888 lines
19 KiB
Plaintext
888 lines
19 KiB
Plaintext
## <summary>Policy common to all email tranfer agents.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## MTA stub interface. No access allowed.
|
|
## </summary>
|
|
## <param name="domain" optional="true">
|
|
## <summary>
|
|
## N/A
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_stub',`
|
|
gen_require(`
|
|
type sendmail_exec_t;
|
|
')
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Basic mail transfer agent domain template.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## This template creates a derived domain which is
|
|
## a email transfer agent, which sends mail on
|
|
## behalf of the user.
|
|
## </p>
|
|
## <p>
|
|
## This is the basic types and rules, common
|
|
## to the system agent and user agents.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain_prefix">
|
|
## <summary>
|
|
## The prefix of the domain (e.g., user
|
|
## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`mta_base_mail_template',`
|
|
|
|
gen_require(`
|
|
attribute user_mail_domain;
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# $1_mail_t declarations
|
|
#
|
|
|
|
type $1_mail_t, user_mail_domain;
|
|
domain_type($1_mail_t)
|
|
domain_entry_file($1_mail_t,sendmail_exec_t)
|
|
|
|
type $1_mail_tmp_t;
|
|
files_tmp_file($1_mail_tmp_t)
|
|
|
|
##############################
|
|
#
|
|
# $1_mail_t local policy
|
|
#
|
|
|
|
allow $1_mail_t self:capability { setuid setgid chown };
|
|
allow $1_mail_t self:process { signal_perms setrlimit };
|
|
allow $1_mail_t self:tcp_socket create_socket_perms;
|
|
|
|
# re-exec itself
|
|
can_exec($1_mail_t, sendmail_exec_t)
|
|
allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
|
|
|
|
kernel_read_kernel_sysctls($1_mail_t)
|
|
|
|
corenet_non_ipsec_sendrecv($1_mail_t)
|
|
corenet_tcp_sendrecv_all_if($1_mail_t)
|
|
corenet_tcp_sendrecv_all_nodes($1_mail_t)
|
|
corenet_tcp_sendrecv_all_ports($1_mail_t)
|
|
corenet_tcp_connect_all_ports($1_mail_t)
|
|
corenet_tcp_connect_smtp_port($1_mail_t)
|
|
corenet_sendrecv_smtp_client_packets($1_mail_t)
|
|
|
|
corecmd_exec_bin($1_mail_t)
|
|
corecmd_search_sbin($1_mail_t)
|
|
|
|
files_read_etc_files($1_mail_t)
|
|
files_search_spool($1_mail_t)
|
|
# It wants to check for nscd
|
|
files_dontaudit_search_pids($1_mail_t)
|
|
|
|
libs_use_ld_so($1_mail_t)
|
|
libs_use_shared_libs($1_mail_t)
|
|
|
|
logging_send_syslog_msg($1_mail_t)
|
|
|
|
miscfiles_read_localization($1_mail_t)
|
|
|
|
sysnet_read_config($1_mail_t)
|
|
sysnet_dns_name_resolve($1_mail_t)
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_domtrans_user_mail_handler($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
procmail_exec($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
qmail_domtrans_inject($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type etc_mail_t, mail_spool_t, mqueue_spool_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
|
|
manage_files_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
|
|
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
|
|
|
|
allow $1_mail_t etc_mail_t:dir { getattr search };
|
|
|
|
# Write to /var/spool/mail and /var/spool/mqueue.
|
|
manage_files_pattern($1_mail_t,mail_spool_t,mail_spool_t)
|
|
manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)
|
|
|
|
# Check available space.
|
|
fs_getattr_xattr_fs($1_mail_t)
|
|
|
|
files_read_etc_runtime_files($1_mail_t)
|
|
|
|
# Write to /var/log/sendmail.st
|
|
sendmail_manage_log($1_mail_t)
|
|
sendmail_create_log($1_mail_t)
|
|
')
|
|
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## The per role template for the mta module.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## This template creates a derived domain which is
|
|
## a email transfer agent, which sends mail on
|
|
## behalf of the user.
|
|
## </p>
|
|
## <p>
|
|
## This template is invoked automatically for each user, and
|
|
## generally does not need to be invoked directly
|
|
## by policy writers.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="userdomain_prefix">
|
|
## <summary>
|
|
## The prefix of the user domain (e.g., user
|
|
## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_role">
|
|
## <summary>
|
|
## The role associated with the user domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`mta_per_role_template',`
|
|
gen_require(`
|
|
attribute mta_user_agent;
|
|
attribute mailserver_delivery;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
mta_base_mail_template($1)
|
|
role $3 types $1_mail_t;
|
|
|
|
##############################
|
|
#
|
|
# $1_mail_t local policy
|
|
#
|
|
|
|
# Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
|
|
allow $2 sendmail_exec_t:lnk_file { getattr read };
|
|
|
|
domain_use_interactive_fds($1_mail_t)
|
|
|
|
userdom_use_user_terminals($1,$1_mail_t)
