selinux-policy/policy/modules/services/procmail.te
2007-11-15 20:10:26 +00:00

136 lines
3.5 KiB
Plaintext

policy_module(procmail,1.7.1)
########################################
#
# Declarations
#
type procmail_t;
type procmail_exec_t;
application_domain(procmail_t,procmail_exec_t)
role system_r types procmail_t;
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
########################################
#
# Local policy
#
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:unix_stream_socket create_socket_perms;
allow procmail_t self:unix_dgram_socket create_socket_perms;
allow procmail_t self:tcp_socket create_stream_socket_perms;
allow procmail_t self:udp_socket create_socket_perms;
can_exec(procmail_t,procmail_exec_t)
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
corenet_all_recvfrom_unlabeled(procmail_t)
corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_all_if(procmail_t)
corenet_udp_sendrecv_all_if(procmail_t)
corenet_tcp_sendrecv_all_nodes(procmail_t)
corenet_udp_sendrecv_all_nodes(procmail_t)
corenet_tcp_sendrecv_all_ports(procmail_t)
corenet_udp_sendrecv_all_ports(procmail_t)
corenet_udp_bind_all_nodes(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
corenet_sendrecv_spamd_client_packets(procmail_t)
corenet_sendrecv_comsat_client_packets(procmail_t)
dev_read_urand(procmail_t)
fs_getattr_xattr_fs(procmail_t)
fs_search_auto_mountpoints(procmail_t)
fs_rw_anon_inodefs_files(procmail_t)
auth_use_nsswitch(procmail_t)
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
files_read_etc_files(procmail_t)
files_read_etc_runtime_files(procmail_t)
files_search_pids(procmail_t)
# for spamassasin
files_read_usr_files(procmail_t)
libs_use_ld_so(procmail_t)
libs_use_shared_libs(procmail_t)
logging_send_syslog_msg(procmail_t)
miscfiles_read_localization(procmail_t)
# only works until we define a different type for maildir
userdom_priveleged_home_dir_manager(procmail_t)
# Do not audit attempts to access /root.
userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
userdom_dontaudit_search_staff_home_dirs(procmail_t)
mta_manage_spool(procmail_t)
ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(procmail_t)
fs_manage_nfs_files(procmail_t)
fs_manage_nfs_symlinks(procmail_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(procmail_t)
fs_manage_cifs_files(procmail_t)
fs_manage_cifs_symlinks(procmail_t)
')
optional_policy(`
clamav_domtrans_clamscan(procmail_t)
clamav_search_lib(procmail_t)
')
optional_policy(`
munin_dontaudit_search_lib(procmail_t)
')
optional_policy(`
# for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
')
optional_policy(`
pyzor_domtrans(procmail_t)
')
optional_policy(`
mta_read_config(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_rw_tcp_sockets(procmail_t)
sendmail_rw_unix_stream_sockets(procmail_t)
')
optional_policy(`
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
')