policy_module(mta,1.0) ######################################## # # Declarations # attribute mta_user_agent; attribute mailserver_delivery; attribute mailserver_domain; attribute mailserver_sender; type etc_aliases_t; files_type(etc_aliases_t) type etc_mail_t; files_type(etc_mail_t) type mqueue_spool_t; files_type(mqueue_spool_t) type mail_spool_t; files_type(mail_spool_t) type sendmail_exec_t; files_type(sendmail_exec_t) type system_mail_t; domain_type(system_mail_t) role system_r types system_mail_t; ifdef(`targeted_policy',`',` optional_policy(`sendmail.te',` domain_entry_file(system_mail_t,sendmail_exec_t) ',` init_system_domain(system_mail_t,sendmail_exec_t) ') ') ######################################## # # System mail local policy # allow system_mail_t self:capability { setuid setgid chown }; allow system_mail_t self:process { signal_perms setrlimit }; allow system_mail_t self:tcp_socket create_socket_perms; # re-exec itself can_exec(system_mail_t, sendmail_exec_t) allow system_mail_t sendmail_exec_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) corenet_tcp_sendrecv_all_if(system_mail_t) corenet_raw_sendrecv_all_if(system_mail_t) corenet_tcp_sendrecv_all_nodes(system_mail_t) corenet_raw_sendrecv_all_nodes(system_mail_t) corenet_tcp_bind_all_nodes(system_mail_t) corenet_tcp_sendrecv_all_ports(system_mail_t) dev_read_urand(system_mail_t) fs_getattr_xattr_fs(system_mail_t) init_use_script_pty(system_mail_t) files_read_etc_files(system_mail_t) files_read_etc_runtime_files(system_mail_t) files_search_spool(system_mail_t) # It wants to check for nscd files_dontaudit_search_pids(system_mail_t) corecmd_exec_bin(system_mail_t) corecmd_search_sbin(system_mail_t) libs_use_ld_so(system_mail_t) libs_use_shared_libs(system_mail_t) logging_send_syslog_msg(system_mail_t) miscfiles_read_localization(system_mail_t) sysnet_read_config(system_mail_t) userdom_use_sysadm_terms(system_mail_t) ifdef(`targeted_policy',` allow system_mail_t etc_mail_t:file r_file_perms; allow system_mail_t mail_spool_t:dir create_dir_perms; allow system_mail_t mail_spool_t:file create_file_perms; allow system_mail_t mail_spool_t:lnk_file create_lnk_perms; allow system_mail_t mail_spool_t:fifo_file rw_file_perms; allow system_mail_t mqueue_spool_t:dir create_dir_perms; allow system_mail_t mqueue_spool_t:file create_file_perms; allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms; optional_policy(`postfix.te',`',` corecmd_exec_bin(system_mail_t) corecmd_exec_sbin(system_mail_t) domain_exec_all_entry_files(system_mail_t) files_exec_etc_files(system_mail_t) libs_use_ld_so(system_mail_t) libs_use_shared_libs(system_mail_t) libs_exec_ld_so(system_mail_t) libs_exec_lib_files(system_mail_t) ') ') tunable_policy(`use_dns',` allow system_mail_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_all_if(system_mail_t) corenet_udp_sendrecv_all_nodes(system_mail_t) corenet_udp_bind_all_nodes(system_mail_t) corenet_udp_sendrecv_dns_port(system_mail_t) ') optional_policy(`cron.te',` cron_read_system_job_tmp_files(system_mail_t) ') optional_policy(`logrotate.te',` logrotate_read_tmp_files(system_mail_t) ') optional_policy(`nis.te',` nis_use_ypbind(system_mail_t) ') optional_policy(`nscd.te',` nscd_use_socket(system_mail_t) ') optional_policy(`procmail.te',` procmail_exec(system_mail_t) ') optional_policy(`sendmail.te',` allow system_mail_t etc_mail_t:dir { getattr search }; # sendmail -q allow system_mail_t mqueue_spool_t:dir rw_dir_perms; allow system_mail_t mqueue_spool_t:file create_file_perms; ') ifdef(`TODO',` optional_policy(`sendmail.te',` allow system_mail_t { var_t var_spool_t }:dir getattr; dontaudit system_mail_t userpty_type:chr_file { getattr read write }; optional_policy(`crond.te', ` dontaudit system_mail_t system_crond_tmp_t:file append; ') ') ifdef(`targeted_policy',` allow system_mail_t { var_t var_spool_t }:dir getattr; ',` # allow the sysadmin to do "mail someone < /home/user/whatever" allow sysadm_mail_t user_home_dir_type:dir search; r_dir_file(sysadm_mail_t, user_home_type) ') allow system_mail_t privmail:fd use; allow system_mail_t privmail:process sigchld; allow system_mail_t privmail:fifo_file { read write }; optional_policy(`arpwatch.te',` allow system_mail_t arpwatch_tmp_t:file rw_file_perms; ifdef(`hide_broken_symptoms', ` dontaudit system_mail_t arpwatch_t:packet_socket { read write }; ') ') optional_policy(`qmail.te',` allow system_mail_t qmail_etc_t:dir search; allow system_mail_t qmail_etc_t:{ file lnk_file } read; ') ') dnl end TODO