|
|
# Write to the user domain tty. cjp: why?
|
|
userdom_use_user_terminals($1,mta_user_agent)
|
|
# Create dead.letter in user home directories.
|
|
userdom_manage_user_home_content_files($1,$1_mail_t)
|
|
userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
|
|
# for reading .forward - maybe we need a new type for it?
|
|
# also for delivering mail to maildir
|
|
userdom_manage_user_home_content_dirs($1,mailserver_delivery)
|
|
userdom_manage_user_home_content_files($1,mailserver_delivery)
|
|
userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
|
|
userdom_manage_user_home_content_pipes($1,mailserver_delivery)
|
|
userdom_manage_user_home_content_sockets($1,mailserver_delivery)
|
|
userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
|
# Read user temporary files.
|
|
userdom_read_user_tmp_files($1,$1_mail_t)
|
|
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
|
|
# cjp: this should probably be read all user tmp
|
|
# files in an appropriate place for mta_user_agent
|
|
userdom_read_user_tmp_files($1,mta_user_agent)
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_files($1_mail_t)
|
|
fs_manage_cifs_symlinks($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
allow $1_mail_t self:capability dac_override;
|
|
|
|
# Read user temporary files.
|
|
# postfix seems to need write access if the file handle is opened read/write
|
|
userdom_rw_user_tmp_files($1,$1_mail_t)
|
|
|
|
postfix_read_config($1_mail_t)
|
|
postfix_list_spool($1_mail_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Provide extra permissions for admin users
|
|
## mail domain.
|
|
## </summary>
|
|
## <param name="userdomain_prefix">
|
|
## <summary>
|
|
## The prefix of the user domain (e.g., user
|
|
## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
template(`mta_admin_template',`
|
|
gen_require(`
|
|
type $1_mail_t;
|
|
')
|
|
|
|
ifdef(`strict_policy',`
|
|
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
|
userdom_read_unpriv_users_home_content_files($1_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
attribute mta_user_agent;
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
allow mta_user_agent $2:fifo_file { read write };
|
|
|
|
manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
|
|
manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
|
|
manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
|
|
manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
|
|
manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
|
|
files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
|
|
|
# postfix needs this for newaliases
|
|
files_getattr_tmp_dirs($1_mail_t)
|
|
|
|
postfix_exec_master($1_mail_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
# compatability for old default main.cf
|
|
postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
|
')
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the specified domain usable for a mail server.
|
|
## </summary>
|
|
## <param name="type">
|
|
## <summary>
|
|
## Type to be used as a mail server domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_mailserver',`
|
|
gen_require(`
|
|
attribute mailserver_domain;
|
|
')
|
|
|
|
init_daemon_domain($1,$2)
|
|
typeattribute $1 mailserver_domain;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Modified mailserver interface for
|
|
## sendmail daemon use.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## A modified MTA mail server interface for
|
|
## the sendmail program. It's design does
|
|
## not fit well with policy, and using the
|
|
## regular interface causes a type_transition
|
|
## conflict if direct running of init scripts
|
|
## is enabled.
|
|
## </p>
|
|
## <p>
|
|
## This interface should most likely only be used
|
|
## by the sendmail policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The type to be used for the mail server.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## The type to be used for the domain entry point program.
|
|
## </summary>
|
|
## </param>
|
|
interface(`mta_sendmail_mailserver',`
|
|
gen_require(`
|
|
attribute mailserver_domain;
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
init_system_domain($1,sendmail_exec_t)
|
|
typeattribute $1 mailserver_domain;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Make a type a mailserver type used
|
|
## for sending mail.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Mail server domain type used for sending mail.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_mailserver_sender',`
|
|
gen_require(`
|
|
attribute mailserver_sender;
|
|
')
|
|
|
|
typeattribute $1 mailserver_sender;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Make a type a mailserver type used
|
|
## for delivering mail to local users.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Mail server domain type used for delivering mail.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_mailserver_delivery',`
|
|
gen_require(`
|
|
attribute mailserver_delivery;
|
|
type mail_spool_t;
|
|
')
|
|
|
|
typeattribute $1 mailserver_delivery;
|
|
|
|
allow $1 mail_spool_t:dir list_dir_perms;
|
|
create_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
read_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
|
|
optional_policy(`
|
|
dovecot_manage_spool($1)
|
|
')
|
|
|
|
optional_policy(`
|
|
# so MTA can access /var/lib/mailman/mail/wrapper
|
|
files_search_var_lib($1)
|
|
|
|
mailman_domtrans($1)
|
|
mailman_read_data_symlinks($1)
|
|
')
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Make a type a mailserver type used
|
|
## for sending mail on behalf of local
|
|
## users to the local mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Mail server domain type used for sending local mail.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_mailserver_user_agent',`
|
|
gen_require(`
|
|
attribute mta_user_agent;
|
|
')
|
|
|
|
typeattribute $1 mta_user_agent;
|
|
|
|
optional_policy(`
|
|
# apache should set close-on-exec
|
|
apache_dontaudit_rw_stream_sockets($1)
|
|
apache_dontaudit_rw_sys_script_stream_sockets($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send mail from the system.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_send_mail',`
|
|
gen_require(`
|
|
attribute mta_user_agent;
|
|
type system_mail_t, sendmail_exec_t;
|
|
')
|
|
|
|
allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
|
|
