185 lines
4.7 KiB
Plaintext
185 lines
4.7 KiB
Plaintext
|
|
policy_module(amavis,1.0.10)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type amavis_t;
|
|
type amavis_exec_t;
|
|
domain_type(amavis_t)
|
|
init_daemon_domain(amavis_t, amavis_exec_t)
|
|
|
|
# configuration files
|
|
type amavis_etc_t;
|
|
files_type(amavis_etc_t)
|
|
|
|
# pid files
|
|
type amavis_var_run_t;
|
|
files_pid_file(amavis_var_run_t)
|
|
|
|
# var/lib files
|
|
type amavis_var_lib_t;
|
|
files_type(amavis_var_lib_t)
|
|
|
|
# log files
|
|
type amavis_var_log_t;
|
|
logging_log_file(amavis_var_log_t)
|
|
|
|
# tmp files
|
|
type amavis_tmp_t;
|
|
files_tmp_file(amavis_tmp_t)
|
|
|
|
# virus quarantine
|
|
type amavis_quarantine_t;
|
|
files_type(amavis_quarantine_t)
|
|
|
|
type amavis_spool_t;
|
|
files_type(amavis_spool_t)
|
|
|
|
########################################
|
|
#
|
|
# amavis local policy
|
|
#
|
|
|
|
allow amavis_t self:capability { kill chown dac_override setgid setuid };
|
|
dontaudit amavis_t self:capability sys_tty_config;
|
|
allow amavis_t self:process { signal sigchld signull };
|
|
allow amavis_t self:fifo_file rw_file_perms;
|
|
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow amavis_t self:unix_dgram_socket create_socket_perms;
|
|
allow amavis_t self:tcp_socket { listen accept };
|
|
|
|
# configuration files
|
|
allow amavis_t amavis_etc_t:dir r_dir_perms;
|
|
allow amavis_t amavis_etc_t:file r_file_perms;
|
|
allow amavis_t amavis_etc_t:lnk_file { getattr read };
|
|
|
|
# mail quarantine
|
|
allow amavis_t amavis_quarantine_t:file create_file_perms;
|
|
allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
|
|
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
|
|
|
|
# Spool Files
|
|
files_search_spool(amavis_t)
|
|
allow amavis_t amavis_spool_t:dir manage_dir_perms;
|
|
allow amavis_t amavis_spool_t:file manage_file_perms;
|
|
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
|
|
type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
|
|
|
|
# tmp files
|
|
allow amavis_t amavis_tmp_t:file create_file_perms;
|
|
allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
|
|
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
|
|
|
|
# var/lib files for amavis
|
|
allow amavis_t amavis_var_lib_t:file create_file_perms;
|
|
allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
|
|
allow amavis_t amavis_var_lib_t:dir create_dir_perms;
|
|
|
|
# log files
|
|
allow amavis_t amavis_var_log_t:file create_file_perms;
|
|
allow amavis_t amavis_var_log_t:sock_file create_file_perms;
|
|
allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
|
|
logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })
|
|
|
|
# pid file
|
|
allow amavis_t amavis_var_run_t:file manage_file_perms;
|
|
allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
|
|
allow amavis_t amavis_var_run_t:dir rw_dir_perms;
|
|
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
|
|
|
|
kernel_read_kernel_sysctls(amavis_t)
|
|
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
|
|
kernel_dontaudit_list_proc(amavis_t)
|
|
kernel_dontaudit_read_proc_symlinks(amavis_t)
|
|
kernel_dontaudit_read_system_state(amavis_t)
|
|
|
|
# find perl
|
|
corecmd_exec_bin(amavis_t)
|
|
corecmd_search_sbin(amavis_t)
|
|
|
|
corenet_non_ipsec_sendrecv(amavis_t)
|
|
corenet_tcp_sendrecv_all_if(amavis_t)
|
|
corenet_tcp_sendrecv_all_nodes(amavis_t)
|
|
corenet_tcp_bind_all_nodes(amavis_t)
|
|
corenet_udp_bind_all_nodes(amavis_t)
|
|
# amavis uses well-defined ports
|
|
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
|
|
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
|
|
# just the other side not. ;-)
|
|
corenet_tcp_sendrecv_all_ports(amavis_t)
|
|
# connect to backchannel port
|
|
corenet_tcp_connect_amavisd_send_port(amavis_t)
|
|
# bind to incoming port
|
|
corenet_tcp_bind_amavisd_recv_port(amavis_t)
|
|
corenet_udp_bind_generic_port(amavis_t)
|
|
corenet_tcp_connect_razor_port(amavis_t)
|
|
|
|
dev_read_rand(amavis_t)
|
|
dev_read_urand(amavis_t)
|
|
|
|
domain_use_interactive_fds(amavis_t)
|
|
|
|
files_read_etc_files(amavis_t)
|
|
files_read_etc_runtime_files(amavis_t)
|
|
files_read_usr_files(amavis_t)
|
|
|
|
auth_dontaudit_read_shadow(amavis_t)
|
|
|
|
init_use_fds(amavis_t)
|
|
init_use_script_ptys(amavis_t)
|
|
init_stream_connect_script(amavis_t)
|
|
|
|
libs_use_ld_so(amavis_t)
|
|
libs_use_shared_libs(amavis_t)
|
|
|
|
logging_send_syslog_msg(amavis_t)
|
|
|
|
miscfiles_read_localization(amavis_t)
|
|
|
|
sysnet_dns_name_resolve(amavis_t)
|
|
sysnet_use_ldap(amavis_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
|
|
|
|
# Cron handling
|
|
cron_use_fds(amavis_t)
|
|
cron_use_system_job_fds(amavis_t)
|
|
cron_rw_pipes(amavis_t)
|
|
|
|
mta_read_config(amavis_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_generic_ptys(amavis_t)
|
|
term_dontaudit_use_unallocated_ttys(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_stream_connect(amavis_t)
|
|
clamav_domtrans_clamscan(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dcc_domtrans_client(amavis_t)
|
|
dcc_stream_connect_dccifd(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_read_config(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pyzor_domtrans(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
razor_domtrans(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
spamassassin_exec(amavis_t)
|
|
spamassassin_exec_client(amavis_t)
|
|
')
|