add qmail
This commit is contained in:
Chris PeBenito
parent
baec64317d
commit
65e131f0c7
|
|
@ -40,6 +40,7 @@
|
|||
games
|
||||
mozilla
|
||||
mplayer
|
||||
qmail (Petre Rodan)
|
||||
rhgb
|
||||
thunderbird
|
||||
tor (Erich Schubert)
|
||||
|
|
|
|||
|
|
@ -164,6 +164,7 @@ ifdef(`distro_gentoo',`
|
|||
|
||||
ifdef(`distro_gentoo', `
|
||||
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
|
|
@ -221,6 +222,10 @@ ifdef(`distro_suse', `
|
|||
|
||||
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(corecommands,1.3.6)
|
||||
policy_module(corecommands,1.3.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
|
||||
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
||||
ifdef(`distro_redhat',`
|
||||
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
|
|
@ -14,8 +14,10 @@ ifdef(`distro_redhat',`
|
|||
|
||||
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
|
||||
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
||||
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
||||
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
||||
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
|
||||
#ifdef(`postfix.te', `', `
|
||||
|
|
|
|||
|
|
@ -111,6 +111,10 @@ template(`mta_base_mail_template',`
|
|||
procmail_exec($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
qmail_domtrans_inject($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type etc_mail_t, mail_spool_t, mqueue_spool_t;
|
||||
|
|
@ -138,12 +142,6 @@ template(`mta_base_mail_template',`
|
|||
sendmail_create_log($1_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`qmail.te', `
|
||||
allow $1_mail_t qmail_etc_t:dir search;
|
||||
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(mta,1.3.0)
|
||||
policy_module(mta,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -161,6 +161,10 @@ optional_policy(`
|
|||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
qmail_domtrans_inject(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,47 @@
|
|||
|
||||
/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
|
||||
/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
|
||||
|
||||
/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
|
||||
/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
|
||||
/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
|
||||
/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
|
||||
/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
|
||||
/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
|
||||
/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
|
||||
/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
|
||||
/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
|
||||
/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
|
||||
/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
|
||||
/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
|
||||
/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
||||
|
||||
/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
||||
|
||||
/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
||||
|
||||
/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
||||
|
||||
#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
|
||||
|
||||
/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
|
||||
/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
|
||||
/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
|
||||
/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
|
||||
/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
|
||||
/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
|
||||
/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
|
||||
/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
|
||||
/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
|
||||
/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
|
||||
/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
|
||||
/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
|
||||
|
||||
/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
||||
|
||||
/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
||||
')
|
||||
|
||||
|
|
@ -0,0 +1,209 @@
|
|||
## <summary>Qmail Mail Server</summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for qmail
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`qmail_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute qmail_user_domains;
|
||||
')
|
||||
|
||||
role $3 types qmail_user_domains;
|
||||
|
||||
qmail_domtrans_inject($2)
|
||||
|
||||
allow qmail_user_domains $2:process sigchld;
|
||||
allow qmail_user_domains $2:fifo_file { write getattr };
|
||||
allow qmail_user_domains $2:fd use;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Template for qmail parent/sub-domain pairs
|
||||
## </summary>
|
||||
## <param name="child_prefix">
|
||||
## <summary>
|
||||
## The prefix of the child domain
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="parent_domain">
|
||||
## <summary>
|
||||
## The name of the parent domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`qmail_child_domain_template',`
|
||||
type $1_t;
|
||||
domain_type($1_t)
|
||||
type $1_exec_t;
|
||||
domain_entry_file($1_t,$1_exec_t)
|
||||
domain_auto_trans($2, $1_exec_t, $1_t)
|
||||
role system_r types $1_t;
|
||||
|
||||
allow $1_t self:process signal_perms;
|
||||
|
||||
allow $1_t $2:fd use;
|
||||
allow $1_t $2:fifo_file rw_file_perms;
|
||||
allow $1_t $2:process sigchld;
|
||||
|
||||
allow $1_t qmail_etc_t:dir { getattr read search };
|
||||
allow $1_t qmail_etc_t:file { getattr read };
|
||||
allow $1_t qmail_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow $1_t qmail_start_t:fd use;
|
||||
|
||||
kernel_list_proc($2)
|
||||
kernel_read_proc_symlinks($2)
|
||||
|
||||
corecmd_search_bin($1_t)
|
||||
|
||||
files_search_var($1_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_t)
|
||||
|
||||
libs_use_ld_so($1_t)
|
||||
libs_use_shared_libs($1_t)
|
||||
|
||||
miscfiles_read_localization($1_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to qmail_inject_t
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`qmail_domtrans_inject',`
|
||||
gen_require(`
|
||||
type qmail_inject_t;
|
||||
type qmail_inject_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
|
||||
allow qmail_inject_t $1:fd use;
|
||||
allow qmail_inject_t $1:fifo_file { read write };
|
||||
allow qmail_inject_t $1:process sigchld;
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
',`
|
||||
files_search_var($1)
|
||||
corecmd_search_bin($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to qmail_queue_t
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`qmail_domtrans_queue',`
|
||||
gen_require(`
|
||||
type qmail_queue_t;
|
||||
type qmail_queue_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
|
||||
|
||||
allow qmail_queue_t $1:fd use;
|
||||
allow qmail_queue_t $1:fifo_file { read write };
|
||||
allow qmail_queue_t $1:process sigchld;
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
',`
|
||||
files_search_var($1)
|
||||
corecmd_search_bin($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read qmail configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`qmail_read_config',`
|
||||
gen_require(`
|
||||
type qmail_etc_t;
|
||||
')
|
||||
|
||||
allow $1 qmail_etc_t:dir { getattr read search };
|
||||
allow $1 qmail_etc_t:file { getattr read };
|
||||
allow $1 qmail_etc_t:lnk_file { getattr read };
|
||||
files_search_var($1)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# handle /etc/qmail
|
||||
files_search_etc($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Define the specified domain as a qmail-smtp service.
