selinux-policy/mls/domains/program/spamd.te

#DESC Spamd - Spamassassin daemon
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamassassin
# Depends: spamassassin.te
#

daemon_domain(spamd)

tmp_domain(spamd)

general_domain_access(spamd_t)
uses_shlib(spamd_t)
read_sysctl(spamd_t)

# Various Perl bits
allow spamd_t lib_t:file rx_file_perms;
dontaudit spamd_t shadow_t:file { getattr read };
dontaudit spamd_t initrc_var_run_t:file { read write lock };
dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };

can_network_server(spamd_t)
allow spamd_t spamd_port_t:tcp_socket name_bind;
allow spamd_t port_type:udp_socket name_bind;
dontaudit spamd_t reserved_port_type:udp_socket name_bind;
can_ypbind(spamd_t)
can_resolve(spamd_t)
allow spamd_t self:capability net_bind_service;

allow spamd_t proc_t:file { getattr read };

# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc.  Comment this if you are not
# using this ability.
allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };

allow spamd_t { bin_t sbin_t }:dir { getattr search };
can_exec(spamd_t, bin_t)

ifdef(`sendmail.te', `
allow spamd_t etc_mail_t:dir { getattr read search };
allow spamd_t etc_mail_t:file { getattr ioctl read };
')
allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };

ifdef(`amavis.te', `
# for bayes tokens
allow spamd_t var_lib_t:dir { getattr search };
rw_dir_create_file(spamd_t, amavisd_lib_t)
')

allow spamd_t usr_t:file { getattr ioctl read };
allow spamd_t usr_t:lnk_file { getattr read };
allow spamd_t urandom_device_t:chr_file { getattr read };

system_crond_entry(spamd_exec_t, spamd_t)
ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')