selinux-policy/policy/modules/services/exim.te

policy_module(exim, 1.5.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow exim to connect to databases (postgres, mysql)
##	</p>
## </desc>
gen_tunable(exim_can_connect_db, false)

## <desc>
##	<p>
##	Allow exim to read unprivileged user files.
##	</p>
## </desc>
gen_tunable(exim_read_user_files, false)

## <desc>
##	<p>
##	Allow exim to create, read, write, and delete
##	unprivileged user files.
##	</p>
## </desc>
gen_tunable(exim_manage_user_files, false)

type exim_t;
type exim_exec_t;
init_daemon_domain(exim_t, exim_exec_t)
mta_mailserver(exim_t, exim_exec_t)
mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)

type exim_initrc_exec_t;
init_script_file(exim_initrc_exec_t)

type exim_log_t;
logging_log_file(exim_log_t)

type exim_spool_t;
files_type(exim_spool_t)

type exim_tmp_t;
files_tmp_file(exim_tmp_t)

type exim_var_run_t;
files_pid_file(exim_var_run_t)

########################################
#
# exim local policy
#

allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
allow exim_t self:udp_socket create_socket_perms;

can_exec(exim_t, exim_exec_t)

manage_files_pattern(exim_t, exim_log_t, exim_log_t)
logging_log_filetrans(exim_t, exim_log_t, { file dir })

manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })

manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })

manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })

kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
kernel_dontaudit_read_system_state(exim_t)

corecmd_search_bin(exim_t)

corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
corenet_tcp_sendrecv_generic_node(exim_t)
corenet_udp_sendrecv_generic_node(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
corenet_tcp_bind_generic_node(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
corenet_tcp_connect_auth_port(exim_t)
corenet_tcp_connect_smtp_port(exim_t)
corenet_tcp_connect_ldap_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
# connect to spamassassin
corenet_tcp_connect_spamd_port(exim_t)

dev_read_rand(exim_t)
dev_read_urand(exim_t)

# Init script handling
domain_use_interactive_fds(exim_t)

files_search_usr(exim_t)
files_search_var(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)

fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)

auth_use_nsswitch(exim_t)

logging_send_syslog_msg(exim_t)

miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)

userdom_dontaudit_search_user_home_dirs(exim_t)

mta_read_aliases(exim_t)
mta_read_config(exim_t)
mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)

tunable_policy(`exim_can_connect_db',`
	corenet_tcp_connect_mysqld_port(exim_t)
	corenet_sendrecv_mysqld_client_packets(exim_t)
	corenet_tcp_connect_postgresql_port(exim_t)
	corenet_sendrecv_postgresql_client_packets(exim_t)
')

tunable_policy(`exim_read_user_files',`
	userdom_read_user_home_content_files(exim_t)
	userdom_read_user_tmp_files(exim_t)
')

tunable_policy(`exim_manage_user_files',`
	userdom_manage_user_home_content_dirs(exim_t)
	userdom_read_user_tmp_files(exim_t)
	userdom_write_user_tmp_files(exim_t)
')

optional_policy(`
	clamav_domtrans_clamscan(exim_t)
	clamav_stream_connect(exim_t)
')

optional_policy(`
	cron_read_pipes(exim_t)
	cron_rw_system_job_pipes(exim_t)
')

optional_policy(`
	cyrus_stream_connect(exim_t)
')

optional_policy(`
	kerberos_keytab_template(exim, exim_t)
')

optional_policy(`
	mailman_read_data_files(exim_t)
	mailman_domtrans(exim_t)
')

optional_policy(`
	nagios_search_spool(exim_t)
')

optional_policy(`
	tunable_policy(`exim_can_connect_db',`
		mysql_stream_connect(exim_t)
	')
')

optional_policy(`
	tunable_policy(`exim_can_connect_db',`
		postgresql_stream_connect(exim_t)
	')
')

optional_policy(`
	procmail_domtrans(exim_t)
	procmail_read_home_files(exim_t)
')

optional_policy(`
	sasl_connect(exim_t)
')

