#DESC Exim - Mail server
#
# Author: David Hampton
# From postfix.te by Russell Coker
# Depends: mta.te
#
# Both macros in this file take a domain prefix as argument 1 and expand
# to type enforcement rules for the <prefix>_t domain. Comments inside
# the define bodies must not contain single quotes or backticks, since
# those would terminate the m4 quoting of the macro body.
#

##########
# Permissions common to the exim daemon, and exim invoked by a user to
# send a file
##########
define(`exim_common',`
# Networking - All instances need to talk to other mail hosts and
# amavisd
# NOTE(review): can_network_tcp grants TCP access without a port
# restriction; the commented-out can_network_client_tcp lines below are
# the port-restricted form and would be the least-privilege target if
# that macro is available in this policy base -- confirm before switching.
can_network_tcp($1_t);
allow $1_t smtp_port_t:tcp_socket name_connect;
# The amavisd-specific port rules are currently disabled, so any amavisd
# traffic is covered only by the unrestricted rule above.
## can_network_client_tcp($1_t, smtp_port_t);
## ifdef(`amavis.te', `
## can_network_client_tcp($1_t, amavisd_recv_port_t);
## allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };
## ')
# DNS lookups for routing and host verification.
can_resolve($1_t);

# Exim forks children to do its work.
general_domain_access($1_t)

# Certs and SSL
# Read-only access to certificates and to both random devices (TLS key
# material and session randomness).
r_dir_file($1_t, cert_t)
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# Process, locale and configuration reading; etc_t is read-only here.
general_proc_read_access($1_t)
read_locale($1_t)
allow $1_t etc_t:file { getattr read };
allow $1_t sbin_t:dir search;
allow $1_t tmp_t:dir getattr;
allow $1_t self:fifo_file { read write };
# Exim re-executes itself; the domain stays the same (no transition).
can_exec($1_t, exim_exec_t)
# dac_override lets the domain bypass DAC permission checks on any file it
# is otherwise allowed to reach under this policy, so it widens the impact
# of a compromised exim process; chown/fowner/setuid/setgid are presumably
# needed to deliver mail as the recipient user -- confirm each is required.
allow $1_t self:capability { chown fowner dac_override setgid setuid };
allow $1_t self:process setrlimit;

# Have to walk through /var/xxx to get to /var/xxx/exim
allow $1_t var_log_t:dir search;
allow $1_t var_spool_t:dir search;

# Exim creates a spool file per message
create_dir_file($1_t, exim_spool_t);

# It also creates a log file per message
create_dir_file($1_t, exim_log_t);

# The database is modified by every message
allow $1_t exim_spool_db_t:dir search;
allow $1_t exim_spool_db_t:file rw_file_perms;

# Checking the existence of mailman lists
allow $1_t mailman_data_t:file getattr;

# Trying to read mtab
# Denied, but without generating an AVC message, since the access is not
# needed for correct operation.
dontaudit $1_t etc_runtime_t:file { getattr read };
')

########################################
# exim_user_domain(user): defines a per-user domain exim_<user>_t that a
# <user>_t process enters when it executes exim_exec_t (a user sending a
# message from the command line). The domain gets the full exim_common
# rule set plus read access to the tmp files and terminal of the invoking
# user.
########################################
define(`exim_user_domain',`
# Declares exim_<user>_t with the listed attributes: mta_delivery_agent,
# mail_server_domain, mail_server_sender, nscd_client_domain, privlog.
application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');
in_user_role(exim_$1_t)
# Automatic transition: <user>_t executing exim_exec_t enters exim_<user>_t.
domain_auto_trans($1_t, exim_exec_t, exim_$1_t)
exim_common(exim_$1)
# NOTE(review): in_user_role above may already authorize this type for the
# user roles; the explicit role statement is kept as written -- check
# whether it is redundant.
role $1_r types exim_$1_t;
# Read-only access to the tmp files of the invoking user (presumably a
# message body staged there); write access is deliberately not granted.
allow exim_$1_t $1_tmp_t:file { getattr read };
# Read/write on the pty of the invoking user, for interactive output.
allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;
# Allows use of file descriptors inherited from sshd when exim is started
# inside an ssh session. NOTE(review): if the inherited descriptors are
# not actually needed, a dontaudit rule would be the tighter alternative.
allow exim_$1_t sshd_t:fd use;
')