domain_auto_trans($1, sendmail_exec_t, system_mail_t)
|
|
|
|
allow $1 system_mail_t:fd use;
|
|
allow system_mail_t $1:fd use;
|
|
allow system_mail_t $1:fifo_file rw_file_perms;
|
|
allow system_mail_t $1:process sigchld;
|
|
|
|
allow mta_user_agent $1:fd use;
|
|
allow mta_user_agent $1:process sigchld;
|
|
allow mta_user_agent $1:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute send mail in a specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute send mail in a specified domain.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="source_domain">
|
|
## <summary>
|
|
## Domain to transition from.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## Domain to transition to.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_sendmail_domtrans',`
|
|
gen_require(`
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
files_search_usr($1)
|
|
corecmd_read_sbin_symlinks($1)
|
|
domain_auto_trans($1,sendmail_exec_t,$2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute sendmail in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_sendmail_exec',`
|
|
gen_require(`
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
can_exec($1, sendmail_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read mail server configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mta_read_config',`
|
|
gen_require(`
|
|
type etc_mail_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 etc_mail_t:dir list_dir_perms;
|
|
read_files_pattern($1,etc_mail_t,etc_mail_t)
|
|
read_lnk_files_pattern($1,etc_mail_t,etc_mail_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read mail address aliases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_read_aliases',`
|
|
gen_require(`
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 etc_aliases_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Type transition files created in /etc
|
|
## to the mail address aliases type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_etc_filetrans_aliases',`
|
|
gen_require(`
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
files_etc_filetrans($1,etc_aliases_t, file)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write mail aliases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mta_rw_aliases',`
|
|
gen_require(`
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 etc_aliases_t:file { rw_file_perms setattr };
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write TCP
|
|
## sockets of mail delivery domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Mail server domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
|
|
gen_require(`
|
|
attribute mailserver_delivery;
|
|
')
|
|
|
|
dontaudit $1 mailserver_delivery:tcp_socket { read write };
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Connect to all mail servers over TCP. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Mail server domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_tcp_connect_all_mailservers',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Do not audit attempts to read a symlink
|
|
## in the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_dontaudit_read_spool_symlinks',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
dontaudit $1 mail_spool_t:lnk_file read;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_getattr_spool',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
allow $1 mail_spool_t:dir list_dir_perms;
|
|
allow $1 mail_spool_t:lnk_file read;
|
|
allow $1 mail_spool_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_dontaudit_getattr_spool_files',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_dontaudit_search_spool($1)
|
|
dontaudit $1 mail_spool_t:dir search;
|
|
dontaudit $1 mail_spool_t:lnk_file read;
|
|
dontaudit $1 mail_spool_t:file getattr;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Create private objects in the
|
|
## mail spool directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="private type">
|
|
## <summary>
|
|
## The type of the object to be created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="object">
|
|
## <summary>
|
|
## The object class of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_spool_filetrans',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
filetrans_pattern($1,mail_spool_t,$2,$3)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_rw_spool',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
allow $1 mail_spool_t:dir list_dir_perms;
|
|
allow $1 mail_spool_t:file setattr;
|
|
rw_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Create, read, and write the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_append_spool',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
allow $1 mail_spool_t:dir list_dir_perms;
|
|
create_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
write_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Delete from the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_delete_spool',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
delete_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_manage_spool',`
|
|
gen_require(`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
manage_dirs_pattern($1,mail_spool_t,mail_spool_t)
|
|
manage_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
manage_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write the mail queue.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_dontaudit_rw_queue',`
|
|
gen_require(`
|
|
type mqueue_spool_t;
|
|
')
|
|
|
|
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
|
|
dontaudit $1 mqueue_spool_t:file { getattr read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## mail queue files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_manage_queue',`
|
|
gen_require(`
|
|
type mqueue_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read sendmail binary.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
# cjp: added for postfix
|
|
interface(`mta_read_sendmail_bin',`
|
|
gen_require(`
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
allow $1 sendmail_exec_t:file read_file_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read and write unix domain stream sockets
|
|
## of user mail domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_rw_user_mail_stream_sockets',`
|
|
gen_require(`
|
|
attribute user_mail_domain;
|
|
')
|
|
|
|
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
|
|
')
|