#
# Shared macro for mail clients
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
########################################
# mail_client_domain(client, role_prefix)
#
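# Grants a mail client domain the access it needs to fetch, send, print,
# save and encrypt mail, and to open links in a browser.
#
# Parameters:
#   1: client name; rules are written against the domain type formed by
#      appending _t to it.
#   2: role prefix; selects the per-role user, lpr, gpg, mozilla and dbusd
#      domain types referenced in the body.
#
# The blame-annotation lines that were interleaved with the listing are
# dropped here; left inside the quoted body they would be expanded as
# policy text.
define(`mail_client_domain', `

# Startup shellscripts: read bin_t directories and links, execute bin_t files.
# NOTE(review): can_exec is defined elsewhere; presumably the program keeps
# running in the mail client domain (no transition), so it holds every
# permission granted in this macro - confirm against the macro definition.
allow $1_t bin_t:dir r_dir_perms;
allow $1_t bin_t:lnk_file r_file_perms;
can_exec($1_t, bin_t)
# Allow netstat: read files labelled proc_net_t and search sysctl_net_t
# directories.
r_dir_file($1_t, proc_net_t)
allow $1_t sysctl_net_t:dir search;

# Allow DNS
can_resolve($1_t)

# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
# NOTE(review): can_ypbind is defined elsewhere; presumably it adds NIS
# binding, which is wider than the port list below - confirm it is needed.
can_ypbind($1_t)
# name_connect is granted here only for the listed port types (other macros
# in this body may add more). Keep the port list identical in both rules
# when adding or removing a protocol.
can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;

# Allow printing the mail
ifdef(`cups.te',`
# CUPS configuration types get r_dir_perms and r_file_perms only; no write
# rule is given here.
allow $1_t cupsd_etc_t:dir r_dir_perms;
allow $1_t cupsd_rw_etc_t:file r_file_perms;
')
ifdef(`lpr.te', `
# Executing lpr_exec_t moves to the per-role lpr domain (per the macro name;
# its definition is elsewhere), so printing does not run as the mail client.
domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
')

# Attachments
# NOTE(review): read_content and write_untrusted are defined elsewhere; this
# file does not show which file types they cover. Review them together, since
# they bound what a compromised mail client could read or overwrite.
read_content($1_t, $2, mail)

# Save mail
write_untrusted($1_t, $2)

# Encrypt mail
ifdef(`gpg.te', `
# gpg runs in its own per-role domain; the only direct rule on that domain
# here is process signal.
domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
allow $1_t $2_gpg_t:process signal;
')

# Start links in web browser
ifdef(`mozilla.te', `
# NOTE(review): shell_exec_t goes through can_exec, so presumably the shell
# stays in the mail client domain; only mozilla_exec_t triggers a transition.
# Confirm the shell is needed just to launch the browser.
can_exec($1_t, shell_exec_t)
domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
')

# D-Bus: client of the system bus and of the per-role bus daemon.
ifdef(`dbusd.te', `
dbusd_client(system, $1)
allow $1_t system_dbusd_t:dbus send_msg;
dbusd_client($2, $1)
allow $1_t $2_dbusd_t:dbus send_msg;
ifdef(`cups.te', `
# Reverse direction: cupsd may send D-Bus messages to the mail client.
allow cupsd_t $1_t:dbus send_msg;
')
')

# Allow the user domain to signal/ps.
can_ps($2_t, $1_t)
allow $2_t $1_t:process signal_perms;

')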