t selinux_config_t:dir search;