|
||||
## Needed by antivirus/antispam filters.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entrypoint">
|
||||
## <summary>
|
||||
## The type associated with the process program.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`qmail_smtpd_service_domain',`
|
||||
gen_require(`
|
||||
type qmail_smtpd_t;
|
||||
')
|
||||
|
||||
domain_auto_trans(qmail_smtpd_t, $2, $1)
|
||||
|
||||
allow $1 qmail_smtpd_t:fd use;
|
||||
allow $1 qmail_smtpd_t:fifo_file { read write };
|
||||
allow $1 qmail_smtpd_t:process sigchld;
|
||||
')
|
||||
|
|
@ -0,0 +1,313 @@
|
|||
|
||||
policy_module(qmail,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute qmail_user_domains;
|
||||
|
||||
type qmail_alias_home_t;
|
||||
files_type(qmail_alias_home_t)
|
||||
|
||||
qmail_child_domain_template(qmail_clean, qmail_start_t)
|
||||
|
||||
type qmail_etc_t;
|
||||
files_type(qmail_etc_t)
|
||||
|
||||
type qmail_exec_t;
|
||||
files_type(qmail_exec_t)
|
||||
|
||||
type qmail_inject_t, qmail_user_domains;
|
||||
type qmail_inject_exec_t;
|
||||
domain_type(qmail_inject_t)
|
||||
domain_entry_file(qmail_inject_t,qmail_inject_exec_t)
|
||||
mta_mailserver_user_agent(qmail_inject_t)
|
||||
role system_r types qmail_inject_t;
|
||||
|
||||
qmail_child_domain_template(qmail_local, qmail_lspawn_t)
|
||||
mta_mailserver_delivery(qmail_local_t)
|
||||
|
||||
qmail_child_domain_template(qmail_lspawn, qmail_start_t)
|
||||
mta_mailserver_delivery(qmail_lspawn_t)
|
||||
|
||||
qmail_child_domain_template(qmail_queue, qmail_inject_t)
|
||||
typeattribute qmail_queue_t qmail_user_domains;
|
||||
mta_mailserver_user_agent(qmail_queue_t)
|
||||
|
||||
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
|
||||
mta_mailserver_sender(qmail_remote_t)
|
||||
|
||||
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
|
||||
|
||||
qmail_child_domain_template(qmail_send, qmail_start_t)
|
||||
|
||||
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
|
||||
|
||||
qmail_child_domain_template(qmail_splogger, qmail_start_t)
|
||||
|
||||
type qmail_spool_t;
|
||||
files_type(qmail_spool_t)
|
||||
|
||||
type qmail_start_t;
|
||||
type qmail_start_exec_t;
|
||||
init_daemon_domain(qmail_start_t,qmail_start_exec_t)
|
||||
|
||||
type qmail_tcp_env_t;
|
||||
type qmail_tcp_env_exec_t;
|
||||
domain_type(qmail_tcp_env_t)
|
||||
domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-clean local policy
|
||||
# this component cleans up the queue directory
|
||||
#
|
||||
|
||||
allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
|
||||
allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-inject local policy
|
||||
# this component preprocesses mail from stdin and invokes qmail-queue
|
||||
#
|
||||
|
||||
allow qmail_inject_t self:fifo_file write;
|
||||
allow qmail_inject_t self:process signal_perms;
|
||||
|
||||
allow qmail_inject_t qmail_queue_exec_t:file read;
|
||||
|
||||
corecmd_search_bin(qmail_inject_t)
|
||||
corecmd_search_sbin(qmail_inject_t)
|
||||
|
||||
files_search_var(qmail_inject_t)
|
||||
|
||||
libs_use_ld_so(qmail_inject_t)
|
||||
libs_use_shared_libs(qmail_inject_t)
|
||||
|
||||
qmail_read_config(qmail_inject_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-local local policy
|
||||
# this component delivers a mail message
|
||||
#
|
||||
|
||||
allow qmail_local_t self:fifo_file write;
|
||||
allow qmail_local_t self:process signal_perms;
|
||||
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
|
||||
allow qmail_local_t qmail_alias_home_t:file create_file_perms;
|
||||
|
||||
allow qmail_local_t qmail_queue_exec_t:file read;
|
||||
|
||||
allow qmail_local_t qmail_spool_t:file r_file_perms;
|
||||
|
||||
kernel_read_system_state(qmail_local_t)
|
||||
|
||||
corecmd_exec_shell(qmail_local_t)
|
||||
corecmd_search_sbin(qmail_local_t)
|
||||
|
||||
files_read_etc_files(qmail_local_t)
|
||||
files_read_etc_runtime_files(qmail_local_t)
