policy_module(zarafa, 1.0.0)
########################################
#
# Declarations
#
attribute zarafa_domain;
zarafa_domain_template(monitor)
zarafa_domain_template(ical)
zarafa_domain_template(server)
zarafa_domain_template(spooler)
zarafa_domain_template(gateway)
zarafa_domain_template(deliver)
type zarafa_deliver_tmp_t;
files_tmp_file(zarafa_deliver_tmp_t)
type zarafa_etc_t;
files_config_file(zarafa_etc_t)
type zarafa_share_t;
files_type(zarafa_share_t)
permissive zarafa_server_t;
permissive zarafa_spooler_t;
permissive zarafa_gateway_t;
permissive zarafa_deliver_t;
permissive zarafa_ical_t;
permissive zarafa_monitor_t;
########################################
#
# zarafa-deliver local policy
#
manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
#temporary
#allow zarafa_deliver_t port_t:tcp_socket name_bind;
########################################
#
# zarafa_server local policy
#
allow zarafa_server_t self:capability { chown kill net_bind_service };
allow zarafa_server_t self:process { setrlimit signal };
corenet_tcp_bind_zarafa_port(zarafa_server_t)
files_read_usr_files(zarafa_server_t)
logging_send_syslog_msg(zarafa_server_t)
logging_send_audit_msgs(zarafa_server_t)
sysnet_dns_name_resolve(zarafa_server_t)
optional_policy(`
mysql_stream_connect(zarafa_server_t)
')
optional_policy(`
kerberos_use(zarafa_server_t)
')
########################################
#
# zarafa_spooler local policy
#
allow zarafa_spooler_t self:capability { chown kill };
allow zarafa_spooler_t self:process { signal };
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
########################################
#
# zarafa_gateway local policy
#
allow zarafa_gateway_t self:capability { chown kill };
allow zarafa_gateway_t self:process { setrlimit signal };
corenet_tcp_bind_pop_port(zarafa_gateway_t)
#######################################
#
# zarafa-ical local policy
#
allow zarafa_ical_t self:capability chown;
corenet_tcp_bind_http_cache_port(zarafa_ical_t)
######################################
#
# zarafa-monitor local policy
#
allow zarafa_monitor_t self:capability chown;
########################################
#
# zarafa domains local policy
#
# bad permission on /etc/zarafa
allow zarafa_domain self:capability { dac_override setgid setuid };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
kernel_read_system_state(zarafa_domain)
files_read_etc_files(zarafa_domain)
auth_use_nsswitch(zarafa_domain)
miscfiles_read_localization(zarafa_domain)
# temporary rules
optional_policy(`
apache_content_template(zarafa)
')