selinux-policy/policy/modules/services/mailman.te
Dominick Grift d542026b86 The capability IPC goes on top of the local policy.
2010-09-22 15:41:45 +02:00


policy_module(mailman, 1.8.0)
########################################
#
# Declarations
#
# mailman_domain_template(<name>) is expected to declare the
# mailman_<name>_t domain and its mailman_<name>_exec_t entry point
# (the template itself is in the interface file of this module, not
# shown here). The local policy below relies on mailman_cgi_t,
# mailman_mail_t / mailman_mail_exec_t and
# mailman_queue_t / mailman_queue_exec_t coming from these three calls.
mailman_domain_template(cgi)
# Generic mailman data, declared as a file type; no rule in this file
# references it directly.
type mailman_data_t;
files_type(mailman_data_t)
# List archives; all three mailman domains get full manage access
# to this type in their local policy below.
type mailman_archive_t;
files_type(mailman_archive_t)
# Mailman log files, registered with the logging policy.
type mailman_log_t;
logging_log_file(mailman_log_t)
# Mailman lock files, registered as a lock file type.
type mailman_lock_t;
files_lock_file(mailman_lock_t)
mailman_domain_template(mail)
# The mail domain is a daemon started by init through its entry point.
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
mailman_domain_template(queue)
########################################
#
# Mailman CGI local policy
#
# cjp: the template invocation for cgi should be
# in the below optional policy; however, there are no
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.
#
# Every rule for mailman_cgi_t sits inside this single optional block,
# so the whole CGI policy (not only the apache_* calls) is omitted
# when the apache module is not present.
optional_policy(`
# Random bytes from /dev/urandom.
dev_read_urand(mailman_cgi_t)
# Full create/delete/rename access to archive directories, files and
# symlinks (the same access the mail and queue domains get below).
manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
files_search_spool(mailman_cgi_t)
# NOTE(review): a CGI started by httpd normally has no controlling
# terminal; confirm this access is still needed.
term_use_controlling_term(mailman_cgi_t)
# for python pre-compile foolishness
# (dontaudit: the write to library directories is still denied, only
# the AVC message is suppressed)
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
# Interaction with the httpd parent, as far as the interface names
# show: SIGCHLD to httpd, inherited httpd file descriptors, reading
# the httpd config and searching the sys_script state directory.
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
# The two apache_dontaudit_* calls only silence denials; appending to
# the httpd log and using httpd stream sockets stay denied.
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
')
########################################
#
# Mailman mail local policy
#
# Process capabilities granted to the delivery daemon:
#   kill          - send signals to processes of other uids
#   dac_override  - bypass DAC read/write/exec permission checks
#   setuid/setgid - change process credentials
#   sys_tty_config - tty device configuration
# NOTE(review): dac_override is the broadest of these; confirm the
# delivery path really needs it and cannot rely on file ownership or
# group membership instead.
allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
# Signals to its own processes, including existence checks (signull).
allow mailman_mail_t self:process { signal signull };
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
# Full manage access to the list archives.
manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
# Both mta_dontaudit_* calls only suppress AVC messages; no access to
# delivery TCP sockets or the mail queue is granted here.
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
# Each optional block below is only built when the named module
# (courier, gnome, cron, postfix) is present.
optional_policy(`
courier_read_spool(mailman_mail_t)
')
# dontaudit only: searching the gnome config stays denied.
optional_policy(`
gnome_dontaudit_search_config(mailman_mail_t)
')
optional_policy(`
cron_read_pipes(mailman_mail_t)
')
optional_policy(`
postfix_search_spool(mailman_mail_t)
')
########################################
#
# Mailman queue local policy
#
# Only credential-changing capabilities; unlike the mail domain, no
# dac_override or kill is granted to the queue runner.
allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process signal;
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
# Full manage access to the list archives.
manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
kernel_read_proc_symlinks(mailman_queue_t)
# Domain transition into the password checking helper (chkpwd).
# NOTE(review): why a queue runner needs to verify system passwords is
# not evident from this file; confirm the access is required.
auth_domtrans_chk_passwd(mailman_queue_t)
# dontaudit only: searching the pid directory stays denied.
files_dontaudit_search_pids(mailman_queue_t)
# for su
# (su looks for the SELinux configuration; the search is silenced,
# not allowed)
seutil_dontaudit_search_config(mailman_queue_t)
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
userdom_search_user_home_dirs(mailman_queue_t)
# Built only when the apache module is present.
optional_policy(`
apache_read_config(mailman_queue_t)
')
# Lets the system cron job execute mailman_queue_exec_t and transition
# into mailman_queue_t; built only when the cron module is present.
optional_policy(`
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
')
# Execute the su program from this domain (as far as the interface
# name shows, without a domain transition); built only when the su
# module is present.
optional_policy(`
su_exec(mailman_queue_t)
')