|
||||
|
||||
mta_append_spool(qmail_local_t)
|
||||
|
||||
qmail_domtrans_queue(qmail_local_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-lspawn local policy
|
||||
# this component schedules local deliveries
|
||||
#
|
||||
|
||||
allow qmail_lspawn_t self:capability { setuid setgid };
|
||||
allow qmail_lspawn_t self:process signal_perms;
|
||||
allow qmail_lspawn_t self:fifo_file { read write };
|
||||
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
can_exec(qmail_lspawn_t, qmail_exec_t)
|
||||
|
||||
allow qmail_lspawn_t qmail_local_exec_t:file read;
|
||||
|
||||
allow qmail_lspawn_t qmail_spool_t:dir search;
|
||||
allow qmail_lspawn_t qmail_spool_t:file { read getattr };
|
||||
|
||||
corecmd_search_sbin(qmail_lspawn_t)
|
||||
|
||||
files_read_etc_files(qmail_lspawn_t)
|
||||
files_search_pids(qmail_lspawn_t)
|
||||
files_search_tmp(qmail_lspawn_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-queue local policy
|
||||
# this component places a mail in a delivery queue, later to be processed by qmail-send
|
||||
#
|
||||
|
||||
allow qmail_queue_t qmail_lspawn_t:fd use;
|
||||
allow qmail_queue_t qmail_lspawn_t:fifo_file write;
|
||||
|
||||
allow qmail_queue_t qmail_smtpd_t:fd use;
|
||||
allow qmail_queue_t qmail_smtpd_t:fifo_file read;
|
||||
allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
||||
|
||||
allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
|
||||
allow qmail_queue_t qmail_spool_t:fifo_file { read write };
|
||||
allow qmail_queue_t qmail_spool_t:file create_file_perms;
|
||||
|
||||
optional_policy(`
|
||||
daemontools_ipc_domain(qmail_queue_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-remote local policy
|
||||
# this component sends mail via SMTP
|
||||
#
|
||||
|
||||
allow qmail_remote_t self:tcp_socket create_socket_perms;
|
||||
allow qmail_remote_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow qmail_remote_t qmail_spool_t:dir search;
|
||||
allow qmail_remote_t qmail_spool_t:file rw_file_perms;
|
||||
|
||||
corenet_non_ipsec_sendrecv(qmail_remote_t)
|
||||
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
|
||||
corenet_udp_sendrecv_generic_if(qmail_remote_t)
|
||||
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
|
||||
corenet_udp_sendrecv_generic_node(qmail_remote_t)
|
||||
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
|
||||
corenet_udp_sendrecv_dns_port(qmail_remote_t)
|
||||
corenet_tcp_connect_smtp_port(qmail_remote_t)
|
||||
|
||||
dev_read_rand(qmail_remote_t)
|
||||
dev_read_urand(qmail_remote_t)
|
||||
|
||||
sysnet_read_config(qmail_remote_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-rspawn local policy
|
||||
# this component scedules remote deliveries
|
||||
#
|
||||
|
||||
allow qmail_rspawn_t self:process signal_perms;
|
||||
allow qmail_rspawn_t self:fifo_file read;
|
||||
|
||||
allow qmail_rspawn_t qmail_remote_exec_t:file read;
|
||||
|
||||
allow qmail_rspawn_t qmail_spool_t:dir search;
|
||||
allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
|
||||
|
||||
corecmd_search_bin(qmail_rspawn_t)
|
||||
corecmd_search_sbin(qmail_rspawn_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-send local policy
|
||||
# this component delivers mail messages from the queue
|
||||
#
|
||||
|
||||
allow qmail_send_t self:process signal_perms;
|
||||
allow qmail_send_t self:fifo_file write;
|
||||
|
||||
allow qmail_send_t qmail_spool_t:dir create_dir_perms;
|
||||
allow qmail_send_t qmail_spool_t:file create_file_perms;
|
||||
allow qmail_send_t qmail_spool_t:fifo_file read;
|
||||
|
||||
qmail_domtrans_queue(qmail_send_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_ipc_domain(qmail_send_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-smtpd local policy
|
||||
# this component receives mails via SMTP
|
||||
#
|
||||
|
||||
allow qmail_smtpd_t self:process signal_perms;
