policy_module(spamassassin,1.2.3) ######################################## # # Declarations # # spamassassin client executable type spamc_exec_t; files_type(spamc_exec_t) type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t,spamd_exec_t) type spamd_tmp_t; files_tmp_file(spamd_tmp_t) type spamd_var_run_t; files_pid_file(spamd_var_run_t) type spamassassin_exec_t; files_type(spamassassin_exec_t) ######################################## # # Spamassassin daemon local policy # # Spamassassin, when run as root and using per-user config files, # setuids to the user running spamc. Comment this if you are not # using this ability. allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; allow spamd_t self:fifo_file rw_file_perms; allow spamd_t self:sock_file r_file_perms; allow spamd_t self:shm create_shm_perms; allow spamd_t self:sem create_sem_perms; allow spamd_t self:msgq create_msgq_perms; allow spamd_t self:msg { send receive }; allow spamd_t self:unix_dgram_socket create_socket_perms; allow spamd_t self:unix_stream_socket create_stream_socket_perms; allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; allow spamd_t spamd_tmp_t:dir create_dir_perms; allow spamd_t spamd_tmp_t:file create_file_perms; files_filetrans_tmp(spamd_t, spamd_tmp_t, { file dir }) allow spamd_t spamd_var_run_t:file create_file_perms; allow spamd_t spamd_var_run_t:dir rw_dir_perms; files_filetrans_pid(spamd_t,spamd_var_run_t) kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) kernel_tcp_recvfrom(spamd_t) corenet_tcp_sendrecv_all_if(spamd_t) corenet_udp_sendrecv_all_if(spamd_t) corenet_raw_sendrecv_all_if(spamd_t) corenet_tcp_sendrecv_all_nodes(spamd_t) corenet_udp_sendrecv_all_nodes(spamd_t) corenet_raw_sendrecv_all_nodes(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_non_ipsec_sendrecv(spamd_t) corenet_tcp_bind_all_nodes(spamd_t) corenet_udp_bind_all_nodes(spamd_t) corenet_tcp_bind_spamd_port(spamd_t) # spamassassin 3.1 needs this for its # DnsResolver.pm module which binds to # random ports >= 1024. corenet_udp_bind_generic_port(spamd_t) corenet_udp_bind_imaze_port(spamd_t) corenet_tcp_connect_razor_port(spamd_t) dev_read_sysfs(spamd_t) dev_read_urand(spamd_t) fs_getattr_all_fs(spamd_t) fs_search_auto_mountpoints(spamd_t) term_dontaudit_use_console(spamd_t) auth_dontaudit_read_shadow(spamd_t) corecmd_exec_bin(spamd_t) corecmd_search_sbin(spamd_t) domain_use_wide_inherit_fd(spamd_t) files_read_usr_files(spamd_t) files_read_etc_files(spamd_t) files_read_etc_runtime_files(spamd_t) init_use_fd(spamd_t) init_use_script_ptys(spamd_t) init_dontaudit_rw_utmp(spamd_t) libs_use_ld_so(spamd_t) libs_use_shared_libs(spamd_t) # Various Perl bits libs_use_lib_files(spamd_t) logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) sysnet_read_config(spamd_t) sysnet_use_ldap(spamd_t) userdom_use_unpriv_users_fd(spamd_t) userdom_search_unpriv_user_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dir(spamd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(spamd_t) term_dontaudit_use_generic_ptys(spamd_t) files_dontaudit_read_root_files(spamd_t) tunable_policy(`spamd_enable_home_dirs',` userdom_manage_generic_user_home_dirs(spamd_t) userdom_manage_generic_user_home_files(spamd_t) userdom_manage_generic_user_home_symlinks(spamd_t) ') ') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(spamd_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(spamd_t) ') optional_policy(`cron',` cron_system_entry(spamd_t,spamd_exec_t) ') optional_policy(`daemontools',` daemontools_service_domain(spamd_t,spamd_exec_t) ') optional_policy(`nis',` nis_use_ypbind(spamd_t) ') optional_policy(`selinuxutil',` seutil_sigchld_newrole(spamd_t) ') optional_policy(`sendmail',` sendmail_stub(spamd_t) mta_read_config(spamd_t) ') optional_policy(`udev',` udev_read_db(spamd_t) ') ifdef(`TODO',` optional_policy(`amavis', ` # for bayes tokens allow spamd_t var_lib_t:dir { getattr search }; allow spamd_t amavisd_lib_t:dir rw_dir_perms; allow spamd_t amavisd_lib_t:file create_file_perms; allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms; ') ') dnl end TODO