|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
# Evolution
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
################################################
|
|
Chris PeBenito |
2705f9 |
# evolution_common(app_prefix,role_prefix)
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
define(`evolution_common', `
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Gnome common stuff
|
|
Chris PeBenito |
2705f9 |
gnome_application($1, $2)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Stat root
|
|
Chris PeBenito |
2705f9 |
allow $1_t root_t:dir search;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Access null device
|
|
Chris PeBenito |
2705f9 |
allow $1_t null_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
|
Chris PeBenito |
2705f9 |
dontaudit $1_t $2_home_t:dir r_dir_perms;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
|
Chris PeBenito |
2705f9 |
# until properly implemented
|
|
Chris PeBenito |
2705f9 |
dontaudit $1_t $2_home_t:file r_file_perms;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
') dnl evolution_common
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
#######################################
|
|
Chris PeBenito |
2705f9 |
# evolution_data_server(role_prefix)
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
define(`evolution_data_server', `
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Type for daemon
|
|
Chris PeBenito |
2705f9 |
type $1_evolution_server_t, domain, nscd_client_domain;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Transition from user type
|
|
Chris PeBenito |
2705f9 |
if (! disable_evolution_trans) {
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
|
|
Chris PeBenito |
2705f9 |
}
|
|
Chris PeBenito |
2705f9 |
role $1_r types $1_evolution_server_t;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Evolution common stuff
|
|
Chris PeBenito |
2705f9 |
evolution_common($1_evolution_server, $1)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Access evolution home
|
|
Chris PeBenito |
2705f9 |
home_domain_access($1_evolution_server_t, $1, evolution)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Talks to exchange
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1_evolution_server, $1_evolution_exchange)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
can_exec($1_evolution_server_t, shell_exec_t)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Obtain weather data via http (read server name from xml file in /usr)
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_server_t usr_t:file r_file_perms;
|
|
Chris PeBenito |
2705f9 |
can_resolve($1_evolution_server_t)
|
|
Chris PeBenito |
2705f9 |
can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Talk to ldap (address book)
|
|
Chris PeBenito |
2705f9 |
can_network_client_tcp($1_evolution_server_t, ldap_port_t)
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Look in /etc/pki
|
|
Chris PeBenito |
a08248 |
r_dir_file($1_evolution_server_t, cert_t)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
') dnl evolution_data_server
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
#######################################
|
|
Chris PeBenito |
2705f9 |
# evolution_webcal(role_prefix)
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
define(`evolution_webcal', `
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Type for program
|
|
Chris PeBenito |
2705f9 |
type $1_evolution_webcal_t, domain, nscd_client_domain;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Transition from user type
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
|
|
Chris PeBenito |
2705f9 |
role $1_r types $1_evolution_webcal_t;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# X/evolution common stuff
|
|
Chris PeBenito |
2705f9 |
x_client_domain($1_evolution_webcal, $1)
|
|
Chris PeBenito |
2705f9 |
evolution_common($1_evolution_webcal, $1)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Search home directory (?)
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_webcal_t $1_home_dir_t:dir search;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Networking capability - connect to website and handle ics link
|
|
Chris PeBenito |
2705f9 |
# FIXME: is this necessary ?
|
|
Chris PeBenito |
2705f9 |
can_resolve($1_evolution_webcal_t);
|
|
Chris PeBenito |
2705f9 |
can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
') dnl evolution_webcal
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
#######################################
|
|
Chris PeBenito |
2705f9 |
# evolution_alarm(role_prefix)
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
define(`evolution_alarm', `
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Type for program
|
|
Chris PeBenito |
2705f9 |
type $1_evolution_alarm_t, domain, nscd_client_domain;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Transition from user type
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
|
|
Chris PeBenito |
2705f9 |
role $1_r types $1_evolution_alarm_t;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Common evolution stuff, X
|
|
Chris PeBenito |
2705f9 |
evolution_common($1_evolution_alarm, $1)
|
|
Chris PeBenito |
2705f9 |
x_client_domain($1_evolution_alarm, $1)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Connect to exchange, e-d-s
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1_evolution_alarm, $1_evolution_server)
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Access evolution home
|
|
Chris PeBenito |
2705f9 |
home_domain_access($1_evolution_alarm_t, $1, evolution)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
') dnl evolution_alarm
