208 lines
5.2 KiB
Plaintext
208 lines
5.2 KiB
Plaintext
|
|
policy_module(mta,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute mta_user_agent;
|
|
attribute mailserver_delivery;
|
|
attribute mailserver_domain;
|
|
attribute mailserver_sender;
|
|
|
|
type etc_aliases_t;
|
|
files_type(etc_aliases_t)
|
|
|
|
type etc_mail_t;
|
|
files_type(etc_mail_t)
|
|
|
|
type mqueue_spool_t;
|
|
files_type(mqueue_spool_t)
|
|
|
|
type mail_spool_t;
|
|
files_type(mail_spool_t)
|
|
|
|
type sendmail_exec_t;
|
|
files_type(sendmail_exec_t)
|
|
|
|
type system_mail_t;
|
|
domain_type(system_mail_t)
|
|
domain_entry_file(system_mail_t,sendmail_exec_t)
|
|
role system_r types system_mail_t;
|
|
|
|
# cjp: need to resolve this, but require{}
|
|
# does not work in the else part of the optional
|
|
#ifdef(`targeted_policy',`',`
|
|
# optional_policy(`sendmail.te',`',`
|
|
# init_system_domain(system_mail_t,sendmail_exec_t)
|
|
# ')
|
|
#')
|
|
|
|
########################################
|
|
#
|
|
# System mail local policy
|
|
#
|
|
|
|
allow system_mail_t self:capability { setuid setgid chown };
|
|
allow system_mail_t self:process { signal_perms setrlimit };
|
|
allow system_mail_t self:tcp_socket create_socket_perms;
|
|
|
|
# re-exec itself
|
|
can_exec(system_mail_t, sendmail_exec_t)
|
|
allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
|
|
|
|
kernel_read_kernel_sysctl(system_mail_t)
|
|
kernel_read_system_state(system_mail_t)
|
|
kernel_read_network_state(system_mail_t)
|
|
|
|
corenet_tcp_sendrecv_all_if(system_mail_t)
|
|
corenet_raw_sendrecv_all_if(system_mail_t)
|
|
corenet_tcp_sendrecv_all_nodes(system_mail_t)
|
|
corenet_raw_sendrecv_all_nodes(system_mail_t)
|
|
corenet_tcp_sendrecv_all_ports(system_mail_t)
|
|
corenet_tcp_bind_all_nodes(system_mail_t)
|
|
|
|
dev_read_rand(system_mail_t)
|
|
dev_read_urand(system_mail_t)
|
|
|
|
fs_getattr_xattr_fs(system_mail_t)
|
|
|
|
init_use_script_pty(system_mail_t)
|
|
|
|
files_read_etc_files(system_mail_t)
|
|
files_read_etc_runtime_files(system_mail_t)
|
|
files_search_spool(system_mail_t)
|
|
# It wants to check for nscd
|
|
files_dontaudit_search_pids(system_mail_t)
|
|
|
|
corecmd_exec_bin(system_mail_t)
|
|
corecmd_search_sbin(system_mail_t)
|
|
|
|
libs_use_ld_so(system_mail_t)
|
|
libs_use_shared_libs(system_mail_t)
|
|
|
|
logging_send_syslog_msg(system_mail_t)
|
|
|
|
miscfiles_read_localization(system_mail_t)
|
|
|
|
sysnet_read_config(system_mail_t)
|
|
sysnet_dns_name_resolve(system_mail_t)
|
|
|
|
userdom_use_sysadm_terms(system_mail_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
typealias system_mail_t alias sysadm_mail_t;
|
|
|
|
allow system_mail_t etc_mail_t:file r_file_perms;
|
|
|
|
allow system_mail_t mail_spool_t:dir create_dir_perms;
|
|
allow system_mail_t mail_spool_t:file create_file_perms;
|
|
allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
|
|
allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
|
|
|
|
allow system_mail_t mqueue_spool_t:dir create_dir_perms;
|
|
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
|
allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
|
|
|
|
# cjp: another require-in-else to resolve
|
|
# optional_policy(`postfix.te',`',`
|
|
corecmd_exec_bin(system_mail_t)
|
|
corecmd_exec_sbin(system_mail_t)
|
|
|
|
domain_exec_all_entry_files(system_mail_t)
|
|
|
|
files_exec_etc_files(system_mail_t)
|
|
|
|
libs_use_ld_so(system_mail_t)
|
|
libs_use_shared_libs(system_mail_t)
|
|
libs_exec_ld_so(system_mail_t)
|
|
libs_exec_lib_files(system_mail_t)
|
|
# ')
|
|
')
|
|
|
|
optional_policy(`apache.te',`
|
|
apache_read_squirrelmail_data(system_mail_t)
|
|
apache_append_squirrelmail_data(system_mail_t)
|
|
|
|
# apache should set close-on-exec
|
|
apache_dontaudit_append_log(system_mail_t)
|
|
apache_dontaudit_rw_stream_socket(system_mail_t)
|
|
apache_dontaudit_rw_tcp_socket(system_mail_t)
|
|
apache_dontaudit_rw_sys_script_stream_socket(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`cron.te',`
|
|
cron_read_system_job_tmp_files(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`cvs.te',`
|
|
cvs_read_data(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`logrotate.te',`
|
|
logrotate_read_tmp_files(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`nis.te',`
|
|
nis_use_ypbind(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`nscd.te',`
|
|
nscd_use_socket(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`sendmail.te',`
|
|
sendmail_stub()
|
|
|
|
allow system_mail_t etc_mail_t:dir { getattr search };
|
|
|
|
# sendmail -q
|
|
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
|
|
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
optional_policy(`procmail.te',`
|
|
procmail_exec(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`sendmail.te',`
|
|
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
|
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
|
|
|
optional_policy(`crond.te', `
|
|
dontaudit system_mail_t system_crond_tmp_t:file append;
|
|
')
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
|
',`
|
|
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
|
allow sysadm_mail_t user_home_dir_type:dir search;
|
|
r_dir_file(sysadm_mail_t, user_home_type)
|
|
')
|
|
|
|
allow system_mail_t privmail:fd use;
|
|
allow system_mail_t privmail:process sigchld;
|
|
allow system_mail_t privmail:fifo_file { read write };
|
|
|
|
optional_policy(`qmail.te',`
|
|
allow system_mail_t qmail_etc_t:dir search;
|
|
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
|
')
|
|
|
|
optional_policy(`arpwatch.te',`
|
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
|
arpwatch_search_data_dir(mta_delivery_agent)
|
|
arpwatch_manage_tmp_files(system_mail_t)
|
|
arpwatch_manage_tmp_files(mta_user_agent)
|
|
ifdef(`hide_broken_symptoms', `
|
|
arpwatch_dontaudit_rw_packet_socket(system_mail_t)
|
|
arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
|
|
')
|
|
')
|
|
|
|
') dnl end TODO
|