diff --git a/targeted/domains/program/procmail.te b/targeted/domains/program/procmail.te
new file mode 100644
index 00000000..2c77b46e
--- /dev/null
+++ b/targeted/domains/program/procmail.te
@@ -0,0 +1,91 @@
+#DESC Procmail - Mail delivery agent for mail servers
+#
+# Author: Russell Coker
+# X-Debian-Packages: procmail
+#
+
+#################################
+#
+# Rules for the procmail_t domain.
+#
+# procmail_exec_t is the type of the procmail executable.
+#
+# privhome only works until we define a different type for maildir
+type procmail_t, domain, privlog, privhome, nscd_client_domain;
+type procmail_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types procmail_t;
+
+uses_shlib(procmail_t)
+allow procmail_t device_t:dir search;
+can_network_server(procmail_t)
+nsswitch_domain(procmail_t)
+
+allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+
+allow procmail_t etc_t:dir r_dir_perms;
+allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
+allow procmail_t etc_t:lnk_file read;
+read_locale(procmail_t)
+read_sysctl(procmail_t)
+
+allow procmail_t sysctl_t:dir search;
+
+allow procmail_t self:process { setsched fork sigchld signal };
+dontaudit procmail_t sbin_t:dir { getattr search };
+can_exec(procmail_t, { bin_t shell_exec_t })
+allow procmail_t bin_t:dir { getattr search };
+allow procmail_t bin_t:lnk_file read;
+allow procmail_t self:fifo_file rw_file_perms;
+
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+
+# for /var/mail
+rw_dir_create_file(procmail_t, mail_spool_t)
+
+allow procmail_t var_t:dir { getattr search };
+allow procmail_t var_spool_t:dir r_dir_perms;
+
+allow procmail_t fs_t:filesystem getattr;
+allow procmail_t { self proc_t }:dir search;
+allow procmail_t proc_t:file { getattr read };
+allow procmail_t { self proc_t }:lnk_file read;
+
+# for if /var/mail is a symlink to /var/spool/mail
+#allow procmail_t mail_spool_t:lnk_file r_file_perms;
+
+# for spamassasin
+allow procmail_t usr_t:file { getattr ioctl read };
+ifdef(`spamassassin.te', `
+can_exec(procmail_t, spamassassin_exec_t)
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+ifdef(`spamc.te', `
+can_exec(procmail_t, spamc_exec_t)
+')
+
+ifdef(`targeted_policy', `
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+
+# Search /var/run.
+allow procmail_t var_run_t:dir { getattr search };
+
+# Do not audit attempts to access /root.
+dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
+
+allow procmail_t devtty_t:chr_file { read write };
+
+allow procmail_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`sendmail.te', `
+r_dir_file(procmail_t, etc_mail_t)
+allow procmail_t sendmail_t:tcp_socket { read write };
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit procmail_t mqueue_spool_t:file { getattr read write };
+')
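Review bot: The `targeted_policy` block grants `allow procmail_t port_t:udp_socket name_bind;` and `allow procmail_t tmp_t:dir getattr;` with no comment, repeating verbatim the two rules already in the `spamassassin.te` block, so under the targeted policy procmail_t may bind any UDP port labelled `port_t` whether or not spamassassin is in use. Since `can_exec(procmail_t, { bin_t shell_exec_t })` presumably runs recipe commands without a domain transition, that permission, like `dac_override` and `setuid`, would extend to whatever a recipe starts. I would state the reason above the block, e.g. `# targeted policy: spamassassin has no domain of its own and runs as procmail_t (confirm)`, and drop the grant if nothing needs it. The comment `# for spamassasin` is also misspelled and sits over a `usr_t:file` rule that is outside the `ifdef`, which makes the scope of that rule unclear.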