optional_policy(`
	# https://bugzilla.redhat.com/show_bug.cgi?id=512710
	# uses sendmail for outgoing mail and exim
	# for incoming mail
	sendmail_manage_tmp_files(exim_t)
')

optional_policy(`
	spamassassin_exec(exim_t)
	spamassassin_exec_client(exim_t)
')
Bump module versions for release. 2010-05-24 19:32:01 +00:00			`policy_module(exim, 1.5.0)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`## <desc>`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-22 10:07:37 +00:00			`## <p>`
			`## Allow exim to connect to databases (postgres, mysql)`
			`## </p>`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`## </desc>`
			`gen_tunable(exim_can_connect_db, false)`

trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`## <desc>`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-22 10:07:37 +00:00			`## <p>`
			`## Allow exim to read unprivileged user files.`
			`## </p>`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`## </desc>`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`gen_tunable(exim_read_user_files, false)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`## <desc>`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-22 10:07:37 +00:00			`## <p>`
			`## Allow exim to create, read, write, and delete`
			`## unprivileged user files.`
			`## </p>`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`## </desc>`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`gen_tunable(exim_manage_user_files, false)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`type exim_t;`
			`type exim_exec_t;`
			`init_daemon_domain(exim_t, exim_exec_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`mta_mailserver(exim_t, exim_exec_t)`
			`mta_mailserver_user_agent(exim_t)`
			`application_executable_file(exim_exec_t)`
			`mta_agent_executable(exim_exec_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`type exim_initrc_exec_t;`
			`init_script_file(exim_initrc_exec_t)`

trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`type exim_log_t;`
			`logging_log_file(exim_log_t)`

			`type exim_spool_t;`
			`files_type(exim_spool_t)`

			`type exim_tmp_t;`
			`files_tmp_file(exim_tmp_t)`

			`type exim_var_run_t;`
			`files_pid_file(exim_var_run_t)`

			`########################################`
			`#`
			`# exim local policy`
			`#`

trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`allow exim_t self:process { setrlimit setpgid };`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`allow exim_t self:fifo_file rw_fifo_file_perms;`
			`allow exim_t self:unix_stream_socket create_stream_socket_perms;`
			`allow exim_t self:tcp_socket create_stream_socket_perms;`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`allow exim_t self:udp_socket create_socket_perms;`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`can_exec(exim_t, exim_exec_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`manage_files_pattern(exim_t, exim_log_t, exim_log_t)`
			`logging_log_filetrans(exim_t, exim_log_t, { file dir })`

			`manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)`
			`manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)`
			`manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)`
			`manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)`
			`files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })`

			`manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)`
			`manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)`
			`files_pid_filetrans(exim_t, exim_var_run_t, { file dir })`

			`kernel_read_kernel_sysctls(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`kernel_read_network_state(exim_t)`
trunk: Exim updates on Debian from Devin Carrawy. 2008-03-04 18:25:13 +00:00			`kernel_dontaudit_read_system_state(exim_t)`

trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`corecmd_search_bin(exim_t)`

			`corenet_all_recvfrom_unlabeled(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`corenet_all_recvfrom_netlabel(exim_t)`
trunk: change network interface access from all to generic network interfaces. 2009-01-06 20:24:10 +00:00			`corenet_tcp_sendrecv_generic_if(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`corenet_udp_sendrecv_generic_if(exim_t)`
trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00			`corenet_tcp_sendrecv_generic_node(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`corenet_udp_sendrecv_generic_node(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`corenet_tcp_sendrecv_all_ports(exim_t)`
trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00			`corenet_tcp_bind_generic_node(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`corenet_tcp_bind_smtp_port(exim_t)`
			`corenet_tcp_bind_amavisd_send_port(exim_t)`
			`corenet_tcp_connect_auth_port(exim_t)`
trunk: Exim updates on Debian from Devin Carrawy. 2008-03-04 18:25:13 +00:00			`corenet_tcp_connect_smtp_port(exim_t)`
			`corenet_tcp_connect_ldap_port(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`corenet_tcp_connect_inetd_child_port(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`# connect to spamassassin`
			`corenet_tcp_connect_spamd_port(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
trunk: Exim updates on Debian from Devin Carrawy. 2008-03-04 18:25:13 +00:00			`dev_read_rand(exim_t)`
			`dev_read_urand(exim_t)`

trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`# Init script handling`
			`domain_use_interactive_fds(exim_t)`

trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`files_search_usr(exim_t)`
			`files_search_var(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`files_read_etc_files(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`files_read_etc_runtime_files(exim_t)`
Exim patch from Dan Walsh. 2010-01-07 16:50:55 +00:00			`files_getattr_all_mountpoints(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00
			`fs_getattr_xattr_fs(exim_t)`
			`fs_list_inotifyfs(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`auth_use_nsswitch(exim_t)`

			`logging_send_syslog_msg(exim_t)`

			`miscfiles_read_localization(exim_t)`
Implement miscfiles_cert_type(). This is based on Fedoras' miscfiles_cert_type implementation. The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates. Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-09-09 16:14:48 +00:00			`miscfiles_read_generic_certs(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_dontaudit_search_user_home_dirs(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			`mta_read_aliases(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`mta_read_config(exim_t)`
			`mta_manage_spool(exim_t)`
			`mta_mailserver_delivery(exim_t)`

			tunable_policy(`exim_can_connect_db',`
			`corenet_tcp_connect_mysqld_port(exim_t)`
			`corenet_sendrecv_mysqld_client_packets(exim_t)`
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`corenet_tcp_connect_postgresql_port(exim_t)`
			`corenet_sendrecv_postgresql_client_packets(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`')`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
			tunable_policy(`exim_read_user_files',`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_read_user_home_content_files(exim_t)`
			`userdom_read_user_tmp_files(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`')`

			tunable_policy(`exim_manage_user_files',`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_manage_user_home_content_dirs(exim_t)`
			`userdom_read_user_tmp_files(exim_t)`
			`userdom_write_user_tmp_files(exim_t)`
trunk: add exim from dan. 2007-10-24 15:07:40 +00:00			`')`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00
			optional_policy(`
			`clamav_domtrans_clamscan(exim_t)`
			`clamav_stream_connect(exim_t)`
			`')`

			optional_policy(`
			`cron_read_pipes(exim_t)`
			`cron_rw_system_job_pipes(exim_t)`
			`')`

			optional_policy(`
			`cyrus_stream_connect(exim_t)`
			`')`

			optional_policy(`
			`kerberos_keytab_template(exim, exim_t)`
			`')`

			optional_policy(`
			`mailman_read_data_files(exim_t)`
			`mailman_domtrans(exim_t)`
			`')`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			optional_policy(`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-22 10:07:37 +00:00			`nagios_search_spool(exim_t)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`')`

trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			optional_policy(`
			tunable_policy(`exim_can_connect_db',`
			`mysql_stream_connect(exim_t)`
			`')`
			`')`

			optional_policy(`
			tunable_policy(`exim_can_connect_db',`
			`postgresql_stream_connect(exim_t)`
			`')`
			`')`

			optional_policy(`
			`procmail_domtrans(exim_t)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`procmail_read_home_files(exim_t)`
trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			`')`

			optional_policy(`
			`sasl_connect(exim_t)`
			`')`

Seems reasonable that exim may need to manage these files when /etc/alternatives/mta points to exim Patch from Dan Walsh 2010-03-03 15:08:44 +00:00			optional_policy(`
Add additional comments for e1e78df. 2010-03-04 14:10:18 +00:00			`# https://bugzilla.redhat.com/show_bug.cgi?id=512710`
			`# uses sendmail for outgoing mail and exim`
			`# for incoming mail`
Seems reasonable that exim may need to manage these files when /etc/alternatives/mta points to exim Patch from Dan Walsh 2010-03-03 15:08:44 +00:00			`sendmail_manage_tmp_files(exim_t)`
			`')`

trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00			optional_policy(`
			`spamassassin_exec(exim_t)`
			`spamassassin_exec_client(exim_t)`
			`')`