selinux-policy/targeted/domains/program/spamd.te
2005-11-07 20:09:28 +00:00

71 lines
1.9 KiB
Plaintext

#DESC Spamd - Spamassassin daemon
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamassassin
# Depends: spamassassin.te
#
daemon_domain(spamd)
tmp_domain(spamd)
general_domain_access(spamd_t)
uses_shlib(spamd_t)
read_sysctl(spamd_t)
# Various Perl bits
allow spamd_t lib_t:file rx_file_perms;
dontaudit spamd_t shadow_t:file { getattr read };
dontaudit spamd_t initrc_var_run_t:file { read write lock };
dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
can_network_server(spamd_t)
allow spamd_t spamd_port_t:tcp_socket name_bind;
can_ypbind(spamd_t)
allow spamd_t self:capability net_bind_service;
allow spamd_t proc_t:file { getattr read };
# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc. Comment this if you are not
# using this ability.
allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
allow spamd_t { bin_t sbin_t }:dir { getattr search };
can_exec(spamd_t, bin_t)
ifdef(`sendmail.te', `
allow spamd_t etc_mail_t:dir { getattr read search };
allow spamd_t etc_mail_t:file { getattr ioctl read };
')
allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
ifdef(`amavis.te', `
# for bayes tokens
allow spamd_t var_lib_t:dir { getattr search };
rw_dir_create_file(spamd_t, amavisd_lib_t)
')
allow spamd_t usr_t:file { getattr ioctl read };
allow spamd_t usr_t:lnk_file { getattr read };
allow spamd_t urandom_device_t:chr_file { getattr read };
system_crond_entry(spamd_exec_t, spamd_t)
allow spamd_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs) {
allow spamd_t nfs_t:dir rw_dir_perms;
allow spamd_t nfs_t:file create_file_perms;
}
if (use_samba_home_dirs) {
allow spamd_t cifs_t:dir rw_dir_perms;
allow spamd_t cifs_t:file create_file_perms;
}
allow spamd_t home_root_t:dir getattr;
allow spamd_t user_home_dir_type:dir { search getattr };