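## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>

########################################
## <summary>
##	The template to define a mailman domain.
## </summary>
## <desc>
##	<p>
##	This template creates a domain to be used for
##	a new mailman daemon.
##	</p>
##	<p>
##	Every domain created from this template shares the
##	mailman_data_t, mailman_lock_t and mailman_log_t types;
##	only the tmp type is private to the new domain.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	The type of daemon to be used eg, cgi would give mailman_cgi_
##	</summary>
## </param>
#
template(`mailman_domain_template', `
	type mailman_$1_t;
	domain_type(mailman_$1_t)
	role system_r types mailman_$1_t;

	type mailman_$1_exec_t;
	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)

	type mailman_$1_tmp_t;
	files_tmp_file(mailman_$1_tmp_t)

	allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
	allow mailman_$1_t self:udp_socket create_socket_perms;

	# Data, lock and log types are shared across all mailman domains
	# (mail, cgi, queue, ...), so a compromise of one instance reaches
	# the data and logs written by the others.
	allow mailman_$1_t mailman_data_t:dir create_dir_perms;
	allow mailman_$1_t mailman_data_t:file create_file_perms;
	allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;

	allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
	allow mailman_$1_t mailman_lock_t:file create_file_perms;
	files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)

	allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
	allow mailman_$1_t mailman_log_t:file create_file_perms;
	logging_log_filetrans(mailman_$1_t,mailman_log_t,file)

	# The tmp type is the only per-instance type; files and dirs created
	# in tmp directories get the private label.
	allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
	allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })

	kernel_read_kernel_sysctls(mailman_$1_t)
	kernel_read_system_state(mailman_$1_t)

	# Network access is broad: send/recv on all interfaces, nodes and
	# ports, plus bind on all nodes. Only the outbound SMTP connect is
	# port-specific; no port bind is granted here.
	corenet_non_ipsec_sendrecv(mailman_$1_t)
	corenet_tcp_sendrecv_all_if(mailman_$1_t)
	corenet_udp_sendrecv_all_if(mailman_$1_t)
	corenet_raw_sendrecv_all_if(mailman_$1_t)
	corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
	corenet_udp_sendrecv_all_nodes(mailman_$1_t)
	corenet_raw_sendrecv_all_nodes(mailman_$1_t)
	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
	corenet_udp_sendrecv_all_ports(mailman_$1_t)
	corenet_tcp_bind_all_nodes(mailman_$1_t)
	corenet_udp_bind_all_nodes(mailman_$1_t)
	corenet_tcp_connect_smtp_port(mailman_$1_t)
	corenet_sendrecv_smtp_client_packets(mailman_$1_t)

	fs_getattr_xattr_fs(mailman_$1_t)

	# Review note: this allows executing every executable type on the
	# system, not only bin/sbin. corecmd_exec_bin is the narrower
	# alternative if mailman does not need more than that.
	corecmd_exec_all_executables(mailman_$1_t)

	files_exec_etc_files(mailman_$1_t)
	files_list_usr(mailman_$1_t)
	files_list_var(mailman_$1_t)
	files_list_var_lib(mailman_$1_t)
	files_read_var_lib_symlinks(mailman_$1_t)
	files_read_etc_runtime_files(mailman_$1_t)

	libs_use_ld_so(mailman_$1_t)
	libs_use_shared_libs(mailman_$1_t)
	libs_exec_ld_so(mailman_$1_t)
	libs_exec_lib_files(mailman_$1_t)

	logging_send_syslog_msg(mailman_$1_t)

	miscfiles_read_localization(mailman_$1_t)

	sysnet_read_config(mailman_$1_t)

	optional_policy(`
		mount_send_nfs_client_request(mailman_$1_t)
	')

	optional_policy(`
		nis_use_ypbind(mailman_$1_t)
	')
')

########################################
## <summary>
##	Execute mailman in the mailman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_domtrans',`
	gen_require(`
		type mailman_mail_exec_t, mailman_mail_t;
	')

	domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)

	# File descriptors and pipes inherited across the transition are
	# usable in both directions; the new domain may only signal the
	# caller with sigchld.
	allow $1 mailman_mail_t:fd use;
	allow mailman_mail_t $1:fd use;
	allow mailman_mail_t $1:fifo_file rw_file_perms;
	allow mailman_mail_t $1:process sigchld;
')

########################################
## <summary>
##	Execute mailman CGI scripts in the
##	mailman CGI domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_domtrans_cgi',`
	gen_require(`
		type mailman_cgi_exec_t, mailman_cgi_t;
	')

	domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)

	# Same fd/pipe/sigchld pattern as mailman_domtrans.
	allow $1 mailman_cgi_t:fd use;
	allow mailman_cgi_t $1:fd use;
	allow mailman_cgi_t $1:fifo_file rw_file_perms;
	allow mailman_cgi_t $1:process sigchld;
')

########################################
## <summary>
##	Execute mailman in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_exec',`
	gen_require(`
		type mailman_mail_exec_t;
	')

	# No domain transition: the caller keeps its own label while
	# running the mailman binary.
	can_exec($1,mailman_mail_exec_t)
')

########################################
## <summary>
##	Send generic signals to the mailman cgi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_signal_cgi',`
	gen_require(`
		type mailman_cgi_t;
	')

	allow $1 mailman_cgi_t:process signal;
')

########################################
## <summary>
##	Allow domain to search data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_search_data',`
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir search_dir_perms;
')

########################################
## <summary>
##	Allow domain to read mailman data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_data_files',`
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir search_dir_perms;
	allow $1 mailman_data_t:file read_file_perms;
')

########################################
## <summary>
##	Allow domain to create mailman data files
##	and write the directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_manage_data_files',`
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir rw_dir_perms;
	allow $1 mailman_data_t:file manage_file_perms;
')

########################################
## <summary>
##	List the contents of mailman data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_list_data',`
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir r_dir_perms;
')

########################################
## <summary>
##	Allow read access to mailman data symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_data_symlinks',`
	gen_require(`
		type mailman_data_t;
	')

	# NOTE(review): deliberately narrower than the search_dir_perms and
	# lnk_file read sets used by the other interfaces (no getattr);
	# confirm that callers do not need it before widening.
	allow $1 mailman_data_t:dir search;
	allow $1 mailman_data_t:lnk_file read;
')

########################################
## <summary>
##	Create, read, write, and delete
##	mailman logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_manage_log',`
	gen_require(`
		type mailman_log_t;
	')

	# Callers get full write access to logs shared by every mailman
	# domain; log integrity depends on who is granted this interface.
	allow $1 mailman_log_t:dir rw_dir_perms;
	allow $1 mailman_log_t:file create_file_perms;
	allow $1 mailman_log_t:lnk_file create_lnk_perms;
')

########################################
## <summary>
##	Allow domain to read mailman archive files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_archive',`
	gen_require(`
		type mailman_archive_t;
	')

	allow $1 mailman_archive_t:dir list_dir_perms;
	allow $1 mailman_archive_t:file r_file_perms;
	allow $1 mailman_archive_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Execute mailman_queue in the mailman_queue domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_domtrans_queue',`
	gen_require(`
		type mailman_queue_exec_t, mailman_queue_t;
	')

	domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)

	# Same fd/pipe/sigchld pattern as mailman_domtrans.
	allow $1 mailman_queue_t:fd use;
	allow mailman_queue_t $1:fd use;
	allow mailman_queue_t $1:fifo_file rw_file_perms;
	allow mailman_queue_t $1:process sigchld;
')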