#
# Shared macro for mail clients
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
########################################
# mail_client_domain(client, role_prefix)
# client      - domain prefix of the mail client; the rules below apply to client_t
# role_prefix - prefix of the user role the client runs in (e.g. user, staff); used
#               to reach the per-role user domain and helper domains such as
#               role_prefix_gpg_t, role_prefix_mozilla_t, role_prefix_dbusd_t
#
define(`mail_client_domain', `

# Startup shellscripts
# NOTE(review): can_exec on bin_t lets the client run any binary labeled bin_t,
# not just its own startup scripts. For a network-facing parser of untrusted
# attachments this is a large execution surface; a dedicated type for the
# startup scripts would confine it further.
allow $1_t bin_t:dir r_dir_perms;
allow $1_t bin_t:lnk_file r_file_perms;
can_exec($1_t, bin_t)
# Allow netstat (reads /proc/net and searches the net sysctl tree)
r_dir_file($1_t, proc_net_t)
allow $1_t sysctl_net_t:dir search;

# Allow DNS
can_resolve($1_t)

# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
# NIS lookups (ypbind) for user/host resolution.
can_ypbind($1_t)
# Outbound TCP only; no listening sockets are granted here. The explicit
# name_connect rule below covers kernels that check the name_connect
# permission separately from what can_network_client_tcp grants.
# NOTE(review): no imap_port_t appears in this set; presumably pop_port_t
# covers the IMAP ports in the port contexts - confirm against net_contexts.
can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;

# Allow printing the mail
# Read-only access to the cups configuration; no write to cupsd state.
ifdef(`cups.te',`
allow $1_t cupsd_etc_t:dir r_dir_perms;
allow $1_t cupsd_rw_etc_t:file r_file_perms;
')
# lpr runs in the per-role lpr domain rather than in the mail client domain.
ifdef(`lpr.te', `
domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
')

# Attachments
# Read access to user content of class mail for the given role.
read_content($1_t, $2, mail)

# Save mail
# Saved mail is written as untrusted content for the role, so files the client
# produces from network data do not land in fully trusted user content.
write_untrusted($1_t, $2)

# Encrypt mail
# gpg runs in the per-role gpg domain; the client may only signal it (not kill
# or ptrace), which keeps key material out of the client domain.
ifdef(`gpg.te', `
domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
allow $1_t $2_gpg_t:process signal;
')

# Start links in web browser
# NOTE(review): shell_exec_t is granted here so the browser launcher script can
# run, but it also lets a compromised client execute arbitrary shell scripts in
# its own domain. If the launcher can be labeled separately, prefer that.
ifdef(`mozilla.te', `
can_exec($1_t, shell_exec_t)
domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
')
# D-Bus: the client may send to both the system bus and the per-role session
# bus. The cupsd -> client rule only exists when both dbusd.te and cups.te are
# built, since it is nested inside the dbusd block.
ifdef(`dbusd.te', `
dbusd_client(system, $1)
allow $1_t system_dbusd_t:dbus send_msg;
dbusd_client($2, $1)
allow $1_t $2_dbusd_t:dbus send_msg;
ifdef(`cups.te', `
allow cupsd_t $1_t:dbus send_msg;
')
')
# Allow the user domain to signal/ps.
# One-directional: the user domain ($2_t) may inspect and signal the client,
# the client gets no corresponding rights over the user domain.
can_ps($2_t, $1_t)
allow $2_t $1_t:process signal_perms;

')