198 lines
7.6 KiB
Plaintext
198 lines
7.6 KiB
Plaintext
|
#DESC Qmail - Mail server
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
# X-Debian-Packages: qmail-src qmail
|
||
|
# Depends: inetd.te mta.te
|
||
|
#
|
||
|
|
||
|
|
||
|
# Type for files created during execution of qmail.
|
||
|
type qmail_var_run_t, file_type, sysadmfile, pidfile;
|
||
|
|
||
|
type qmail_etc_t, file_type, sysadmfile;
|
||
|
|
||
|
allow inetd_t smtp_port_t:tcp_socket name_bind;
|
||
|
|
||
|
type qmail_exec_t, file_type, sysadmfile, exec_type;
|
||
|
type qmail_spool_t, file_type, sysadmfile;
|
||
|
type var_qmail_t, file_type, sysadmfile;
|
||
|
|
||
|
define(`qmaild_sub_domain', `
|
||
|
daemon_sub_domain($1, $2, `$3')
|
||
|
allow $2_t qmail_etc_t:dir { getattr search };
|
||
|
allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
|
||
|
allow $2_t { var_t var_spool_t }:dir search;
|
||
|
allow $2_t console_device_t:chr_file rw_file_perms;
|
||
|
allow $2_t fs_t:filesystem getattr;
|
||
|
')
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the qmail_$1_t domain.
|
||
|
#
|
||
|
# qmail_$1_exec_t is the type of the qmail_$1 executables.
|
||
|
#
|
||
|
define(`qmail_daemon_domain', `
|
||
|
qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
|
||
|
allow qmail_$1_t qmail_start_t:fifo_file { read write };
|
||
|
')dnl
|
||
|
|
||
|
|
||
|
daemon_base_domain(qmail_start)
|
||
|
|
||
|
allow qmail_start_t self:capability { setgid setuid };
|
||
|
allow qmail_start_t { bin_t sbin_t }:dir search;
|
||
|
allow qmail_start_t qmail_etc_t:dir search;
|
||
|
allow qmail_start_t qmail_etc_t:file { getattr read };
|
||
|
can_exec(qmail_start_t, qmail_start_exec_t)
|
||
|
allow qmail_start_t self:fifo_file { getattr read write };
|
||
|
|
||
|
qmail_daemon_domain(lspawn, `, mta_delivery_agent')
|
||
|
allow qmail_lspawn_t self:fifo_file { read write };
|
||
|
allow qmail_lspawn_t self:capability { setuid setgid };
|
||
|
allow qmail_lspawn_t self:process { fork signal_perms };
|
||
|
allow qmail_lspawn_t sbin_t:dir search;
|
||
|
can_exec(qmail_lspawn_t, qmail_exec_t)
|
||
|
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
|
||
|
allow qmail_lspawn_t qmail_spool_t:dir search;
|
||
|
allow qmail_lspawn_t qmail_spool_t:file { read getattr };
|
||
|
allow qmail_lspawn_t etc_t:file { getattr read };
|
||
|
allow qmail_lspawn_t tmp_t:dir getattr;
|
||
|
dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
|
||
|
|
||
|
qmail_daemon_domain(send, `, mail_server_sender')
|
||
|
rw_dir_create_file(qmail_send_t, qmail_spool_t)
|
||
|
allow qmail_send_t qmail_spool_t:fifo_file read;
|
||
|
allow qmail_send_t self:process { fork signal_perms };
|
||
|
allow qmail_send_t self:fifo_file write;
|
||
|
domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
|
||
|
allow qmail_send_t sbin_t:dir search;
|
||
|
|
||
|
qmail_daemon_domain(splogger)
|
||
|
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow qmail_splogger_t etc_t:lnk_file read;
|
||
|
dontaudit qmail_splogger_t initrc_t:fd use;
|
||
|
read_locale(qmail_splogger_t)
|
||
|
|
||
|
qmail_daemon_domain(rspawn)
|
||
|
allow qmail_rspawn_t qmail_spool_t:dir search;
|
||
|
allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
|
||
|
allow qmail_rspawn_t self:process { fork signal_perms };
|
||
|
allow qmail_rspawn_t self:fifo_file read;
|
||
|
allow qmail_rspawn_t { bin_t sbin_t }:dir search;
|
||
|
|
||
|
qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
|
||
|
allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
|
||
|
can_network_server(qmail_remote_t)
|
||
|
can_ypbind(qmail_remote_t)
|
||
|
allow qmail_remote_t qmail_spool_t:dir search;
|
||
|
allow qmail_remote_t qmail_spool_t:file rw_file_perms;
|
||
|
allow qmail_remote_t self:tcp_socket create_socket_perms;
|
||
|
allow qmail_remote_t self:udp_socket create_socket_perms;
|
||
|
|
||
|
qmail_daemon_domain(clean)
|
||
|
allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
|
||
|
allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
|
||
|
|
||
|
# privhome will do until we get a separate maildir type
|
||
|
qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
|
||
|
allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
|
||
|
allow qmail_local_t self:process { fork signal_perms };
|
||
|
domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
|
||
|
allow qmail_local_t qmail_queue_exec_t:file { getattr read };
|
||
|
