selinux-policy/targeted/domains/program/spamd.te

#DESC Spamd - Spamassassin daemon
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamassassin
# Depends: spamassassin.te
#

daemon_domain(spamd)

tmp_domain(spamd)

general_domain_access(spamd_t)
uses_shlib(spamd_t)
read_sysctl(spamd_t)

# Various Perl bits
allow spamd_t lib_t:file rx_file_perms;
dontaudit spamd_t shadow_t:file { getattr read };
dontaudit spamd_t initrc_var_run_t:file { read write lock };
dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };

can_network_server(spamd_t)
allow spamd_t spamd_port_t:tcp_socket name_bind;
can_ypbind(spamd_t)
allow spamd_t self:capability net_bind_service;

allow spamd_t proc_t:file { getattr read };

# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc.  Comment this if you are not
# using this ability.
allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };

allow spamd_t { bin_t sbin_t }:dir { getattr search };
can_exec(spamd_t, bin_t)

ifdef(`sendmail.te', `
allow spamd_t etc_mail_t:dir { getattr read search };
allow spamd_t etc_mail_t:file { getattr ioctl read };
')
allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };

ifdef(`amavis.te', `
# for bayes tokens
allow spamd_t var_lib_t:dir { getattr search };
rw_dir_create_file(spamd_t, amavisd_lib_t)
')

allow spamd_t usr_t:file { getattr ioctl read };
allow spamd_t usr_t:lnk_file { getattr read };
allow spamd_t urandom_device_t:chr_file { getattr read };

system_crond_entry(spamd_exec_t, spamd_t)

allow spamd_t autofs_t:dir { search getattr };

if (use_nfs_home_dirs) {
allow spamd_t nfs_t:dir rw_dir_perms;
allow spamd_t nfs_t:file create_file_perms;
}

if (use_samba_home_dirs) {
allow spamd_t cifs_t:dir rw_dir_perms;
allow spamd_t cifs_t:file create_file_perms;
}

allow spamd_t home_root_t:dir getattr;
allow spamd_t user_home_dir_type:dir { search getattr };