54 lines
1.4 KiB
Plaintext
54 lines
1.4 KiB
Plaintext
#
|
|
# Razor - Vipul's Razor is a distributed, collaborative, spam
|
|
# detection and filtering network.
|
|
#
|
|
# Author: David Hampton <hampton@employees.org>
|
|
#
|
|
|
|
# NOTE: This policy will work with either the ATrpms provided config
|
|
# file in /etc/razor, or with the default of dumping everything into
|
|
# $HOME/.razor.
|
|
|
|
##########
|
|
# Razor query application - from system_r applictions
|
|
##########
|
|
type razor_t, domain, privlog, daemon;
|
|
type razor_exec_t, file_type, sysadmfile, exec_type;
|
|
role system_r types razor_t;
|
|
|
|
razor_base_domain(razor)
|
|
|
|
# Razor config file directory. When invoked as razor-admin, it can
|
|
# update files in this directory.
|
|
etcdir_domain(razor)
|
|
create_dir_file(razor_t, razor_etc_t);
|
|
|
|
# Shared razor files updated freuently
|
|
var_lib_domain(razor)
|
|
|
|
# Log files
|
|
log_domain(razor)
|
|
allow razor_t var_log_t:dir search;
|
|
ifdef(`logrotate.te', `
|
|
allow logrotate_t razor_log_t:file r_file_perms;
|
|
')
|
|
|
|
##########
|
|
##########
|
|
|
|
#
|
|
# Some spam filters executes the razor code directly. Allow them access here.
|
|
#
|
|
define(`razor_access',`
|
|
r_dir_file($1, razor_etc_t)
|
|
allow $1 var_log_t:dir search;
|
|
allow $1 razor_log_t:file ra_file_perms;
|
|
r_dir_file($1, razor_var_lib_t)
|
|
r_dir_file($1, sysadm_razor_home_t)
|
|
can_network_client_tcp($1, razor_port_t)
|
|
allow $1 razor_port_t:tcp_socket name_connect;
|
|
')
|
|
|
|
ifdef(`spamd.te', `razor_access(spamd_t)');
|
|
ifdef(`amavis.te', `razor_access(amavisd_t)');
|