policy_module(procmail,1.1.2) ######################################## # # Declarations # type procmail_t; type procmail_exec_t; domain_type(procmail_t) domain_entry_file(procmail_t,procmail_exec_t) role system_r types procmail_t; ######################################## # # Local policy # allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; allow procmail_t self:process { setsched fork sigchld signal }; allow procmail_t self:fifo_file rw_file_perms; allow procmail_t self:unix_stream_socket create_socket_perms; allow procmail_t self:unix_dgram_socket create_socket_perms; allow procmail_t self:tcp_socket create_stream_socket_perms; allow procmail_t self:udp_socket create_socket_perms; kernel_read_system_state(procmail_t) kernel_read_kernel_sysctls(procmail_t) corenet_tcp_sendrecv_all_if(procmail_t) corenet_raw_sendrecv_all_if(procmail_t) corenet_udp_sendrecv_all_if(procmail_t) corenet_tcp_sendrecv_all_nodes(procmail_t) corenet_udp_sendrecv_all_nodes(procmail_t) corenet_raw_sendrecv_all_nodes(procmail_t) corenet_tcp_sendrecv_all_ports(procmail_t) corenet_udp_sendrecv_all_ports(procmail_t) corenet_non_ipsec_sendrecv(procmail_t) corenet_tcp_bind_all_nodes(procmail_t) corenet_udp_bind_all_nodes(procmail_t) corenet_tcp_connect_spamd_port(procmail_t) dev_read_urand(procmail_t) fs_getattr_xattr_fs(procmail_t) auth_use_nsswitch(procmail_t) corecmd_exec_bin(procmail_t) corecmd_exec_shell(procmail_t) corecmd_dontaudit_search_sbin(procmail_t) files_read_etc_files(procmail_t) files_read_etc_runtime_files(procmail_t) files_search_pids(procmail_t) # for spamassasin files_read_usr_files(procmail_t) libs_use_ld_so(procmail_t) libs_use_shared_libs(procmail_t) miscfiles_read_localization(procmail_t) # only works until we define a different type for maildir userdom_priveleged_home_dir_manager(procmail_t) # Do not audit attempts to access /root. userdom_dontaudit_search_sysadm_home_dir(procmail_t) userdom_dontaudit_search_staff_home_dir(procmail_t) mta_manage_spool(procmail_t) ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) ') ifdef(`targeted_policy', ` corenet_udp_bind_generic_port(procmail_t) files_getattr_tmp_dirs(procmail_t) ') optional_policy(`logging',` logging_send_syslog_msg(procmail_t) ') optional_policy(`nscd',` nscd_use_socket(procmail_t) ') optional_policy(`postfix',` # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_socket(procmail_t) postfix_dontaudit_use_fd(procmail_t) ') optional_policy(`sendmail',` mta_read_config(procmail_t) sendmail_rw_tcp_socket(procmail_t) ') optional_policy(`spamassassin',` corenet_udp_bind_generic_port(procmail_t) corenet_tcp_connect_spamd_port(procmail_t) files_getattr_tmp_dirs(procmail_t) spamassassin_exec(procmail_t) spamassassin_exec_client(procmail_t) ')