Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
# Evolution   
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
################################################
Chris PeBenito 2705f9
# evolution_common(app_prefix,role_prefix)
Chris PeBenito 2705f9
# 
Chris PeBenito 2705f9
define(`evolution_common', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Gnome common stuff
Chris PeBenito 2705f9
gnome_application($1, $2)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Stat root
Chris PeBenito 2705f9
allow $1_t root_t:dir search;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Access null device 
Chris PeBenito 2705f9
allow $1_t null_device_t:chr_file rw_file_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# FIXME: suppress access to .local/.icons/.themes until properly implemented
Chris PeBenito 2705f9
dontaudit $1_t $2_home_t:dir r_dir_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
Chris PeBenito 2705f9
# until properly implemented
Chris PeBenito 2705f9
dontaudit $1_t $2_home_t:file r_file_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
') dnl evolution_common
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#######################################
Chris PeBenito 2705f9
# evolution_data_server(role_prefix) 
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
define(`evolution_data_server', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Type for daemon
Chris PeBenito 2705f9
type $1_evolution_server_t, domain, nscd_client_domain;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Transition from user type
Chris PeBenito 2705f9
if (! disable_evolution_trans) {
Chris PeBenito 2705f9
domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
Chris PeBenito 2705f9
}
Chris PeBenito 2705f9
role $1_r types $1_evolution_server_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Evolution common stuff
Chris PeBenito 2705f9
evolution_common($1_evolution_server, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Access evolution home
Chris PeBenito 2705f9
home_domain_access($1_evolution_server_t, $1, evolution)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Talks to exchange
Chris PeBenito 2705f9
bonobo_connect($1_evolution_server, $1_evolution_exchange)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
can_exec($1_evolution_server_t, shell_exec_t)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Obtain weather data via http (read server name from xml file in /usr)
Chris PeBenito 2705f9
allow $1_evolution_server_t usr_t:file r_file_perms;
Chris PeBenito 2705f9
can_resolve($1_evolution_server_t)
Chris PeBenito 2705f9
can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
Chris PeBenito 2705f9
allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Talk to ldap (address book)
Chris PeBenito 2705f9
can_network_client_tcp($1_evolution_server_t, ldap_port_t)
Chris PeBenito 2705f9
allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Look in /etc/pki
Chris PeBenito a08248
r_dir_file($1_evolution_server_t, cert_t)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
') dnl evolution_data_server
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#######################################
Chris PeBenito 2705f9
# evolution_webcal(role_prefix)
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
define(`evolution_webcal', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Type for program
Chris PeBenito 2705f9
type $1_evolution_webcal_t, domain, nscd_client_domain;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Transition from user type
Chris PeBenito 2705f9
domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
Chris PeBenito 2705f9
role $1_r types $1_evolution_webcal_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# X/evolution common stuff
Chris PeBenito 2705f9
x_client_domain($1_evolution_webcal, $1)
Chris PeBenito 2705f9
evolution_common($1_evolution_webcal, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Search home directory (?)
Chris PeBenito 2705f9
allow $1_evolution_webcal_t $1_home_dir_t:dir search;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Networking capability - connect to website and handle ics link
Chris PeBenito 2705f9
# FIXME: is this necessary ?
Chris PeBenito 2705f9
can_resolve($1_evolution_webcal_t);
Chris PeBenito 2705f9
can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
Chris PeBenito 2705f9
allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
Chris PeBenito 2705f9
  
Chris PeBenito 2705f9
') dnl evolution_webcal
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#######################################
Chris PeBenito 2705f9
# evolution_alarm(role_prefix)
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
define(`evolution_alarm', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Type for program
Chris PeBenito 2705f9
type $1_evolution_alarm_t, domain, nscd_client_domain;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Transition from user type
Chris PeBenito 2705f9
domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
Chris PeBenito 2705f9
role $1_r types $1_evolution_alarm_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Common evolution stuff, X
Chris PeBenito 2705f9
evolution_common($1_evolution_alarm, $1)
Chris PeBenito 2705f9
x_client_domain($1_evolution_alarm, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Connect to exchange, e-d-s
Chris PeBenito 2705f9
bonobo_connect($1_evolution_alarm, $1_evolution_server) 
Chris PeBenito 2705f9
bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Access evolution home
Chris PeBenito 2705f9
