18f2a72d7f
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
326 lines
8.3 KiB
Plaintext
326 lines
8.3 KiB
Plaintext
policy_module(qmail, 1.5.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute qmail_user_domains;
|
|
|
|
type qmail_alias_home_t;
|
|
files_type(qmail_alias_home_t)
|
|
|
|
qmail_child_domain_template(qmail_clean, qmail_start_t)
|
|
|
|
type qmail_etc_t;
|
|
files_config_file(qmail_etc_t)
|
|
|
|
type qmail_exec_t;
|
|
files_type(qmail_exec_t)
|
|
|
|
type qmail_inject_t, qmail_user_domains;
|
|
type qmail_inject_exec_t;
|
|
domain_type(qmail_inject_t)
|
|
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
|
|
mta_mailserver_user_agent(qmail_inject_t)
|
|
role system_r types qmail_inject_t;
|
|
|
|
qmail_child_domain_template(qmail_local, qmail_lspawn_t)
|
|
mta_mailserver_delivery(qmail_local_t)
|
|
|
|
qmail_child_domain_template(qmail_lspawn, qmail_start_t)
|
|
mta_mailserver_delivery(qmail_lspawn_t)
|
|
|
|
qmail_child_domain_template(qmail_queue, qmail_inject_t)
|
|
typeattribute qmail_queue_t qmail_user_domains;
|
|
mta_mailserver_user_agent(qmail_queue_t)
|
|
|
|
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
|
|
mta_mailserver_sender(qmail_remote_t)
|
|
|
|
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
|
|
|
|
qmail_child_domain_template(qmail_send, qmail_start_t)
|
|
|
|
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
|
|
|
|
qmail_child_domain_template(qmail_splogger, qmail_start_t)
|
|
|
|
type qmail_spool_t;
|
|
files_type(qmail_spool_t)
|
|
|
|
type qmail_start_t;
|
|
type qmail_start_exec_t;
|
|
init_daemon_domain(qmail_start_t, qmail_start_exec_t)
|
|
|
|
type qmail_tcp_env_t;
|
|
type qmail_tcp_env_exec_t;
|
|
application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-clean local policy
|
|
# this component cleans up the queue directory
|
|
#
|
|
|
|
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
|
delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-inject local policy
|
|
# this component preprocesses mail from stdin and invokes qmail-queue
|
|
#
|
|
|
|
allow qmail_inject_t self:process signal_perms;
|
|
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
|
|
|
|
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
|
|
|
|
corecmd_search_bin(qmail_inject_t)
|
|
|
|
files_search_var(qmail_inject_t)
|
|
|
|
miscfiles_read_localization(qmail_inject_t)
|
|
|
|
qmail_read_config(qmail_inject_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-local local policy
|
|
# this component delivers a mail message
|
|
#
|
|
|
|
allow qmail_local_t self:process signal_perms;
|
|
allow qmail_local_t self:fifo_file write_file_perms;
|
|
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
|
|
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
|
|
|
|
can_exec(qmail_local_t, qmail_local_exec_t)
|
|
|
|
allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
|
|
|
|
allow qmail_local_t qmail_spool_t:file read_file_perms;
|
|
|
|
kernel_read_system_state(qmail_local_t)
|
|
|
|
corecmd_exec_bin(qmail_local_t)
|
|
corecmd_exec_shell(qmail_local_t)
|
|
|
|
files_read_etc_files(qmail_local_t)
|
|
files_read_etc_runtime_files(qmail_local_t)
|
|
|
|
auth_use_nsswitch(qmail_local_t)
|
|
|
|
logging_send_syslog_msg(qmail_local_t)
|
|
|
|
mta_append_spool(qmail_local_t)
|
|
|
|
qmail_domtrans_queue(qmail_local_t)
|
|
|
|
optional_policy(`
|
|
uucp_domtrans(qmail_local_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
spamassassin_domtrans_client(qmail_local_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# qmail-lspawn local policy
|
|
# this component schedules local deliveries
|
|
#
|
|
|
|
allow qmail_lspawn_t self:capability { setuid setgid };
|
|
allow qmail_lspawn_t self:process signal_perms;
|
|
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
|
|
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
|
|
|
|
can_exec(qmail_lspawn_t, qmail_exec_t)
|
|
|
|
allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
|
|
|
|
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
corecmd_search_bin(qmail_lspawn_t)
|
|
|
|
files_read_etc_files(qmail_lspawn_t)
|
|
files_search_pids(qmail_lspawn_t)
|
|
files_search_tmp(qmail_lspawn_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-queue local policy
|
|
# this component places a mail in a delivery queue, later to be processed by qmail-send
|
|
#
|
|
|
|
