policy_module(spamassassin, 2.2.0) ######################################## # # Declarations # ## ## ## Allow user spamassassin clients to use the network. ## ## gen_tunable(spamassassin_can_network, false) ## ## ## Allow spamd to read/write user home directories. ## ## gen_tunable(spamd_enable_home_dirs, true) type spamassassin_t; type spamassassin_exec_t; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; application_domain(spamassassin_t, spamassassin_exec_t) ubac_constrained(spamassassin_t) type spamassassin_home_t; typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; userdom_user_home_content(spamassassin_home_t) files_poly_member(spamassassin_home_t) type spamassassin_tmp_t; typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; files_tmp_file(spamassassin_tmp_t) ubac_constrained(spamassassin_tmp_t) type spamc_t; type spamc_exec_t; typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; application_domain(spamc_t, spamc_exec_t) ubac_constrained(spamc_t) type spamc_tmp_t; typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; files_tmp_file(spamc_tmp_t) ubac_constrained(spamc_tmp_t) type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) type spamd_spool_t; files_type(spamd_spool_t) type spamd_tmp_t; files_tmp_file(spamd_tmp_t) # var/lib files type spamd_var_lib_t; files_type(spamd_var_lib_t) type spamd_var_run_t; files_pid_file(spamd_var_run_t) ############################## # # Standalone program local policy # allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamassassin_t self:fd use; allow spamassassin_t self:fifo_file rw_fifo_file_perms; allow spamassassin_t self:sock_file read_sock_file_perms; allow spamassassin_t self:unix_dgram_socket create_socket_perms; allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; allow spamassassin_t self:unix_dgram_socket sendto; allow spamassassin_t self:unix_stream_socket connectto; allow spamassassin_t self:shm create_shm_perms; allow spamassassin_t self:sem create_sem_perms; allow spamassassin_t self:msgq create_msgq_perms; allow spamassassin_t self:msg { send receive }; manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) # this should probably be removed corecmd_list_bin(spamassassin_t) corecmd_read_bin_symlinks(spamassassin_t) corecmd_read_bin_files(spamassassin_t) corecmd_read_bin_pipes(spamassassin_t) corecmd_read_bin_sockets(spamassassin_t) domain_use_interactive_fds(spamassassin_t) files_read_etc_files(spamassassin_t) files_read_etc_runtime_files(spamassassin_t) files_list_home(spamassassin_t) files_read_usr_files(spamassassin_t) files_dontaudit_search_var(spamassassin_t) logging_send_syslog_msg(spamassassin_t) miscfiles_read_localization(spamassassin_t) # cjp: this could probably be removed seutil_read_config(spamassassin_t) sysnet_dns_name_resolve(spamassassin_t) # set tunable if you have spamassassin do DNS lookups tunable_policy(`spamassassin_can_network',` allow spamassassin_t self:tcp_socket create_stream_socket_perms; allow spamassassin_t self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled(spamassassin_t) corenet_all_recvfrom_netlabel(spamassassin_t) corenet_tcp_sendrecv_generic_if(spamassassin_t) corenet_udp_sendrecv_generic_if(spamassassin_t) corenet_tcp_sendrecv_generic_node(spamassassin_t) corenet_udp_sendrecv_generic_node(spamassassin_t) corenet_tcp_sendrecv_all_ports(spamassassin_t) corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) sysnet_read_config(spamassassin_t) ') tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_dirs(spamd_t) userdom_manage_user_home_content_files(spamd_t) userdom_manage_user_home_content_symlinks(spamd_t) ') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(spamassassin_t) fs_manage_nfs_files(spamassassin_t) fs_manage_nfs_symlinks(spamassassin_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(spamassassin_t) fs_manage_cifs_files(spamassassin_t) fs_manage_cifs_symlinks(spamassassin_t) ') optional_policy(` # Write pid file and socket in ~/.evolution/cache/tmp evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) ') optional_policy(` tunable_policy(`spamassassin_can_network && allow_ypbind',` nis_use_ypbind_uncond(spamassassin_t) ') ') optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) ') ######################################## # # Client local policy # allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamc_t self:fd use; allow spamc_t self:fifo_file rw_fifo_file_perms; allow spamc_t self:sock_file read_sock_file_perms; allow spamc_t self:shm create_shm_perms; allow spamc_t self:sem create_sem_perms; allow spamc_t self:msgq create_msgq_perms; allow spamc_t self:msg { send receive }; allow spamc_t self:unix_dgram_socket create_socket_perms; allow spamc_t self:unix_stream_socket create_stream_socket_perms; allow spamc_t self:unix_dgram_socket sendto; allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; kernel_read_kernel_sysctls(spamc_t) corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) corenet_tcp_sendrecv_generic_if(spamc_t) corenet_udp_sendrecv_generic_if(spamc_t) corenet_tcp_sendrecv_generic_node(spamc_t) corenet_udp_sendrecv_generic_node(spamc_t) corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) fs_search_auto_mountpoints(spamc_t) # cjp: these should probably be removed: corecmd_list_bin(spamc_t) corecmd_read_bin_symlinks(spamc_t) corecmd_read_bin_files(spamc_t) corecmd_read_bin_pipes(spamc_t) corecmd_read_bin_sockets(spamc_t) domain_use_interactive_fds(spamc_t) files_read_etc_files(spamc_t) files_read_etc_runtime_files(spamc_t) files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) logging_send_syslog_msg(spamc_t) miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: seutil_read_config(spamc_t) sysnet_read_config(spamc_t) optional_policy(` # Allow connection to spamd socket above evolution_stream_connect(spamc_t) ') optional_policy(` # Needed for pyzor/razor called from spamd milter_manage_spamass_state(spamc_t) ') optional_policy(` nis_use_ypbind(spamc_t) ') optional_policy(` nscd_socket_use(spamc_t) ') optional_policy(` mta_read_config(spamc_t) sendmail_stub(spamc_t) ') ######################################## # # Server local policy # # Spamassassin, when run as root and using per-user config files, # setuids to the user running spamc. Comment this if you are not # using this ability. allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; allow spamd_t self:fifo_file rw_fifo_file_perms; allow spamd_t self:sock_file read_sock_file_perms; allow spamd_t self:shm create_shm_perms; allow spamd_t self:sem create_sem_perms; allow spamd_t self:msgq create_msgq_perms; allow spamd_t self:msg { send receive }; allow spamd_t self:unix_dgram_socket create_socket_perms; allow spamd_t self:unix_stream_socket create_stream_socket_perms; allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; allow spamd_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) corenet_all_recvfrom_unlabeled(spamd_t) corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) corenet_tcp_sendrecv_generic_node(spamd_t) corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) corenet_tcp_bind_spamd_port(spamd_t) corenet_tcp_connect_razor_port(spamd_t) corenet_tcp_connect_smtp_port(spamd_t) corenet_sendrecv_razor_client_packets(spamd_t) corenet_sendrecv_spamd_server_packets(spamd_t) # spamassassin 3.1 needs this for its # DnsResolver.pm module which binds to # random ports >= 1024. corenet_udp_bind_generic_node(spamd_t) corenet_udp_bind_generic_port(spamd_t) corenet_udp_bind_imaze_port(spamd_t) corenet_dontaudit_udp_bind_all_ports(spamd_t) corenet_sendrecv_imaze_server_packets(spamd_t) corenet_sendrecv_generic_server_packets(spamd_t) dev_read_sysfs(spamd_t) dev_read_urand(spamd_t) fs_getattr_all_fs(spamd_t) fs_search_auto_mountpoints(spamd_t) auth_dontaudit_read_shadow(spamd_t) corecmd_exec_bin(spamd_t) domain_use_interactive_fds(spamd_t) files_read_usr_files(spamd_t) files_read_etc_files(spamd_t) files_read_etc_runtime_files(spamd_t) # /var/lib/spamassin files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) sysnet_read_config(spamd_t) sysnet_use_ldap(spamd_t) sysnet_dns_name_resolve(spamd_t) userdom_use_unpriv_users_fds(spamd_t) userdom_search_user_home_dirs(spamd_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(spamd_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(spamd_t) ') optional_policy(` amavis_manage_lib_files(spamd_t) ') optional_policy(` cron_system_entry(spamd_t, spamd_exec_t) ') optional_policy(` daemontools_service_domain(spamd_t, spamd_exec_t) ') optional_policy(` dcc_domtrans_client(spamd_t) dcc_stream_connect_dccifd(spamd_t) ') optional_policy(` milter_manage_spamass_state(spamd_t) ') optional_policy(` mysql_search_db(spamd_t) mysql_stream_connect(spamd_t) ') optional_policy(` nis_use_ypbind(spamd_t) ') optional_policy(` postfix_read_config(spamd_t) ') optional_policy(` postgresql_stream_connect(spamd_t) ') optional_policy(` pyzor_domtrans(spamd_t) pyzor_signal(spamd_t) ') optional_policy(` razor_domtrans(spamd_t) ') optional_policy(` seutil_sigchld_newrole(spamd_t) ') optional_policy(` sendmail_stub(spamd_t) mta_read_config(spamd_t) ') optional_policy(` udev_read_db(spamd_t) ')
## Allow user spamassassin clients to use the network. ##
## Allow spamd to read/write user home directories. ##