policy_module(mta, 2.3.0)

########################################
#
# Declarations
#

# Attributes shared with the interface file. Only the ones that are
# referenced by rules in this file are described from evidence here;
# the others are presumably assigned and used from the interface file.

# Types holding mail content; system_mail_t gets read access to all of them below.
attribute mailcontent_type;
# Executables that user_mail_domain may execute and enter (entrypoint) below.
attribute mta_exec_type;
# Programs that submit mail on a user's behalf; receives mostly dontaudit
# and tmp/terminal rules below.
attribute mta_user_agent;
# Domains that deliver mail into spools and home directories (see the
# "Mailserver delivery local policy" section).
attribute mailserver_delivery;
# Not referenced in this file; presumably used from the interface file.
attribute mailserver_domain;
# Not referenced in this file; presumably used from the interface file.
attribute mailserver_sender;

# Common attribute for all mail-sending domains (see the last section of this file).
attribute user_mail_domain;

# Alias database under /etc; managed by system_mail_t and readable by user_mail_domain.
type etc_aliases_t;
files_type(etc_aliases_t)

# General MTA configuration; readable by user_mail_domain.
type etc_mail_t;
files_config_file(etc_mail_t)

# Per-user mail files in home directories. The alias keeps the old name
# mail_forward_t resolving to the same type, so policy built against the
# old name keeps loading.
type mail_home_t alias mail_forward_t;
userdom_user_home_content(mail_home_t)

# Outgoing mail queue; declared as a mountpoint. No rules for it appear
# in this file, so its access rules presumably live in the interface file.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)

# Local mailbox spool; mailserver_delivery gets create/read/append on it below.
type mail_spool_t;
files_mountpoint(mail_spool_t)

type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)

# Template instantiation; the template body is in the interface file.
# It is what makes system_mail_t (used on the next line and throughout
# the next section) exist -- confirm against the interface file.
mta_base_mail_template(system)
role system_r types system_mail_t;

# Same template for the user mail domain. The typealiases collapse the
# former per-role domains onto user_mail_t so that policy still
# referring to the old per-role names keeps loading.
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
# Subject the user mail domain and its tmp type to the user-based
# access control constraints (keeps one user's mail process away from
# another user's objects when UBAC is enabled).
ubac_constrained(user_mail_t)
ubac_constrained(user_mail_tmp_t)
########################################
#
# System mail local policy
#

# newalias required this, not sure if it is needed in 'if' file
# NOTE(review): dac_override bypasses DAC permission checks on every file
# system_mail_t touches and fowner bypasses owner checks; both are broad
# grants for a domain that also reads all mailcontent_type files below.
# Keep under review whether newaliases still needs them.
allow system_mail_t self:capability { dac_override fowner };

# Read access to every type carrying the mailcontent_type attribute.
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)

dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)

files_read_usr_files(system_mail_t)

fs_rw_anon_inodefs_files(system_mail_t)

selinux_getattr_fs(system_mail_t)

# dontaudit rules grant nothing; they only silence the corresponding denials.
term_dontaudit_use_unallocated_ttys(system_mail_t)

init_use_script_ptys(system_mail_t)

userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
userdom_dontaudit_list_admin_dir(system_mail_t)

# Append (per the interface name), not write, on all log types.
logging_append_all_logs(system_mail_t)

# Each optional_policy block below is only enabled when the module it
# refers to is present in the loaded policy.
optional_policy(`
	apache_read_squirrelmail_data(system_mail_t)
	apache_append_squirrelmail_data(system_mail_t)

	# apache should set close-on-exec
	# (these dontaudits silence denials on descriptors leaked from apache;
	# they do not grant access)
	apache_dontaudit_append_log(system_mail_t)
	apache_dontaudit_rw_stream_sockets(system_mail_t)
	apache_dontaudit_rw_tcp_sockets(system_mail_t)
	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
	apache_dontaudit_write_tmp_files(system_mail_t)

	# apache should set close-on-exec
	apache_dontaudit_rw_stream_sockets(mta_user_agent)
	apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
	apache_append_log(mta_user_agent)
')

optional_policy(`
	arpwatch_manage_tmp_files(system_mail_t)

