## A distributed, collaborative, spam detection and filtering network. ## ##

## A distributed, collaborative, spam detection and filtering network. ##

##

## This policy will work with either the ATrpms provided config ## file in /etc/razor, or with the default of dumping everything into ## $HOME/.razor. ##

##
####################################### ## ## Template to create types and rules common to ## all razor domains. ## ## ## ## The prefix of the domain (e.g., user ## is the prefix for user_t). ## ## # template(`razor_common_domain_template',` gen_require(` type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; ') allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_t self:fd use; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:unix_dgram_socket sendto; allow $1_t self:unix_stream_socket connectto; allow $1_t self:shm create_shm_perms; allow $1_t self:sem create_sem_perms; allow $1_t self:msgq create_msgq_perms; allow $1_t self:msg { send receive }; allow $1_t self:tcp_socket create_socket_perms; # Read system config file allow $1_t razor_etc_t:dir list_dir_perms; allow $1_t razor_etc_t:file read_file_perms; allow $1_t razor_etc_t:lnk_file { getattr read }; manage_dirs_pattern($1_t,razor_log_t,razor_log_t) manage_files_pattern($1_t,razor_log_t,razor_log_t) manage_lnk_files_pattern($1_t,razor_log_t,razor_log_t) logging_log_filetrans($1_t,razor_log_t,file) manage_dirs_pattern($1_t,razor_var_lib_t,razor_var_lib_t) manage_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t) manage_lnk_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t) files_search_var_lib($1_t) # Razor is one executable and several symlinks allow $1_t razor_exec_t:{ file lnk_file } { getattr read }; kernel_read_system_state($1_t) kernel_read_network_state($1_t) kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) kernel_read_kernel_sysctls($1_t) corecmd_exec_bin($1_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) corenet_tcp_sendrecv_generic_if($1_t) corenet_raw_sendrecv_generic_if($1_t) corenet_tcp_sendrecv_all_nodes($1_t) corenet_raw_sendrecv_all_nodes($1_t) corenet_tcp_sendrecv_razor_port($1_t) # mktemp and other randoms dev_read_rand($1_t) dev_read_urand($1_t) files_search_pids($1_t) # Allow access to various files in the /etc/directory including mtab # and nsswitch files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) fs_search_auto_mountpoints($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) libs_read_lib_files($1_t) miscfiles_read_localization($1_t) sysnet_read_config($1_t) sysnet_dns_name_resolve($1_t) userdom_use_unpriv_users_fds($1_t) optional_policy(` nis_use_ypbind($1_t) ') ') ####################################### ## ## The per role template for the razor module. ## ## ##

## The per role template for the razor module. ##

##

## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## The type of the user domain. ## ## ## ## ## The role associated with the user domain. ## ## # template(`razor_per_role_template',` gen_require(` type razor_exec_t; ') type $1_razor_t; domain_type($1_razor_t) domain_entry_file($1_razor_t,razor_exec_t) razor_common_domain_template($1_razor) role $3 types $1_razor_t; type $1_razor_home_t alias $1_razor_rw_t; files_poly_member($1_razor_home_t) userdom_user_home_content($1,$1_razor_home_t) type $1_razor_tmp_t; files_tmp_file($1_razor_tmp_t) ############################## # # Local policy # allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t) manage_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t) manage_lnk_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t) userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir) manage_dirs_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t) manage_files_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t) files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir }) domtrans_pattern($2, razor_exec_t, $1_razor_t) manage_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t) manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t) manage_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t) relabel_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t) relabel_files_pattern($2,$1_razor_home_t,$1_razor_home_t) relabel_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t) logging_send_syslog_msg($1_razor_t) userdom_search_user_home_dirs($1,$1_razor_t) # Allow razor to be run by hand. Needed by any action other than # invocation from a spam filter. userdom_use_user_terminals($1,$1_razor_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_razor_t) fs_manage_nfs_files($1_razor_t) fs_manage_nfs_symlinks($1_razor_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs($1_razor_t) fs_manage_cifs_files($1_razor_t) fs_manage_cifs_symlinks($1_razor_t) ') optional_policy(` nscd_socket_use($1_razor_t) ') ') ######################################## ## ## Execute razor in the system razor domain. ## ## ## ## Domain allowed access. ## ## # interface(`razor_domtrans',` gen_require(` type razor_t, razor_exec_t; ') domtrans_pattern($1, razor_exec_t, razor_t) ')