selinux-policy/policy/modules/services/spamassassin.te

policy_module(spamassassin,1.6.2)

########################################
#
# Declarations
#

ifdef(`strict_policy',`
## <desc>
## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
gen_tunable(spamassassin_can_network,false)
')

ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow spamd to read/write user home directories.
## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
')

# spamassassin client executable
type spamc_exec_t;
corecmd_executable_file(spamc_exec_t)

type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t,spamd_exec_t)

type spamd_spool_t;
files_type(spamd_spool_t)

type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)

# var/lib files
type spamd_var_lib_t;
files_type(spamd_var_lib_t)

type spamd_var_run_t;
files_pid_file(spamd_var_run_t)

type spamassassin_exec_t;
corecmd_executable_file(spamassassin_exec_t)

########################################
#
# Spamassassin daemon local policy
#

# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc.  Comment this if you are not
# using this ability.

allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
allow spamd_t self:sock_file read_sock_file_perms;
allow spamd_t self:shm create_shm_perms;
allow spamd_t self:sem create_sem_perms;
allow spamd_t self:msgq create_msgq_perms;
allow spamd_t self:msg { send receive };
allow spamd_t self:unix_dgram_socket create_socket_perms;
allow spamd_t self:unix_stream_socket create_stream_socket_perms;
allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
allow spamd_t self:netlink_route_socket r_netlink_socket_perms;

manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })

manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
manage_files_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })

# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)

manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
files_pid_filetrans(spamd_t,spamd_var_run_t,file)

kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)

corenet_all_recvfrom_unlabeled(spamd_t)
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_all_if(spamd_t)
corenet_udp_sendrecv_all_if(spamd_t)
corenet_tcp_sendrecv_all_nodes(spamd_t)
corenet_udp_sendrecv_all_nodes(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_all_nodes(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
corenet_tcp_connect_smtp_port(spamd_t)
corenet_sendrecv_razor_client_packets(spamd_t)
corenet_sendrecv_spamd_server_packets(spamd_t)
# spamassassin 3.1 needs this for its
# DnsResolver.pm module which binds to
# random ports >= 1024.
corenet_udp_bind_all_nodes(spamd_t)
corenet_udp_bind_generic_port(spamd_t)
corenet_udp_bind_imaze_port(spamd_t)
corenet_dontaudit_udp_bind_all_ports(spamd_t)
corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_sendrecv_generic_server_packets(spamd_t)

dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)

fs_getattr_all_fs(spamd_t)
fs_search_auto_mountpoints(spamd_t)

auth_dontaudit_read_shadow(spamd_t)

corecmd_exec_bin(spamd_t)

domain_use_interactive_fds(spamd_t)

files_read_usr_files(spamd_t)
files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
# /var/lib/spamassin
files_read_var_lib_files(spamd_t)

init_dontaudit_rw_utmp(spamd_t)

libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
# Various Perl bits
libs_use_lib_files(spamd_t)

logging_send_syslog_msg(spamd_t)

miscfiles_read_localization(spamd_t)

sysnet_read_config(spamd_t)
sysnet_use_ldap(spamd_t)
sysnet_dns_name_resolve(spamd_t)

userdom_use_unpriv_users_fds(spamd_t)
userdom_search_unpriv_users_home_dirs(spamd_t)
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(spamd_t)
	term_dontaudit_use_generic_ptys(spamd_t)

	files_dontaudit_read_root_files(spamd_t)

	tunable_policy(`spamd_enable_home_dirs',`
		userdom_manage_generic_user_home_content_dirs(spamd_t)
		userdom_manage_generic_user_home_content_files(spamd_t)
		userdom_manage_generic_user_home_content_symlinks(spamd_t)
		userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)
	')
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_files(spamd_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_files(spamd_t)
')

optional_policy(`
	amavis_manage_lib_files(spamd_t)
')

optional_policy(`
	cron_system_entry(spamd_t,spamd_exec_t)
')

optional_policy(`
	daemontools_service_domain(spamd_t,spamd_exec_t)
')

optional_policy(`
	dcc_domtrans_client(spamd_t)
	dcc_stream_connect_dccifd(spamd_t)
')

optional_policy(`
	mysql_search_db(spamd_t)
	mysql_stream_connect(spamd_t)
')

optional_policy(`
	nis_use_ypbind(spamd_t)
')

optional_policy(`
	postfix_read_config(spamd_t)
')

optional_policy(`
	postgresql_stream_connect(spamd_t)
')

optional_policy(`
	pyzor_domtrans(spamd_t)
	pyzor_signal(spamd_t)
')

optional_policy(`
	razor_domtrans(spamd_t)
')

optional_policy(`
	seutil_sigchld_newrole(spamd_t)
')

optional_policy(`
	sendmail_stub(spamd_t)
	mta_read_config(spamd_t)
')

optional_policy(`
	udev_read_db(spamd_t)
')