#
# Razor - Vipul's Razor is a distributed, collaborative, spam
# detection and filtering network.
#
# Author: David Hampton
#
# NOTE: This policy will work with either the ATrpms provided config
# file in /etc/razor, or with the default of dumping everything into
# $HOME/.razor.
#
# Layout of this file:
#   1. The system_r razor domain (razor_t) and its config, state and
#      log types.
#   2. The razor_access macro, which hands a subset of those
#      permissions to other domains that run the razor code themselves.
#   3. Conditional grants of razor_access to spamd_t and amavisd_t.

##########
# Razor query application - from system_r applications
##########

# Process domain and entrypoint executable type for razor.
# NOTE(review): privlog and daemon are attributes defined elsewhere in
# the policy; what they grant is not visible from this file.
type razor_t, domain, privlog, daemon;
type razor_exec_t, file_type, sysadmfile, exec_type;
role system_r types razor_t;

# Common razor rules; the macro body lives outside this file.
razor_base_domain(razor)

# Razor config file directory. When invoked as razor-admin, it can
# update files in this directory.
# NOTE(review): the create/write grant below is on razor_t as a whole.
# Nothing in this file separates razor-admin from the query clients, so
# any process in razor_t can presumably modify its own configuration -
# confirm against razor_base_domain before relying on config integrity.
etcdir_domain(razor)
create_dir_file(razor_t, razor_etc_t);

# Shared razor files updated frequently
var_lib_domain(razor)

# Log files
log_domain(razor)
allow razor_t var_log_t:dir search;
# logrotate gets r_file_perms on the razor logs, and only when the
# logrotate policy is part of the build.
ifdef(`logrotate.te', `
allow logrotate_t razor_log_t:file r_file_perms;
')

##########
##########

#
# Some spam filters execute the razor code directly. Allow them access here.
#
# razor_access(domain) grants the calling domain:
#   - r_dir_file on razor_etc_t, razor_var_lib_t and sysadm_razor_home_t
#   - search on the var_log_t directory and ra_file_perms on
#     razor_log_t files
#   - TCP client access to razor_port_t, including name_connect
#
# NOTE(review): sysadm_razor_home_t is not declared in this file. The
# grant lets each listed mail-filter domain read razor files kept in the
# sysadm home directory, so treat anything stored there (for example
# razor identity files, if present) as readable by those domains.
# NOTE(review): unlike razor_t, callers of this macro receive no
# create/write permission on razor_etc_t or razor_var_lib_t here.
define(`razor_access',`
r_dir_file($1, razor_etc_t)
allow $1 var_log_t:dir search;
allow $1 razor_log_t:file ra_file_perms;
r_dir_file($1, razor_var_lib_t)
r_dir_file($1, sysadm_razor_home_t)
can_network_client_tcp($1, razor_port_t)
allow $1 razor_port_t:tcp_socket name_connect;
')

# Grant the access above only to the filter domains whose policy files
# are included in this build.
ifdef(`spamd.te', `razor_access(spamd_t)');
ifdef(`amavis.te', `razor_access(amavisd_t)');