selinux-policy/policy/modules/services/qmail.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

309 lines
7.8 KiB
Plaintext

policy_module(qmail,1.1.1)
########################################
#
# Declarations
#
attribute qmail_user_domains;
type qmail_alias_home_t;
files_type(qmail_alias_home_t)
qmail_child_domain_template(qmail_clean, qmail_start_t)
type qmail_etc_t;
files_type(qmail_etc_t)
type qmail_exec_t;
files_type(qmail_exec_t)
type qmail_inject_t, qmail_user_domains;
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t,qmail_inject_exec_t)
mta_mailserver_user_agent(qmail_inject_t)
role system_r types qmail_inject_t;
qmail_child_domain_template(qmail_local, qmail_lspawn_t)
mta_mailserver_delivery(qmail_local_t)
qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)
qmail_child_domain_template(qmail_queue, qmail_inject_t)
typeattribute qmail_queue_t qmail_user_domains;
mta_mailserver_user_agent(qmail_queue_t)
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
mta_mailserver_sender(qmail_remote_t)
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
qmail_child_domain_template(qmail_send, qmail_start_t)
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_spool_t;
files_type(qmail_spool_t)
type qmail_start_t;
type qmail_start_exec_t;
init_daemon_domain(qmail_start_t,qmail_start_exec_t)
type qmail_tcp_env_t;
type qmail_tcp_env_exec_t;
domain_type(qmail_tcp_env_t)
domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
########################################
#
# qmail-clean local policy
# this component cleans up the queue directory
#
read_files_pattern(qmail_clean_t,qmail_spool_t,qmail_spool_t)
delete_files_pattern(qmail_clean_t,qmail_spool_t,qmail_spool_t)
########################################
#
# qmail-inject local policy
# this component preprocesses mail from stdin and invokes qmail-queue
#
allow qmail_inject_t self:fifo_file write;
allow qmail_inject_t self:process signal_perms;
allow qmail_inject_t qmail_queue_exec_t:file read;
corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
libs_use_ld_so(qmail_inject_t)
libs_use_shared_libs(qmail_inject_t)
qmail_read_config(qmail_inject_t)
########################################
#
# qmail-local local policy
# this component delivers a mail message
#
allow qmail_local_t self:fifo_file write;
allow qmail_local_t self:process signal_perms;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t,qmail_alias_home_t,qmail_alias_home_t)
manage_files_pattern(qmail_local_t,qmail_alias_home_t,qmail_alias_home_t)
allow qmail_local_t qmail_queue_exec_t:file read;
allow qmail_local_t qmail_spool_t:file read_file_perms;
kernel_read_system_state(qmail_local_t)
corecmd_exec_shell(qmail_local_t)
files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t)
mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
########################################
#
# qmail-lspawn local policy
# this component schedules local deliveries
#
allow qmail_lspawn_t self:capability { setuid setgid };
allow qmail_lspawn_t self:process signal_perms;
allow qmail_lspawn_t self:fifo_file { read write };
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
can_exec(qmail_lspawn_t, qmail_exec_t)
allow qmail_lspawn_t qmail_local_exec_t:file read;
read_files_pattern(qmail_lspawn_t,qmail_spool_t,qmail_spool_t)
corecmd_search_bin(qmail_lspawn_t)
files_read_etc_files(qmail_lspawn_t)
files_search_pids(qmail_lspawn_t)
files_search_tmp(qmail_lspawn_t)
########################################
#
# qmail-queue local policy
# this component places a mail in a delivery queue, later to be processed by qmail-send
#
allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read;
allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
optional_policy(`
daemontools_ipc_domain(qmail_queue_t)
')
########################################
#
# qmail-remote local policy
# this component sends mail via SMTP
#
allow qmail_remote_t self:tcp_socket create_socket_perms;
allow qmail_remote_t self:udp_socket create_socket_perms;
rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
corenet_all_recvfrom_unlabeled(qmail_remote_t)
corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
corenet_udp_sendrecv_generic_node(qmail_remote_t)
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
corenet_udp_sendrecv_dns_port(qmail_remote_t)
corenet_tcp_connect_smtp_port(qmail_remote_t)
corenet_sendrecv_smtp_client_packets(qmail_remote_t)
dev_read_rand(qmail_remote_t)
dev_read_urand(qmail_remote_t)
sysnet_read_config(qmail_remote_t)
########################################
#
# qmail-rspawn local policy
# this component scedules remote deliveries
#
allow qmail_rspawn_t self:process signal_perms;
allow qmail_rspawn_t self:fifo_file read;
allow qmail_rspawn_t qmail_remote_exec_t:file read;
rw_files_pattern(qmail_rspawn_t,qmail_spool_t,qmail_spool_t)
corecmd_search_bin(qmail_rspawn_t)
########################################
#
# qmail-send local policy
# this component delivers mail messages from the queue
#
allow qmail_send_t self:process signal_perms;
allow qmail_send_t self:fifo_file write;
manage_dirs_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
manage_files_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
read_fifo_files_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
qmail_domtrans_queue(qmail_send_t)
optional_policy(`
daemontools_ipc_domain(qmail_send_t)
')
########################################
#
# qmail-smtpd local policy
# this component receives mails via SMTP
#
allow qmail_smtpd_t self:process signal_perms;
allow qmail_smtpd_t self:fifo_file write;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
allow qmail_smtpd_t qmail_queue_exec_t:file read;
dev_read_rand(qmail_smtpd_t)
dev_read_urand(qmail_smtpd_t)
qmail_domtrans_queue(qmail_smtpd_t)
optional_policy(`
daemontools_ipc_domain(qmail_smtpd_t)
')
optional_policy(`
ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
')
########################################
#
# splogger local policy
# this component creates entries in syslog
#
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
files_read_etc_files(qmail_splogger_t)
init_dontaudit_use_script_fds(qmail_splogger_t)
miscfiles_read_localization(qmail_splogger_t)
########################################
#
# qmail-start local policy
# this component starts up the mail delivery component
#
allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
allow qmail_start_t self:fifo_file { getattr read write };
allow qmail_start_t self:process signal_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
corecmd_search_bin(qmail_start_t)
files_search_var(qmail_start_t)
libs_use_ld_so(qmail_start_t)
libs_use_shared_libs(qmail_start_t)
qmail_read_config(qmail_start_t)
optional_policy(`
daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
daemontools_ipc_domain(qmail_start_t)
')
########################################
#
# tcp-env local policy
# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
corecmd_search_bin(qmail_tcp_env_t)
sysnet_read_config(qmail_tcp_env_t)
optional_policy(`
inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
')
optional_policy(`
ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
')