home_domain_access($1_evolution_alarm_t, $1, evolution)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
') dnl evolution_alarm
Chris PeBenito 2705f9
Chris PeBenito 2705f9
########################################
Chris PeBenito 2705f9
# evolution_exchange(role_prefix)
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
define(`evolution_exchange', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Type for program
Chris PeBenito 2705f9
type $1_evolution_exchange_t, domain, nscd_client_domain;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Transition from user type
Chris PeBenito 2705f9
domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
Chris PeBenito 2705f9
role $1_r types $1_evolution_exchange_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Common evolution stuff, X
Chris PeBenito 2705f9
evolution_common($1_evolution_exchange, $1)
Chris PeBenito 2705f9
x_client_domain($1_evolution_exchange, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Access evolution home
Chris PeBenito 2705f9
home_domain_access($1_evolution_exchange_t, $1, evolution)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# /tmp/.exchange-$USER
Chris PeBenito 2705f9
tmp_domain($1_evolution_exchange)
Chris PeBenito 2705f9
 
Chris PeBenito 2705f9
# Allow netstat
Chris PeBenito 2705f9
allow $1_evolution_exchange_t bin_t:dir search; 
Chris PeBenito 2705f9
can_exec($1_evolution_exchange_t, bin_t)
Chris PeBenito 2705f9
r_dir_file($1_evolution_exchange_t, proc_net_t)
Chris PeBenito 2705f9
allow $1_evolution_exchange_t sysctl_net_t:dir search;
Chris PeBenito 2705f9
allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Clock applet talks to exchange (FIXME: Needs policy)
Chris PeBenito 2705f9
bonobo_connect($1, $1_evolution_exchange)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# FIXME: policy incomplete
Chris PeBenito 2705f9
Chris PeBenito 2705f9
') dnl evolution_exchange
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#######################################
Chris PeBenito 2705f9
# evolution_domain(role_prefix)
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
define(`evolution_domain', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Type for program
Chris PeBenito 2705f9
type $1_evolution_t, domain, nscd_client_domain, privlog; 
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Transition from user type
Chris PeBenito 2705f9
domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
Chris PeBenito 2705f9
role $1_r types $1_evolution_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# X, mail, evolution common stuff 
Chris PeBenito 2705f9
x_client_domain($1_evolution, $1)
Chris PeBenito 2705f9
mail_client_domain($1_evolution, $1)
Chris PeBenito 2705f9
gnome_file_dialog($1_evolution, $1)
Chris PeBenito 2705f9
evolution_common($1_evolution, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Connect to e-d-s, exchange, alarm
Chris PeBenito 2705f9
bonobo_connect($1_evolution, $1_evolution_server)
Chris PeBenito 2705f9
bonobo_connect($1_evolution, $1_evolution_exchange)
Chris PeBenito 2705f9
bonobo_connect($1_evolution, $1_evolution_alarm)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Access .evolution
Chris PeBenito 2705f9
home_domain($1, evolution)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Store passwords in .gnome2_private
Chris PeBenito 2705f9
gnome_private_store($1_evolution, $1) 
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Run various programs
Chris PeBenito 2705f9
allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
Chris PeBenito 2705f9
allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
### Junk mail filtering (start spamd)
Chris PeBenito 2705f9
ifdef(`spamd.te', `
Chris PeBenito 2705f9
# Start the spam daemon
Chris PeBenito 2705f9
domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
Chris PeBenito 2705f9
role $1_r types spamd_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Write pid file and socket in ~/.evolution/cache/tmp
Chris PeBenito 2705f9
file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Allow evolution to signal the daemon
Chris PeBenito 2705f9
# FIXME: Now evolution can read spamd temp files
Chris PeBenito 2705f9
allow $1_evolution_t spamd_tmp_t:file r_file_perms;
Chris PeBenito 2705f9
allow $1_evolution_t spamd_t:process signal;
Chris PeBenito 2705f9
dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
Chris PeBenito 2705f9
') dnl spamd.te
Chris PeBenito 2705f9
Chris PeBenito 2705f9
### Junk mail filtering (start spamc)
Chris PeBenito 2705f9
ifdef(`spamc.te', `
Chris PeBenito 2705f9
domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Allow connection to spamd socket above
Chris PeBenito 2705f9
allow $1_spamc_t $1_evolution_home_t:dir search;
Chris PeBenito 2705f9
') dnl spamc.te
Chris PeBenito 2705f9
Chris PeBenito 2705f9
### Junk mail filtering (start spamassassin) 
Chris PeBenito 2705f9
ifdef(`spamassassin.te', `
Chris PeBenito 2705f9
domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
Chris PeBenito 2705f9
') dnl spamassasin.te
Chris PeBenito 2705f9
Chris PeBenito 2705f9
') dnl evolution_domain
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#################################
Chris PeBenito 2705f9
#  evolution_domains(role_prefix) 
Chris PeBenito 2705f9
Chris PeBenito 2705f9
define(`evolution_domains', `
Chris PeBenito 2705f9
evolution_domain($1)
Chris PeBenito 2705f9
evolution_data_server($1)
Chris PeBenito 2705f9
evolution_webcal($1)
Chris PeBenito 2705f9
evolution_alarm($1)
Chris PeBenito 2705f9
evolution_exchange($1)
Chris PeBenito 2705f9
') dnl end evolution_domains