selinux-policy/refpolicy/policy/modules/services/amavis.te


policy_module(amavis,1.0.0)

########################################
#
# Declarations
#

type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files
type amavis_etc_t;
files_type(amavis_etc_t)

# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

########################################
#
# amavis local policy
#

allow amavis_t self:capability { chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };

# configuration files
allow amavis_t amavis_etc_t:dir r_dir_perms;
allow amavis_t amavis_etc_t:file r_file_perms;
allow amavis_t amavis_etc_t:lnk_file { getattr read };

# mail quarantine
allow amavis_t amavis_quarantine_t:file create_file_perms;
allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
allow amavis_t amavis_quarantine_t:dir create_dir_perms;

# tmp files
allow amavis_t amavis_tmp_t:file create_file_perms;
allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)

# var/lib files for amavis
allow amavis_t amavis_var_lib_t:file create_file_perms;
allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
allow amavis_t amavis_var_lib_t:dir create_dir_perms;
files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)

# log files
allow amavis_t amavis_var_log_t:file create_file_perms;
allow amavis_t amavis_var_log_t:sock_file create_file_perms;
allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })

# pid file
allow amavis_t amavis_var_run_t:file manage_file_perms;
allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
allow amavis_t amavis_var_run_t:dir rw_dir_perms;
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })

# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)

# find perl
corecmd_exec_bin(amavis_t)
corecmd_search_sbin(amavis_t)

corenet_non_ipsec_sendrecv(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)

dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

auth_dontaudit_read_shadow(amavis_t)

init_use_fds(amavis_t)
init_use_script_ptys(amavis_t)

libs_use_ld_so(amavis_t)
libs_use_shared_libs(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)

userdom_dontaudit_search_sysadm_home_dirs(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

mta_read_config(amavis_t)

optional_policy(`
	clamav_stream_connect(amavis_t)
')

optional_policy(`
	ldap_use(amavis_t)
')

optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
')
add amavis and clamav from Erich Schubert 2006-03-07 21:15:24 +00:00
			`policy_module(amavis,1.0.0)`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`type amavis_t;`
			`type amavis_exec_t;`
			`domain_type(amavis_t)`
			`init_daemon_domain(amavis_t, amavis_exec_t)`

			`# configuration files`
			`type amavis_etc_t;`
			`files_type(amavis_etc_t)`

			`# pid files`
			`type amavis_var_run_t;`
			`files_pid_file(amavis_var_run_t)`

			`# var/lib files`
			`type amavis_var_lib_t;`
			`files_type(amavis_var_lib_t)`

			`# log files`
			`type amavis_var_log_t;`
			`logging_log_file(amavis_var_log_t)`

			`# tmp files`
			`type amavis_tmp_t;`
			`files_tmp_file(amavis_tmp_t)`

			`# virus quarantine`
			`type amavis_quarantine_t;`
			`files_type(amavis_quarantine_t)`

			`########################################`
			`#`
			`# amavis local policy`
			`#`

			`allow amavis_t self:capability { chown dac_override setgid setuid };`
			`dontaudit amavis_t self:capability sys_tty_config;`
			`allow amavis_t self:process { signal sigchld signull };`
			`allow amavis_t self:fifo_file rw_file_perms;`
			`allow amavis_t self:unix_stream_socket create_stream_socket_perms;`
			`allow amavis_t self:unix_dgram_socket create_socket_perms;`
			`allow amavis_t self:tcp_socket { listen accept };`

			`# configuration files`
			`allow amavis_t amavis_etc_t:dir r_dir_perms;`
			`allow amavis_t amavis_etc_t:file r_file_perms;`
			`allow amavis_t amavis_etc_t:lnk_file { getattr read };`

			`# mail quarantine`
			`allow amavis_t amavis_quarantine_t:file create_file_perms;`
			`allow amavis_t amavis_quarantine_t:sock_file create_file_perms;`
			`allow amavis_t amavis_quarantine_t:dir create_dir_perms;`

			`# tmp files`
			`allow amavis_t amavis_tmp_t:file create_file_perms;`
			`allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };`
			`files_tmp_filetrans(amavis_t,amavis_tmp_t,file)`

			`# var/lib files for amavis`
			`allow amavis_t amavis_var_lib_t:file create_file_perms;`
			`allow amavis_t amavis_var_lib_t:sock_file create_file_perms;`
			`allow amavis_t amavis_var_lib_t:dir create_dir_perms;`
			`files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })`
			`files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)`

			`# log files`
			`allow amavis_t amavis_var_log_t:file create_file_perms;`
			`allow amavis_t amavis_var_log_t:sock_file create_file_perms;`
			`allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };`
			`logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })`

			`# pid file`
			`allow amavis_t amavis_var_run_t:file manage_file_perms;`
			`allow amavis_t amavis_var_run_t:sock_file manage_file_perms;`
			`allow amavis_t amavis_var_run_t:dir rw_dir_perms;`
			`files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })`

			`# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...`
			`kernel_dontaudit_list_proc(amavis_t)`

			`# find perl`
			`corecmd_exec_bin(amavis_t)`
			`corecmd_search_sbin(amavis_t)`

			`corenet_non_ipsec_sendrecv(amavis_t)`
			`corenet_tcp_sendrecv_all_if(amavis_t)`
			`corenet_tcp_sendrecv_all_nodes(amavis_t)`
			`# amavis uses well-defined ports`
			`corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)`
			`corenet_tcp_sendrecv_amavisd_send_port(amavis_t)`
			`# just the other side not. ;-)`
			`corenet_tcp_sendrecv_all_ports(amavis_t)`
			`# connect to backchannel port`
			`corenet_tcp_connect_amavisd_send_port(amavis_t)`
			`# bind to incoming port`
			`corenet_tcp_bind_amavisd_recv_port(amavis_t)`

			`dev_read_rand(amavis_t)`
			`dev_read_urand(amavis_t)`

			`domain_use_interactive_fds(amavis_t)`

			`files_read_etc_files(amavis_t)`
			`files_read_etc_runtime_files(amavis_t)`
			`files_read_usr_files(amavis_t)`

			`auth_dontaudit_read_shadow(amavis_t)`

			`init_use_fds(amavis_t)`
			`init_use_script_ptys(amavis_t)`

			`libs_use_ld_so(amavis_t)`
			`libs_use_shared_libs(amavis_t)`

			`logging_send_syslog_msg(amavis_t)`

			`miscfiles_read_localization(amavis_t)`

			`sysnet_dns_name_resolve(amavis_t)`

			`userdom_dontaudit_search_sysadm_home_dirs(amavis_t)`

			`# Cron handling`
			`cron_use_fds(amavis_t)`
			`cron_use_system_job_fds(amavis_t)`
			`cron_rw_pipes(amavis_t)`

			`mta_read_config(amavis_t)`

deprecate module name as first parameter of optional_policy() 2006-03-24 16:13:54 +00:00			optional_policy(`
add amavis and clamav from Erich Schubert 2006-03-07 21:15:24 +00:00			`clamav_stream_connect(amavis_t)`
			`')`

deprecate module name as first parameter of optional_policy() 2006-03-24 16:13:54 +00:00			optional_policy(`
add amavis and clamav from Erich Schubert 2006-03-07 21:15:24 +00:00			`ldap_use(amavis_t)`
			`')`

deprecate module name as first parameter of optional_policy() 2006-03-24 16:13:54 +00:00			optional_policy(`
add amavis and clamav from Erich Schubert 2006-03-07 21:15:24 +00:00			`spamassassin_exec(amavis_t)`
			`spamassassin_exec_client(amavis_t)`
			`')`