diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 16ec2003..5193fc36 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,4 @@
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
@@ -9,11 +9,15 @@ ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
@@ -22,7 +26,3 @@ ifdef(`distro_redhat',`
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
-#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-#')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 6641292d..9b9dd2db 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -93,6 +93,12 @@ template(`mta_base_mail_template',`
miscfiles_read_localization($1_mail_t)
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
@@ -130,6 +136,9 @@ template(`mta_base_mail_template',`
sendmail_create_log($1_mail_t)
')
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
+ ')
')
########################################
@@ -307,6 +316,7 @@ interface(`mta_mailserver_delivery',`
optional_policy(`
dovecot_manage_spool($1)
+ dovecot_domtrans_deliver($1)
')
optional_policy(`
@@ -444,6 +454,25 @@ interface(`mta_read_config',`
read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
')
+########################################
+##
+## write mail server configuration.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mta_write_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
########################################
##
## Read mail address aliases.
@@ -591,8 +620,8 @@ interface(`mta_getattr_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:lnk_file read;
- allow $1 mail_spool_t:file getattr;
+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
########################################
@@ -612,7 +641,7 @@ interface(`mta_dontaudit_getattr_spool_files',`
')
files_dontaudit_search_spool($1)
- dontaudit $1 mail_spool_t:dir search;
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
dontaudit $1 mail_spool_t:lnk_file read;
dontaudit $1 mail_spool_t:file getattr;
')
@@ -806,6 +835,7 @@ interface(`mta_manage_queue',`
')
files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 5c33cd6e..992fd4a1 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta, 2.1.2)
+policy_module(mta, 2.1.3)
########################################
#
@@ -47,20 +47,27 @@ ubac_constrained(user_mail_tmp_t)
#
# newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
allow system_mail_t mta_exec_type:file entrypoint;
-allow system_mail_t mailcontent_type:file read_file_perms;
+can_exec(system_mail_t, mta_exec_type)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
@@ -85,15 +92,35 @@ optional_policy(`
')
')
+optional_policy(`
+ clamav_stream_connect(system_mail_t)
+ clamav_append_log(system_mail_t)
+')
+
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
')
+optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
+')
+
optional_policy(`
cvs_read_data(system_mail_t)
')
+optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(system_mail_t)
+')
+
optional_policy(`
logrotate_read_tmp_files(system_mail_t)
')
@@ -132,10 +159,6 @@ optional_policy(`
# compatability for old default main.cf
postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
')
-
- optional_policy(`
- cron_rw_tcp_sockets(system_mail_t)
- ')
')
optional_policy(`