allow qmail_queue_t qmail_lspawn_t:fd use;
|
|
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
|
|
|
|
allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
|
allow qmail_queue_t qmail_smtpd_t:fd use;
|
|
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
|
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
|
rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
corecmd_exec_bin(qmail_queue_t)
|
|
|
|
logging_send_syslog_msg(qmail_queue_t)
|
|
|
|
optional_policy(`
|
|
daemontools_ipc_domain(qmail_queue_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# qmail-remote local policy
|
|
# this component sends mail via SMTP
|
|
#
|
|
|
|
allow qmail_remote_t self:tcp_socket create_socket_perms;
|
|
allow qmail_remote_t self:udp_socket create_socket_perms;
|
|
|
|
rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(qmail_remote_t)
|
|
corenet_all_recvfrom_netlabel(qmail_remote_t)
|
|
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
|
|
corenet_udp_sendrecv_generic_if(qmail_remote_t)
|
|
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
|
|
corenet_udp_sendrecv_generic_node(qmail_remote_t)
|
|
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
|
|
corenet_udp_sendrecv_dns_port(qmail_remote_t)
|
|
corenet_tcp_connect_smtp_port(qmail_remote_t)
|
|
corenet_sendrecv_smtp_client_packets(qmail_remote_t)
|
|
|
|
dev_read_rand(qmail_remote_t)
|
|
dev_read_urand(qmail_remote_t)
|
|
|
|
sysnet_read_config(qmail_remote_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-rspawn local policy
|
|
# this component scedules remote deliveries
|
|
#
|
|
|
|
allow qmail_rspawn_t self:process signal_perms;
|
|
allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
|
|
|
|
allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
|
|
|
|
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
corecmd_search_bin(qmail_rspawn_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-send local policy
|
|
# this component delivers mail messages from the queue
|
|
#
|
|
|
|
allow qmail_send_t self:process signal_perms;
|
|
allow qmail_send_t self:fifo_file write_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
|
|
manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
|
|
read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
qmail_domtrans_queue(qmail_send_t)
|
|
|
|
optional_policy(`
|
|
daemontools_ipc_domain(qmail_send_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# qmail-smtpd local policy
|
|
# this component receives mails via SMTP
|
|
#
|
|
|
|
allow qmail_smtpd_t self:process signal_perms;
|
|
allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
|
|
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
|
|
|
|
allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
|
|
|
|
dev_read_rand(qmail_smtpd_t)
|
|
dev_read_urand(qmail_smtpd_t)
|
|
|
|
qmail_domtrans_queue(qmail_smtpd_t)
|
|
|
|
optional_policy(`
|
|
daemontools_ipc_domain(qmail_smtpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(qmail, qmail_smtpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# splogger local policy
|
|
# this component creates entries in syslog
|
|
#
|
|
|
|
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
files_read_etc_files(qmail_splogger_t)
|
|
|
|
init_dontaudit_use_script_fds(qmail_splogger_t)
|
|
|
|
miscfiles_read_localization(qmail_splogger_t)
|
|
|
|
########################################
|
|
#
|
|
# qmail-start local policy
|
|
# this component starts up the mail delivery component
|
|
#
|
|
|
|
allow qmail_start_t self:capability { setgid setuid };
|
|
dontaudit qmail_start_t self:capability sys_tty_config;
|
|
allow qmail_start_t self:process signal_perms;
|
|
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
can_exec(qmail_start_t, qmail_start_exec_t)
|
|
|
|
corecmd_search_bin(qmail_start_t)
|
|
|
|
files_search_var(qmail_start_t)
|
|
|
|
qmail_read_config(qmail_start_t)
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
|
|
daemontools_ipc_domain(qmail_start_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# tcp-env local policy
|
|
# this component sets up TCP-related environment variables
|
|
#
|
|
|
|
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
|
|
|
|
corecmd_search_bin(qmail_tcp_env_t)
|
|
|
|
sysnet_read_config(qmail_tcp_env_t)
|
|
|
|
optional_policy(`
|
|
inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
|
')
|