#DESC Qmail - Mail server
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: qmail-src qmail
# Depends: inetd.te mta.te
#


# Type for files created during execution of qmail.
type qmail_var_run_t, file_type, sysadmfile, pidfile;

type qmail_etc_t, file_type, sysadmfile;
typealias qmail_etc_t alias etc_qmail_t;

allow inetd_t smtp_port_t:tcp_socket name_bind;

type qmail_exec_t, file_type, sysadmfile, exec_type;
type qmail_spool_t, file_type, sysadmfile;
type var_qmail_t, file_type, sysadmfile;

define(`qmaild_sub_domain', `
daemon_sub_domain($1, $2, `$3')
allow $2_t qmail_etc_t:dir { getattr search };
allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
allow $2_t { var_t var_spool_t }:dir search;
allow $2_t console_device_t:chr_file rw_file_perms;
allow $2_t fs_t:filesystem getattr;
')

#################################
#
# Rules for the qmail_$1_t domain.
#
# qmail_$1_exec_t is the type of the qmail_$1 executables.
#
define(`qmail_daemon_domain', `
qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
allow qmail_$1_t qmail_start_t:fifo_file { read write };
')dnl


daemon_base_domain(qmail_start)

allow qmail_start_t self:capability { setgid setuid };
allow qmail_start_t { bin_t sbin_t }:dir search;
allow qmail_start_t qmail_etc_t:dir search;
allow qmail_start_t qmail_etc_t:file { getattr read };
can_exec(qmail_start_t, qmail_start_exec_t)
allow qmail_start_t self:fifo_file { getattr read write };

qmail_daemon_domain(lspawn, `, mta_delivery_agent')
allow qmail_lspawn_t self:fifo_file { read write };
allow qmail_lspawn_t self:capability { setuid setgid };
allow qmail_lspawn_t self:process { fork signal_perms };
allow qmail_lspawn_t sbin_t:dir search;
can_exec(qmail_lspawn_t, qmail_exec_t)
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
allow qmail_lspawn_t qmail_spool_t:dir search;
allow qmail_lspawn_t qmail_spool_t:file { read getattr };
allow qmail_lspawn_t etc_t:file { getattr read };
allow qmail_lspawn_t tmp_t:dir getattr;
dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };

qmail_daemon_domain(send, `, mail_server_sender')
rw_dir_create_file(qmail_send_t, qmail_spool_t)
allow qmail_send_t qmail_spool_t:fifo_file read;
allow qmail_send_t self:process { fork signal_perms };
allow qmail_send_t self:fifo_file write;
domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
allow qmail_send_t sbin_t:dir search;

qmail_daemon_domain(splogger)
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
allow qmail_splogger_t etc_t:lnk_file read;
dontaudit qmail_splogger_t initrc_t:fd use;
read_locale(qmail_splogger_t)

qmail_daemon_domain(rspawn)
allow qmail_rspawn_t qmail_spool_t:dir search;
allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
allow qmail_rspawn_t self:process { fork signal_perms };
allow qmail_rspawn_t self:fifo_file read;
allow qmail_rspawn_t { bin_t sbin_t }:dir search;

qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
allow qmail_rspawn_t qmail_remote_exec_t:file read;
can_network_server(qmail_remote_t)
can_ypbind(qmail_remote_t)
allow qmail_remote_t qmail_spool_t:dir search;
allow qmail_remote_t qmail_spool_t:file rw_file_perms;
allow qmail_remote_t self:tcp_socket create_socket_perms;
allow qmail_remote_t self:udp_socket create_socket_perms;

qmail_daemon_domain(clean)
allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
allow qmail_clean_t qmail_spool_t:file { unlink read getattr };

# privhome will do until we get a separate maildir type
qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
allow qmail_lspawn_t qmail_local_exec_t:file read;
allow qmail_local_t self:process { fork signal_perms };
domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
allow qmail_local_t qmail_queue_exec_t:file read;
allow qmail_local_t qmail_spool_t:file { ioctl read };
allow qmail_local_t self:fifo_file write;
allow qmail_local_t sbin_t:dir search;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
allow qmail_local_t etc_t:file { getattr read };

