rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
923aa2ad32
selinux-policy/policy/modules/services/amavis.te
Dominick Grift 72ba80bf88 Use permission sets where possible. 
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-22 15:35:28 +02:00

190 lines
5.2 KiB
Plaintext
Raw Blame History

policy_module(amavis, 1.11.0)
########################################
#
# Declarations
#
type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)
# configuration files
type amavis_etc_t;
files_config_file(amavis_etc_t)
type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)
# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)
# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)
# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)
# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)
# virus quarantine
type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
files_type(amavis_spool_t)
########################################
#
# amavis local policy
#
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
# configuration files
allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
can_exec(amavis_t, amavis_exec_t)
# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
# Spool Files
manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)
# tmp files
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)
# log files
allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
# pid file
manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_tcp_sendrecv_generic_node(amavis_t)
corenet_tcp_bind_generic_node(amavis_t)
corenet_udp_bind_generic_node(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
domain_use_interactive_fds(amavis_t)
files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)
fs_getattr_xattr_fs(amavis_t)
auth_dontaudit_read_shadow(amavis_t)
# uses uptime which reads utmp - redhat bug 561383
init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
miscfiles_read_generic_certs(amavis_t)
miscfiles_read_localization(amavis_t)
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
')
optional_policy(`
dcc_domtrans_client(amavis_t)
dcc_stream_connect_dccifd(amavis_t)
')
optional_policy(`
postfix_read_config(amavis_t)
')
optional_policy(`
pyzor_domtrans(amavis_t)
pyzor_signal(amavis_t)
')
optional_policy(`
razor_domtrans(amavis_t)
')
optional_policy(`
spamassassin_exec(amavis_t)
spamassassin_exec_client(amavis_t)
spamassassin_read_lib_files(amavis_t)
')
Reference in New Issue View Git Blame Copy Permalink