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
########################################
|
|
Chris PeBenito |
2705f9 |
# evolution_exchange(role_prefix)
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
define(`evolution_exchange', `
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Type for program
|
|
Chris PeBenito |
2705f9 |
type $1_evolution_exchange_t, domain, nscd_client_domain;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Transition from user type
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
|
|
Chris PeBenito |
2705f9 |
role $1_r types $1_evolution_exchange_t;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Common evolution stuff, X
|
|
Chris PeBenito |
2705f9 |
evolution_common($1_evolution_exchange, $1)
|
|
Chris PeBenito |
2705f9 |
x_client_domain($1_evolution_exchange, $1)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Access evolution home
|
|
Chris PeBenito |
2705f9 |
home_domain_access($1_evolution_exchange_t, $1, evolution)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# /tmp/.exchange-$USER
|
|
Chris PeBenito |
2705f9 |
tmp_domain($1_evolution_exchange)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Allow netstat
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_exchange_t bin_t:dir search;
|
|
Chris PeBenito |
2705f9 |
can_exec($1_evolution_exchange_t, bin_t)
|
|
Chris PeBenito |
2705f9 |
r_dir_file($1_evolution_exchange_t, proc_net_t)
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_exchange_t sysctl_net_t:dir search;
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Clock applet talks to exchange (FIXME: Needs policy)
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1, $1_evolution_exchange)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# FIXME: policy incomplete
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
') dnl evolution_exchange
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
#######################################
|
|
Chris PeBenito |
2705f9 |
# evolution_domain(role_prefix)
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
define(`evolution_domain', `
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Type for program
|
|
Chris PeBenito |
2705f9 |
type $1_evolution_t, domain, nscd_client_domain, privlog;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Transition from user type
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
|
|
Chris PeBenito |
2705f9 |
role $1_r types $1_evolution_t;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# X, mail, evolution common stuff
|
|
Chris PeBenito |
2705f9 |
x_client_domain($1_evolution, $1)
|
|
Chris PeBenito |
2705f9 |
mail_client_domain($1_evolution, $1)
|
|
Chris PeBenito |
2705f9 |
gnome_file_dialog($1_evolution, $1)
|
|
Chris PeBenito |
2705f9 |
evolution_common($1_evolution, $1)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Connect to e-d-s, exchange, alarm
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1_evolution, $1_evolution_server)
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1_evolution, $1_evolution_exchange)
|
|
Chris PeBenito |
2705f9 |
bonobo_connect($1_evolution, $1_evolution_alarm)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Access .evolution
|
|
Chris PeBenito |
2705f9 |
home_domain($1, evolution)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Store passwords in .gnome2_private
|
|
Chris PeBenito |
2705f9 |
gnome_private_store($1_evolution, $1)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Run various programs
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
### Junk mail filtering (start spamd)
|
|
Chris PeBenito |
2705f9 |
ifdef(`spamd.te', `
|
|
Chris PeBenito |
2705f9 |
# Start the spam daemon
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
|
|
Chris PeBenito |
2705f9 |
role $1_r types spamd_t;
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Write pid file and socket in ~/.evolution/cache/tmp
|
|
Chris PeBenito |
2705f9 |
file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Allow evolution to signal the daemon
|
|
Chris PeBenito |
2705f9 |
# FIXME: Now evolution can read spamd temp files
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_t spamd_tmp_t:file r_file_perms;
|
|
Chris PeBenito |
2705f9 |
allow $1_evolution_t spamd_t:process signal;
|
|
Chris PeBenito |
2705f9 |
dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
|
|
Chris PeBenito |
2705f9 |
') dnl spamd.te
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
### Junk mail filtering (start spamc)
|
|
Chris PeBenito |
2705f9 |
ifdef(`spamc.te', `
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
# Allow connection to spamd socket above
|
|
Chris PeBenito |
2705f9 |
allow $1_spamc_t $1_evolution_home_t:dir search;
|
|
Chris PeBenito |
2705f9 |
') dnl spamc.te
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
### Junk mail filtering (start spamassassin)
|
|
Chris PeBenito |
2705f9 |
ifdef(`spamassassin.te', `
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
|
|
Chris PeBenito |
2705f9 |
') dnl spamassasin.te
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
') dnl evolution_domain
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
#################################
|
|
Chris PeBenito |
2705f9 |
# evolution_domains(role_prefix)
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
define(`evolution_domains', `
|
|
Chris PeBenito |
2705f9 |
evolution_domain($1)
|
|
Chris PeBenito |
2705f9 |
evolution_data_server($1)
|
|
Chris PeBenito |
2705f9 |
evolution_webcal($1)
|
|
Chris PeBenito |
2705f9 |
evolution_alarm($1)
|
|
Chris PeBenito |
2705f9 |
evolution_exchange($1)
|
|
Chris PeBenito |
2705f9 |
') dnl end evolution_domains
|