85 lines
3.1 KiB
Plaintext
85 lines
3.1 KiB
Plaintext
|
#DESC MTA - Mail agents
|
||
|
|
#
|
||
|
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
|
# X-Debian-Packages: postfix exim sendmail sendmail-wide
|
||
|
|
#
|
||
|
|
# policy for all mail servers, including allowing user to send mail from the
|
||
|
|
# command-line and for cron jobs to use sendmail -t
|
||
|
|
|
||
|
|
#
|
||
|
|
# sendmail_exec_t is the type of /usr/sbin/sendmail
|
||
|
|
#
|
||
|
|
# define sendmail_exec_t if sendmail.te does not do it for us
|
||
|
|
ifdef(`sendmail.te', `', `
|
||
|
|
type sendmail_exec_t, file_type, exec_type, sysadmfile;
|
||
|
|
')
|
||
|
|
type smtp_port_t, port_type, reserved_port_type;
|
||
|
|
|
||
|
|
|
||
|
|
# create a system_mail_t domain for daemons, init scripts, etc when they run
|
||
|
|
# "mail user@domain"
|
||
|
|
mail_domain(system)
|
||
|
|
|
||
|
|
ifdef(`targeted_policy', `
|
||
|
|
# rules are currently defined in sendmail.te, but it is not included in
|
||
|
|
# targeted policy. We could move these rules permanantly here.
|
||
|
|
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
|
||
|
|
allow system_mail_t self:dir { search };
|
||
|
|
r_dir_file(system_mail_t, { proc_t proc_net_t })
|
||
|
|
allow system_mail_t fs_t:filesystem getattr;
|
||
|
|
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||
|
|
create_dir_file(system_mail_t, mqueue_spool_t)
|
||
|
|
create_dir_file(system_mail_t, mail_spool_t)
|
||
|
|
allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
|
||
|
|
allow system_mail_t etc_mail_t:file { getattr read };
|
||
|
|
', `
|
||
|
|
ifdef(`sendmail.te', `
|
||
|
|
# sendmail has an ugly design, the one process parses input from the user and
|
||
|
|
# then does system things with it.
|
||
|
|
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
|
||
|
|
', `
|
||
|
|
domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
|
||
|
|
')
|
||
|
|
allow initrc_t sendmail_exec_t:lnk_file { getattr read };
|
||
|
|
|
||
|
|
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||
|
|
allow sysadm_mail_t user_home_dir_type:dir search;
|
||
|
|
r_dir_file(sysadm_mail_t, user_home_type)
|
||
|
|
')
|
||
|
|
# for a mail server process that does things in response to a user command
|
||
|
|
allow mta_user_agent userdomain:process sigchld;
|
||
|
|
allow mta_user_agent { userdomain privfd }:fd use;
|
||
|
|
ifdef(`crond.te', `
|
||
|
|
allow mta_user_agent crond_t:process sigchld;
|
||
|
|
')
|
||
|
|
allow mta_user_agent sysadm_t:fifo_file { read write };
|
||
|
|
|
||
|
|
allow { system_mail_t mta_user_agent } privmail:fd use;
|
||
|
|
allow { system_mail_t mta_user_agent } privmail:process sigchld;
|
||
|
|
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
|
||
|
|
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
|
||
|
|
|
||
|
|
ifdef(`arpwatch.te', `
|
||
|
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
||
|
|
allow mta_delivery_agent arpwatch_data_t:dir search;
|
||
|
|
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
|
||
|
|
ifdef(`hide_broken_symptoms', `
|
||
|
|
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
|
||
|
|
')
|
||
|
|
')dnl end if arpwatch.te
|
||
|
|
|
||
|
|
allow mta_delivery_agent home_root_t:dir { getattr search };
|
||
|
|
|
||
|
|
# for /var/spool/mail
|
||
|
|
ra_dir_create_file(mta_delivery_agent, mail_spool_t)
|
||
|
|
|
||
|
|
# for piping mail to a command
|
||
|
|
can_exec(mta_delivery_agent, shell_exec_t)
|
||
|
|
allow mta_delivery_agent bin_t:dir search;
|
||
|
|
allow mta_delivery_agent bin_t:lnk_file read;
|
||
|
|
allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
|
||
|
|
allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
|
||
|
|
|
||
|
|
allow system_mail_t etc_runtime_t:file { getattr read };
|
||
|
|
allow system_mail_t urandom_device_t:chr_file read;
|