114 lines
2.8 KiB
Plaintext
114 lines
2.8 KiB
Plaintext
|
|
policy_module(mailman,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
mailman_domain_template(cgi)
|
|
|
|
type mailman_data_t;
|
|
files_type(mailman_data_t)
|
|
|
|
type mailman_archive_t;
|
|
files_type(mailman_archive_t)
|
|
|
|
type mailman_log_t;
|
|
logging_log_file(mailman_log_t)
|
|
|
|
type mailman_lock_t;
|
|
files_lock_file(mailman_lock_t)
|
|
|
|
mailman_domain_template(mail)
|
|
init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
|
|
|
|
mailman_domain_template(queue)
|
|
|
|
########################################
|
|
#
|
|
# Mailman CGI local policy
|
|
#
|
|
|
|
# cjp: the template invocation for queue should be
|
|
# in the below optional policy; however, there are no
|
|
# optionals for file contexts yet, so it is promoted
|
|
# to global scope until such facilities exist.
|
|
|
|
optional_policy(`apache.te',`
|
|
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
|
|
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
|
|
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
|
|
|
|
kernel_tcp_recvfrom(mailman_cgi_t)
|
|
|
|
term_use_controlling_term(mailman_cgi_t)
|
|
|
|
files_search_spool(mailman_cgi_t)
|
|
|
|
mta_tcp_connect_all_mailservers(mailman_cgi_t)
|
|
|
|
apache_sigchld(mailman_cgi_t)
|
|
apache_use_fd(mailman_cgi_t)
|
|
apache_dontaudit_append_log(mailman_cgi_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Mailman mail local policy
|
|
#
|
|
|
|
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
mta_dontaudit_rw_delivery_tcp_socket(mailman_mail_t)
|
|
|
|
ifdef(`TODO',`
|
|
optional_policy(`qmail.te', `
|
|
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
|
|
# do we really need this?
|
|
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Mailman queue local policy
|
|
#
|
|
|
|
allow mailman_queue_t self:capability { setgid setuid };
|
|
allow mailman_queue_t self:process signal;
|
|
allow mailman_queue_t self:fifo_file rw_file_perms;
|
|
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
|
|
allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
|
|
allow mailman_queue_t mailman_archive_t:file create_file_perms;
|
|
allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
|
|
|
|
kernel_read_proc_symlinks(mailman_queue_t)
|
|
kernel_tcp_recvfrom(mailman_queue_t)
|
|
|
|
auth_domtrans_chk_passwd(mailman_queue_t)
|
|
|
|
files_dontaudit_search_pids(mailman_queue_t)
|
|
|
|
# for su
|
|
seutil_dontaudit_search_config(mailman_queue_t)
|
|
|
|
# some of the following could probably be changed to dontaudit, someone who
|
|
# knows mailman well should test this out and send the changes
|
|
userdom_search_sysadm_home_dir(mailman_queue_t)
|
|
userdom_getattr_sysadm_home_dir(mailman_queue_t)
|
|
|
|
mta_tcp_connect_all_mailservers(mailman_queue_t)
|
|
|
|
su_exec(mailman_queue_t)
|
|
|
|
optional_policy(`cron.te',`
|
|
cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
|
|
')
|
|
|
|
optional_policy(`nscd.te',`
|
|
nscd_use_socket(mailman_queue_t)
|
|
')
|