#DESC Courier - POP and IMAP servers
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: courier-base
#

# Type for files created during execution of courier.
type courier_var_run_t, file_type, sysadmfile, pidfile;
type courier_var_lib_t, file_type, sysadmfile;

type courier_etc_t, file_type, sysadmfile;

# allow start scripts to read the config
allow initrc_t courier_etc_t:file r_file_perms;

type courier_exec_t, file_type, sysadmfile, exec_type;
type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;

define(`courier_domain', `
#################################
#
# Rules for the courier_$1_t domain.
#
# courier_$1_exec_t is the type of the courier_$1 executables.
#
daemon_base_domain(courier_$1, `$2')

allow courier_$1_t var_run_t:dir search;
rw_dir_create_file(courier_$1_t, courier_var_run_t)
allow courier_$1_t courier_var_run_t:sock_file create_file_perms;

# allow it to read config files etc
allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
allow courier_$1_t courier_etc_t:file r_file_perms;
allow courier_$1_t etc_t:dir r_dir_perms;
allow courier_$1_t etc_t:file r_file_perms;

# execute scripts etc
allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
allow courier_$1_t bin_t:dir r_dir_perms;
allow courier_$1_t fs_t:filesystem getattr;

# set process group and allow permissions over-ride
allow courier_$1_t self:process setpgid;
allow courier_$1_t self:capability dac_override;

# Use the network.
can_network_server(courier_$1_t)
allow courier_$1_t self:fifo_file { read write getattr };
allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
allow courier_$1_t self:unix_dgram_socket create_socket_perms;

allow courier_$1_t null_device_t:chr_file rw_file_perms;

# allow it to log to /dev/tty
allow courier_$1_t devtty_t:chr_file rw_file_perms;

allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
allow courier_$1_t usr_t:dir r_dir_perms;
allow courier_$1_t root_t:dir r_dir_perms;
can_exec(courier_$1_t, courier_$1_exec_t)
can_exec(courier_$1_t, bin_t)
allow courier_$1_t bin_t:dir search;

allow courier_$1_t proc_t:dir r_dir_perms;
allow courier_$1_t proc_t:file r_file_perms;

')dnl

courier_domain(authdaemon, `, auth_chkpwd')
allow courier_authdaemon_t sbin_t:dir search;
allow courier_authdaemon_t lib_t:file { read getattr };
allow courier_authdaemon_t tmp_t:dir getattr;
allow courier_authdaemon_t self:file { getattr read };
read_locale(courier_authdaemon_t)
can_exec(courier_authdaemon_t, courier_exec_t)
dontaudit courier_authdaemon_t selinux_config_t:dir search;

# for SSP
allow courier_authdaemon_t urandom_device_t:chr_file read;

# should not be needed!
allow courier_authdaemon_t home_root_t:dir search;
allow courier_authdaemon_t user_home_dir_type:dir search;
dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
allow courier_authdaemon_t self:unix_stream_socket connectto;
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };

courier_domain(tcpd)
allow courier_tcpd_t self:capability { kill net_bind_service };
allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
allow courier_tcpd_t sbin_t:dir search;
allow courier_tcpd_t var_lib_t:dir search;
# for TLS
allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
read_locale(courier_tcpd_t)
can_exec(courier_tcpd_t, courier_exec_t)
allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;

can_tcp_connect(userdomain, courier_tcpd_t)
rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)

# domain for pop and imap
courier_domain(pop)
read_locale(courier_pop_t)
domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)

# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file { read write };

# do the actual work (read the Maildir)
# imap needs to write files
allow courier_pop_t home_root_t:dir { getattr search };
allow courier_pop_t user_home_dir_type:dir { getattr search };
# pop does not need to create subdirs, IMAP does
#rw_dir_create_file(courier_pop_t, user_home_type)
create_dir_file(courier_pop_t, user_home_type)

# for calendaring
courier_domain(pcp)

allow courier_pcp_t self:capability { setuid setgid };
allow courier_pcp_t random_device_t:chr_file r_file_perms;

# for webmail
courier_domain(sqwebmail)
ifdef(`crond.te', `
system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
')
read_sysctl(courier_sqwebmail_t)