allow qmail_local_t qmail_spool_t:file { ioctl read };
|
||
|
allow qmail_local_t self:fifo_file write;
|
||
|
allow qmail_local_t sbin_t:dir search;
|
||
|
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow qmail_local_t etc_t:file { getattr read };
|
||
|
|
||
|
# for piping mail to a command
|
||
|
can_exec(qmail_local_t, shell_exec_t)
|
||
|
allow qmail_local_t bin_t:dir search;
|
||
|
allow qmail_local_t bin_t:lnk_file read;
|
||
|
allow qmail_local_t devtty_t:chr_file rw_file_perms;
|
||
|
allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
|
||
|
|
||
|
ifdef(`tcpd.te', `
|
||
|
qmaild_sub_domain(tcpd_t, qmail_tcp_env)
|
||
|
# bug
|
||
|
can_exec(tcpd_t, tcpd_exec_t)
|
||
|
', `
|
||
|
qmaild_sub_domain(inetd_t, qmail_tcp_env)
|
||
|
')
|
||
|
allow qmail_tcp_env_t inetd_t:fd use;
|
||
|
allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
|
||
|
allow qmail_tcp_env_t inetd_t:process sigchld;
|
||
|
allow qmail_tcp_env_t sbin_t:dir search;
|
||
|
can_network_server(qmail_tcp_env_t)
|
||
|
can_ypbind(qmail_tcp_env_t)
|
||
|
|
||
|
qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
|
||
|
allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
|
||
|
can_network_server(qmail_smtpd_t)
|
||
|
can_ypbind(qmail_smtpd_t)
|
||
|
allow qmail_smtpd_t inetd_t:fd use;
|
||
|
allow qmail_smtpd_t inetd_t:tcp_socket { read write };
|
||
|
allow qmail_smtpd_t inetd_t:process sigchld;
|
||
|
allow qmail_smtpd_t self:process { fork signal_perms };
|
||
|
allow qmail_smtpd_t self:fifo_file write;
|
||
|
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
|
||
|
allow qmail_smtpd_t sbin_t:dir search;
|
||
|
domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
|
||
|
allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
|
||
|
|
||
|
qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
|
||
|
allow qmail_inject_t self:process { fork signal_perms };
|
||
|
allow qmail_inject_t self:fifo_file write;
|
||
|
allow qmail_inject_t sbin_t:dir search;
|
||
|
role sysadm_r types qmail_inject_t;
|
||
|
in_user_role(qmail_inject_t)
|
||
|
|
||
|
qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
|
||
|
in_user_role(qmail_qread_t)
|
||
|
role sysadm_r types qmail_qread_t;
|
||
|
r_dir_file(qmail_qread_t, qmail_spool_t)
|
||
|
allow qmail_qread_t self:capability dac_override;
|
||
|
allow qmail_qread_t privfd:fd use;
|
||
|
|
||
|
qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
|
||
|
role sysadm_r types qmail_queue_t;
|
||
|
in_user_role(qmail_queue_t)
|
||
|
allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
|
||
|
rw_dir_create_file(qmail_queue_t, qmail_spool_t)
|
||
|
allow qmail_queue_t qmail_spool_t:fifo_file { read write };
|
||
|
allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
|
||
|
allow qmail_queue_t qmail_lspawn_t:fifo_file write;
|
||
|
allow qmail_queue_t qmail_start_t:fifo_file { read write };
|
||
|
allow qmail_queue_t privfd:fd use;
|
||
|
allow qmail_queue_t crond_t:fifo_file { read write };
|
||
|
allow qmail_queue_t inetd_t:fd use;
|
||
|
allow qmail_queue_t inetd_t:tcp_socket { read write };
|
||
|
allow qmail_queue_t sysadm_t:fd use;
|
||
|
allow qmail_queue_t sysadm_t:fifo_file write;
|
||
|
|
||
|
allow user_crond_domain qmail_etc_t:dir search;
|
||
|
allow user_crond_domain qmail_etc_t:file { getattr read };
|
||
|
|
||
|
qmaild_sub_domain(user_crond_domain, qmail_serialmail)
|
||
|
in_user_role(qmail_serialmail_t)
|
||
|
can_network_server(qmail_serialmail_t)
|
||
|
can_ypbind(qmail_serialmail_t)
|
||
|
can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
|
||
|
allow qmail_serialmail_t self:process { fork signal_perms };
|
||
|
allow qmail_serialmail_t proc_t:file { getattr read };
|
||
|
allow qmail_serialmail_t etc_runtime_t:file { getattr read };
|
||
|
allow qmail_serialmail_t home_root_t:dir search;
|
||
|
allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
|
||
|
rw_dir_create_file(qmail_serialmail_t, user_home_type)
|
||
|
allow qmail_serialmail_t self:fifo_file { read write };
|
||
|
allow qmail_serialmail_t self:udp_socket create_socket_perms;
|
||
|
allow qmail_serialmail_t self:tcp_socket create_socket_perms;
|
||
|
allow qmail_serialmail_t privfd:fd use;
|
||
|
allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
|
||
|
allow qmail_serialmail_t devtty_t:chr_file { read write };
|
||
|
|
||
|
# for tcpclient
|
||
|
can_exec(qmail_serialmail_t, bin_t)
|
||
|
allow qmail_serialmail_t bin_t:dir search;
|