	# Build-time switch: only compiled in when hide_broken_symptoms is set.
	ifdef(`hide_broken_symptoms',`
		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
	')
')

optional_policy(`
	bugzilla_search_dirs(system_mail_t)
	bugzilla_dontaudit_rw_script_stream_sockets(system_mail_t)
')

optional_policy(`
	clamav_stream_connect(system_mail_t)
	clamav_append_log(system_mail_t)
')

optional_policy(`
	cron_read_system_job_tmp_files(system_mail_t)
	cron_dontaudit_write_pipes(system_mail_t)
	cron_rw_system_job_stream_sockets(system_mail_t)
	cron_rw_inherited_spool_files(system_mail_t)
	cron_rw_inherited_user_spool_files(system_mail_t)
')

optional_policy(`
	courier_manage_spool_dirs(system_mail_t)
	courier_manage_spool_files(system_mail_t)
	courier_rw_spool_pipes(system_mail_t)
')

optional_policy(`
	cvs_read_data(system_mail_t)
')

optional_policy(`
	fail2ban_append_log(system_mail_t)
	fail2ban_dontaudit_leaks(system_mail_t)
')

optional_policy(`
	logrotate_read_tmp_files(system_mail_t)
')

optional_policy(`
	logwatch_read_tmp_files(system_mail_t)
')

optional_policy(`
	# newaliases runs as system_mail_t when the sendmail initscript does a restart
	milter_getattr_all_sockets(system_mail_t)
')

optional_policy(`
	munin_dontaudit_leaks(system_mail_t)
')

optional_policy(`
	nagios_read_tmp_files(system_mail_t)
')

# Full management of the alias database, plus the file transition so that
# files system_mail_t creates under /etc get etc_aliases_t rather than the
# generic etc type.
# NOTE(review): every rule in this block refers only to types declared in
# this module or in base, so the optional_policy wrapper looks
# unconditional -- confirm whether a module guard was intended.
optional_policy(`
	manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
	manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
	manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })

	domain_use_interactive_fds(system_mail_t)
')

optional_policy(`
	qmail_domtrans_inject(system_mail_t)
')

optional_policy(`
	sxid_read_log(system_mail_t)
')

optional_policy(`
	userdom_dontaudit_use_user_ptys(system_mail_t)

	optional_policy(`
		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
	')
')

optional_policy(`
	spamd_stream_connect(system_mail_t)
')

optional_policy(`
	smartmon_read_tmp_files(system_mail_t)
')

# should break this up among sections:
# (the rules below are for mailserver_delivery and mta_user_agent, not
# system_mail_t, and belong with those sections)

optional_policy(`
	# why is mail delivered to a directory of type arpwatch_data_t?
	arpwatch_search_data(mailserver_delivery)
	arpwatch_manage_tmp_files(mta_user_agent)

	ifdef(`hide_broken_symptoms',`
		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
	')

	# NOTE(review): this cron rule is nested inside the arpwatch
	# optional_policy, so it is only enabled when the arpwatch module is
	# loaded. If mta_user_agent needs cron job tmp files regardless of
	# arpwatch, this block should be lifted to the top level.
	optional_policy(`
		cron_read_system_job_tmp_files(mta_user_agent)
	')
')
########################################
#
# Mailserver delivery local policy
#

# Mailbox spool access is deliberately create/read/append rather than
# write: delivery appends to mailboxes and creates new ones but gets no
# permission to rewrite or truncate existing mailbox contents.
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)

userdom_search_admin_dir(mailserver_delivery)
# Read-only access to the dedicated per-user mail type in home directories.
read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)

read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)

# Runtime booleans: when home directories live on CIFS/NFS, delivery needs
# manage rights there. Note these are full manage rights on the CIFS/NFS
# types, which is wider than the append-only spool access above.
tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(mailserver_delivery)
	fs_manage_cifs_files(mailserver_delivery)
	fs_manage_cifs_symlinks(mailserver_delivery)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(mailserver_delivery)
	fs_manage_nfs_files(mailserver_delivery)
	fs_manage_nfs_symlinks(mailserver_delivery)
')