# for piping mail to a command
can_exec(qmail_local_t, shell_exec_t)
allow qmail_local_t bin_t:dir search;
allow qmail_local_t bin_t:lnk_file read;
allow qmail_local_t devtty_t:chr_file rw_file_perms;
allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };

ifdef(`tcpd.te', `
qmaild_sub_domain(tcpd_t, qmail_tcp_env)
# bug
can_exec(tcpd_t, tcpd_exec_t)
', `
qmaild_sub_domain(inetd_t, qmail_tcp_env)
')
allow qmail_tcp_env_t inetd_t:fd use;
allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
allow qmail_tcp_env_t inetd_t:process sigchld;
allow qmail_tcp_env_t sbin_t:dir search;
can_network_server(qmail_tcp_env_t)
can_ypbind(qmail_tcp_env_t)

qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
can_network_server(qmail_smtpd_t)
can_ypbind(qmail_smtpd_t)
allow qmail_smtpd_t inetd_t:fd use;
allow qmail_smtpd_t inetd_t:tcp_socket { read write };
allow qmail_smtpd_t inetd_t:process sigchld;
allow qmail_smtpd_t self:process { fork signal_perms };
allow qmail_smtpd_t self:fifo_file write;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
allow qmail_smtpd_t sbin_t:dir search;
domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
allow qmail_smtpd_t qmail_queue_exec_t:file read;

qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
allow qmail_inject_t self:process { fork signal_perms };
allow qmail_inject_t self:fifo_file write;
allow qmail_inject_t sbin_t:dir search;
role sysadm_r types qmail_inject_t;
in_user_role(qmail_inject_t)

qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
in_user_role(qmail_qread_t)
role sysadm_r types qmail_qread_t;
r_dir_file(qmail_qread_t, qmail_spool_t)
allow qmail_qread_t self:capability dac_override;
allow qmail_qread_t privfd:fd use;

qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
role sysadm_r types qmail_queue_t;
in_user_role(qmail_queue_t)
allow qmail_inject_t qmail_queue_exec_t:file read;
rw_dir_create_file(qmail_queue_t, qmail_spool_t)
allow qmail_queue_t qmail_spool_t:fifo_file { read write };
allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write;
allow qmail_queue_t qmail_start_t:fifo_file { read write };
allow qmail_queue_t privfd:fd use;
allow qmail_queue_t crond_t:fifo_file { read write };
allow qmail_queue_t inetd_t:fd use;
allow qmail_queue_t inetd_t:tcp_socket { read write };
allow qmail_queue_t sysadm_t:fd use;
allow qmail_queue_t sysadm_t:fifo_file write;

allow user_crond_t qmail_etc_t:dir search;
allow user_crond_t qmail_etc_t:file read;

qmaild_sub_domain(user_crond_t, qmail_serialmail)
in_user_role(qmail_serialmail_t)
can_network_server(qmail_serialmail_t)
can_ypbind(qmail_serialmail_t)
can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
allow qmail_serialmail_t self:process { fork signal_perms };
allow qmail_serialmail_t proc_t:file { getattr read };
allow qmail_serialmail_t etc_runtime_t:file { getattr read };
allow qmail_serialmail_t home_root_t:dir search;
allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
rw_dir_create_file(qmail_serialmail_t, user_home_type)
allow qmail_serialmail_t self:fifo_file { read write };
allow qmail_serialmail_t self:udp_socket create_socket_perms;
allow qmail_serialmail_t self:tcp_socket create_socket_perms;
allow qmail_serialmail_t privfd:fd use;
allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
allow qmail_serialmail_t devtty_t:chr_file { read write };

# for tcpclient
can_exec(qmail_serialmail_t, bin_t)
allow qmail_serialmail_t bin_t:dir search;