policy_module(amavis,1.0.0) ######################################## # # Declarations # type amavis_t; type amavis_exec_t; domain_type(amavis_t) init_daemon_domain(amavis_t, amavis_exec_t) # configuration files type amavis_etc_t; files_type(amavis_etc_t) # pid files type amavis_var_run_t; files_pid_file(amavis_var_run_t) # var/lib files type amavis_var_lib_t; files_type(amavis_var_lib_t) # log files type amavis_var_log_t; logging_log_file(amavis_var_log_t) # tmp files type amavis_tmp_t; files_tmp_file(amavis_tmp_t) # virus quarantine type amavis_quarantine_t; files_type(amavis_quarantine_t) ######################################## # # amavis local policy # allow amavis_t self:capability { chown dac_override setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process { signal sigchld signull }; allow amavis_t self:fifo_file rw_file_perms; allow amavis_t self:unix_stream_socket create_stream_socket_perms; allow amavis_t self:unix_dgram_socket create_socket_perms; allow amavis_t self:tcp_socket { listen accept }; # configuration files allow amavis_t amavis_etc_t:dir r_dir_perms; allow amavis_t amavis_etc_t:file r_file_perms; allow amavis_t amavis_etc_t:lnk_file { getattr read }; # mail quarantine allow amavis_t amavis_quarantine_t:file create_file_perms; allow amavis_t amavis_quarantine_t:sock_file create_file_perms; allow amavis_t amavis_quarantine_t:dir create_dir_perms; # tmp files allow amavis_t amavis_tmp_t:file create_file_perms; allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr }; files_tmp_filetrans(amavis_t,amavis_tmp_t,file) # var/lib files for amavis allow amavis_t amavis_var_lib_t:file create_file_perms; allow amavis_t amavis_var_lib_t:sock_file create_file_perms; allow amavis_t amavis_var_lib_t:dir create_dir_perms; files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file }) files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file) # log files allow amavis_t amavis_var_log_t:file create_file_perms; allow amavis_t amavis_var_log_t:sock_file create_file_perms; allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr }; logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir }) # pid file allow amavis_t amavis_var_run_t:file manage_file_perms; allow amavis_t amavis_var_run_t:sock_file manage_file_perms; allow amavis_t amavis_var_run_t:dir rw_dir_perms; files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file }) # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... kernel_dontaudit_list_proc(amavis_t) # find perl corecmd_exec_bin(amavis_t) corecmd_search_sbin(amavis_t) corenet_non_ipsec_sendrecv(amavis_t) corenet_tcp_sendrecv_all_if(amavis_t) corenet_tcp_sendrecv_all_nodes(amavis_t) # amavis uses well-defined ports corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) corenet_tcp_sendrecv_amavisd_send_port(amavis_t) # just the other side not. ;-) corenet_tcp_sendrecv_all_ports(amavis_t) # connect to backchannel port corenet_tcp_connect_amavisd_send_port(amavis_t) # bind to incoming port corenet_tcp_bind_amavisd_recv_port(amavis_t) dev_read_rand(amavis_t) dev_read_urand(amavis_t) domain_use_interactive_fds(amavis_t) files_read_etc_files(amavis_t) files_read_etc_runtime_files(amavis_t) files_read_usr_files(amavis_t) auth_dontaudit_read_shadow(amavis_t) init_use_fds(amavis_t) init_use_script_ptys(amavis_t) libs_use_ld_so(amavis_t) libs_use_shared_libs(amavis_t) logging_send_syslog_msg(amavis_t) miscfiles_read_localization(amavis_t) sysnet_dns_name_resolve(amavis_t) userdom_dontaudit_search_sysadm_home_dirs(amavis_t) # Cron handling cron_use_fds(amavis_t) cron_use_system_job_fds(amavis_t) cron_rw_pipes(amavis_t) mta_read_config(amavis_t) optional_policy(`clamav',` clamav_stream_connect(amavis_t) ') optional_policy(`ldap',` ldap_use(amavis_t) ') optional_policy(`spamassassin',` spamassassin_exec(amavis_t) spamassassin_exec_client(amavis_t) ')