|
||||
allow qmail_smtpd_t self:fifo_file write;
|
||||
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow qmail_smtpd_t qmail_queue_exec_t:file read;
|
||||
|
||||
dev_read_rand(qmail_smtpd_t)
|
||||
dev_read_urand(qmail_smtpd_t)
|
||||
|
||||
qmail_domtrans_queue(qmail_smtpd_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_ipc_domain(qmail_smtpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# splogger local policy
|
||||
# this component creates entries in syslog
|
||||
#
|
||||
|
||||
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
files_read_etc_files(qmail_splogger_t)
|
||||
|
||||
init_dontaudit_use_script_fds(qmail_splogger_t)
|
||||
|
||||
miscfiles_read_localization(qmail_splogger_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-start local policy
|
||||
# this component starts up the mail delivery component
|
||||
#
|
||||
|
||||
allow qmail_start_t self:capability { setgid setuid };
|
||||
dontaudit qmail_start_t self:capability sys_tty_config;
|
||||
allow qmail_start_t self:fifo_file { getattr read write };
|
||||
allow qmail_start_t self:process signal_perms;
|
||||
|
||||
can_exec(qmail_start_t, qmail_start_exec_t)
|
||||
|
||||
corecmd_search_bin(qmail_start_t)
|
||||
corecmd_search_sbin(qmail_start_t)
|
||||
|
||||
files_search_var(qmail_start_t)
|
||||
|
||||
libs_use_ld_so(qmail_start_t)
|
||||
libs_use_shared_libs(qmail_start_t)
|
||||
|
||||
qmail_read_config(qmail_start_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
|
||||
daemontools_ipc_domain(qmail_start_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# tcp-env local policy
|
||||
# this component sets up TCP-related environment variables
|
||||
#
|
||||
|
||||
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
|
||||
|
||||
corecmd_search_sbin(qmail_tcp_env_t)
|
||||
|
||||
sysnet_read_config(qmail_tcp_env_t)
|
||||
|
||||
optional_policy(`
|
||||
inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
||||
')
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ucspitcp,1.0.0)
|
||||
policy_module(ucspitcp,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -56,6 +56,7 @@ allow ucspitcp_t self:capability { net_bind_service setgid setuid };
|
|||
allow ucspitcp_t self:fifo_file { read write };
|
||||
allow ucspitcp_t self:process { fork sigchld };
|
||||
allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ucspitcp_t self:udp_socket create_socket_perms;
|
||||
|
||||
corecmd_search_bin(ucspitcp_t)
|
||||
corecmd_search_sbin(ucspitcp_t)
|
||||
|
|
@ -68,6 +69,7 @@ corenet_tcp_sendrecv_all_ports(ucspitcp_t)
|
|||
corenet_udp_sendrecv_all_ports(ucspitcp_t)
|
||||
corenet_non_ipsec_sendrecv(ucspitcp_t)
|
||||
corenet_tcp_bind_all_nodes(ucspitcp_t)
|
||||
corenet_udp_bind_all_nodes(ucspitcp_t)
|
||||
corenet_tcp_bind_ftp_port(ucspitcp_t)
|
||||
corenet_tcp_bind_ftp_data_port(ucspitcp_t)
|
||||
corenet_tcp_bind_http_port(ucspitcp_t)
|
||||
|
|
|
|||
|
|
@ -36,6 +36,10 @@
|
|||
/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
|
||||
/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
|
||||
|
||||
/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
|
||||
/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
|
||||
/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
|
||||
|
||||
/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
|
||||
/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
|
||||
/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(daemontools,1.0.0)
|
||||
policy_module(daemontools,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -90,6 +90,10 @@ libs_use_shared_libs(svc_run_t)
|
|||
daemontools_domtrans_multilog(svc_run_t)
|
||||
daemontools_read_svc(svc_run_t)
|
||||
|
||||
optional_policy(`
|
||||
qmail_read_config(svc_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# local policy for service monitoring programs
|
||||
|
|
|
|||
Loading…
Reference in New Issue