# Hand-off to dovecot's deliver agent (domain transition) when dovecot is present.
optional_policy(`
	dovecot_manage_spool(mailserver_delivery)
	dovecot_domtrans_deliver(mailserver_delivery)
')

optional_policy(`
	# so MTA can access /var/lib/mailman/mail/wrapper
	files_search_var_lib(mailserver_delivery)

	# Transition into the mailman domain rather than running its wrapper
	# inside the delivery domain.
	mailman_domtrans(mailserver_delivery)
	mailman_read_data_symlinks(mailserver_delivery)
')

optional_policy(`
	uucp_domtrans_uux(mailserver_delivery)
')
########################################
#
# User send mail local policy
#

domain_use_interactive_fds(user_mail_t)

userdom_use_user_terminals(user_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals(mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
# NOTE(review): these are mailserver_delivery rules placed in the
# user-send-mail section, and they grant manage rights over all user home
# content. The narrower mail_home_t type is declared above and is already
# readable by mailserver_delivery; whether maildir delivery could be
# confined to that type instead needs confirming.
userdom_manage_user_home_content_dirs(mailserver_delivery)
userdom_manage_user_home_content_files(mailserver_delivery)
userdom_manage_user_home_content_symlinks(mailserver_delivery)
userdom_manage_user_home_content_pipes(mailserver_delivery)
userdom_manage_user_home_content_sockets(mailserver_delivery)
userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
# Read user temporary files.
userdom_read_user_tmp_files(user_mail_t)
userdom_dontaudit_append_user_tmp_files(user_mail_t)
# cjp: this should probably be read all user tmp
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)

# Runtime boolean: home directories on CIFS.
tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_files(user_mail_t)
	fs_manage_cifs_symlinks(user_mail_t)
')

# Only enabled when the postfix module is loaded.
optional_policy(`
	# NOTE(review): dac_override lets user_mail_t bypass DAC checks on any
	# file it can reach; it is granted here only for the postfix case.
	allow user_mail_t self:capability dac_override;

	# Read user temporary files.
	# postfix seems to need write access if the file handle is opened read/write
	userdom_rw_user_tmp_files(user_mail_t)

	postfix_read_config(user_mail_t)
	postfix_list_spool(user_mail_t)
')
########################################
#
# Common user_mail_domain policy
#
# Rules here apply to every domain carrying the user_mail_domain attribute.

allow user_mail_domain self:fifo_file rw_fifo_file_perms;
# Any mta_exec_type executable may serve as the entry point into a
# user_mail_domain; can_exec below additionally allows running such
# executables without a domain transition.
allow user_mail_domain mta_exec_type:file entrypoint;

# Read-only access to the alias database (system_mail_t manages it above).
read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)

can_exec(user_mail_domain, mta_exec_type)

# NOTE(review): the file class on a domain type presumably covers that
# domain's /proc/<pid> entries, so this looks like system_mail_t reading
# process state of user mail domains -- confirm.
allow system_mail_t user_mail_domain:file read_file_perms;

read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)

kernel_read_system_state(user_mail_domain)
kernel_read_network_state(user_mail_domain)
# NOTE(review): permits asking the kernel to autoload modules; that is a
# notable grant for a user-driven domain and worth confirming it is needed.
kernel_request_load_module(user_mail_domain)

# Only enabled when the postfix module is loaded.
optional_policy(`
	# postfix needs this for newaliases
	files_getattr_tmp_dirs(user_mail_domain)

	postfix_exec_master(user_mail_domain)
	postfix_read_config(user_mail_domain)
	postfix_search_spool(user_mail_domain)

	# Build-time distro switch.
	ifdef(`distro_redhat',`
		# compatibility for old default main.cf
		postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
	')
')

# Only enabled when the exim module is loaded.
optional_policy(`
	exim_domtrans(user_mail_domain)
	exim_manage_log(user_mail_domain)
')