selinux-policy/policy/modules/services/qmail.te

policy_module(qmail, 1.5.0)

########################################
#
# Declarations
#

attribute qmail_user_domains;

type qmail_alias_home_t;
files_type(qmail_alias_home_t)

qmail_child_domain_template(qmail_clean, qmail_start_t)

type qmail_etc_t;
files_config_file(qmail_etc_t)

type qmail_exec_t;
files_type(qmail_exec_t)

type qmail_inject_t, qmail_user_domains;
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
mta_mailserver_user_agent(qmail_inject_t)
role system_r types qmail_inject_t;

qmail_child_domain_template(qmail_local, qmail_lspawn_t)
mta_mailserver_delivery(qmail_local_t)

qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)

qmail_child_domain_template(qmail_queue, qmail_inject_t)
typeattribute qmail_queue_t qmail_user_domains;
mta_mailserver_user_agent(qmail_queue_t)

qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
mta_mailserver_sender(qmail_remote_t)

qmail_child_domain_template(qmail_rspawn, qmail_start_t)

qmail_child_domain_template(qmail_send, qmail_start_t)

qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)

qmail_child_domain_template(qmail_splogger, qmail_start_t)

type qmail_spool_t;
files_type(qmail_spool_t)

type qmail_start_t;
type qmail_start_exec_t;
init_daemon_domain(qmail_start_t, qmail_start_exec_t)

type qmail_tcp_env_t;
type qmail_tcp_env_exec_t;
application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)

########################################
#
# qmail-clean local policy
#	this component cleans up the queue directory
#

read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)

########################################
#
# qmail-inject local policy
#	this component preprocesses mail from stdin and invokes qmail-queue
#

allow qmail_inject_t self:process signal_perms;
allow qmail_inject_t self:fifo_file write_fifo_file_perms;

allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;

corecmd_search_bin(qmail_inject_t)

files_search_var(qmail_inject_t)

miscfiles_read_localization(qmail_inject_t)

qmail_read_config(qmail_inject_t)

########################################
#
# qmail-local local policy
#	this component delivers a mail message
#

allow qmail_local_t self:process signal_perms;
allow qmail_local_t self:fifo_file write_file_perms;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)

can_exec(qmail_local_t, qmail_local_exec_t)

allow qmail_local_t qmail_queue_exec_t:file read_file_perms;

allow qmail_local_t qmail_spool_t:file read_file_perms;

kernel_read_system_state(qmail_local_t)

corecmd_exec_bin(qmail_local_t)
corecmd_exec_shell(qmail_local_t)

files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t)

auth_use_nsswitch(qmail_local_t)

logging_send_syslog_msg(qmail_local_t)

mta_append_spool(qmail_local_t)

qmail_domtrans_queue(qmail_local_t)

optional_policy(`
	uucp_domtrans(qmail_local_t)
')

optional_policy(`
	spamassassin_domtrans_client(qmail_local_t)
')

########################################
#
# qmail-lspawn local policy
#	this component schedules local deliveries
#

allow qmail_lspawn_t self:capability { setuid setgid };
allow qmail_lspawn_t self:process signal_perms;
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;

can_exec(qmail_lspawn_t, qmail_exec_t)

allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;

read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)

corecmd_search_bin(qmail_lspawn_t)

files_read_etc_files(qmail_lspawn_t)
files_search_pids(qmail_lspawn_t)
files_search_tmp(qmail_lspawn_t)

########################################
#
# qmail-queue local policy
#	this component places a mail in a delivery queue, later to be processed by qmail-send
#

allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;

allow qmail_queue_t qmail_smtpd_t:process sigchld;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;

manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)

corecmd_exec_bin(qmail_queue_t)

logging_send_syslog_msg(qmail_queue_t)

optional_policy(`
	daemontools_ipc_domain(qmail_queue_t)
')

########################################
#
# qmail-remote local policy
#	this component sends mail via SMTP
#

allow qmail_remote_t self:tcp_socket create_socket_perms;
allow qmail_remote_t self:udp_socket create_socket_perms;

rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)

corenet_all_recvfrom_unlabeled(qmail_remote_t)
corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
corenet_udp_sendrecv_generic_node(qmail_remote_t)
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
corenet_udp_sendrecv_dns_port(qmail_remote_t)
corenet_tcp_connect_smtp_port(qmail_remote_t)
corenet_sendrecv_smtp_client_packets(qmail_remote_t)

dev_read_rand(qmail_remote_t)
dev_read_urand(qmail_remote_t)

sysnet_read_config(qmail_remote_t)

########################################
#
# qmail-rspawn local policy
#	this component scedules remote deliveries
#

allow qmail_rspawn_t self:process signal_perms;
allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;

allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;

rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)

corecmd_search_bin(qmail_rspawn_t)

########################################
#
# qmail-send local policy
#	this component delivers mail messages from the queue
#

allow qmail_send_t self:process signal_perms;
allow qmail_send_t self:fifo_file write_fifo_file_perms;

manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)

qmail_domtrans_queue(qmail_send_t)

optional_policy(`
	daemontools_ipc_domain(qmail_send_t)
')

########################################
#
# qmail-smtpd local policy
#	this component receives mails via SMTP
#

allow qmail_smtpd_t self:process signal_perms;
allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;

allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;

dev_read_rand(qmail_smtpd_t)
dev_read_urand(qmail_smtpd_t)

qmail_domtrans_queue(qmail_smtpd_t)

optional_policy(`
	daemontools_ipc_domain(qmail_smtpd_t)
')

optional_policy(`
	kerberos_keytab_template(qmail, qmail_smtpd_t)
')

optional_policy(`
	ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
')

########################################
#
# splogger local policy
#	this component creates entries in syslog
#

allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;

files_read_etc_files(qmail_splogger_t)

init_dontaudit_use_script_fds(qmail_splogger_t)

miscfiles_read_localization(qmail_splogger_t)

########################################
#
# qmail-start local policy
#	this component starts up the mail delivery component
#

allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
allow qmail_start_t self:process signal_perms;
allow qmail_start_t self:fifo_file rw_fifo_file_perms;

can_exec(qmail_start_t, qmail_start_exec_t)

corecmd_search_bin(qmail_start_t)

files_search_var(qmail_start_t)

qmail_read_config(qmail_start_t)

optional_policy(`
	daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
	daemontools_ipc_domain(qmail_start_t)
')

########################################
#
# tcp-env local policy
#	this component sets up TCP-related environment variables
#

allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;

corecmd_search_bin(qmail_tcp_env_t)

sysnet_read_config(qmail_tcp_env_t)

optional_policy(`
	inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
')

optional_policy(`
	ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
')