57 lines
1.5 KiB
Plaintext
57 lines
1.5 KiB
Plaintext
#
|
|
# Macros for sendmail domains.
|
|
#
|
|
|
|
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
# Russell Coker <russell@coker.com.au>
|
|
#
|
|
|
|
#
|
|
# sendmail_user_domain(domain_prefix)
|
|
#
|
|
# Define a derived domain for the sendmail program when executed by
|
|
# a user domain to send outgoing mail. These domains are separate and
|
|
# independent of the domain used for the sendmail daemon process.
|
|
#
|
|
undefine(`sendmail_user_domain')
|
|
define(`sendmail_user_domain', `
|
|
|
|
# Use capabilities
|
|
allow $1_mail_t self:capability net_bind_service;
|
|
|
|
tmp_domain($1_mail)
|
|
|
|
# Write to /var/spool/mail and /var/spool/mqueue.
|
|
allow $1_mail_t mail_spool_t:dir rw_dir_perms;
|
|
allow $1_mail_t mail_spool_t:file create_file_perms;
|
|
allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
|
|
allow $1_mail_t mqueue_spool_t:file create_file_perms;
|
|
|
|
# Write to /var/log/sendmail.st
|
|
file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
|
|
|
|
allow $1_mail_t etc_mail_t:dir { getattr search };
|
|
|
|
allow $1_mail_t { var_t var_spool_t }:dir getattr;
|
|
|
|
allow $1_mail_t etc_runtime_t:file { getattr read };
|
|
|
|
# Check available space.
|
|
allow $1_mail_t fs_t:filesystem getattr;
|
|
|
|
allow $1_mail_t sysctl_kernel_t:dir search;
|
|
|
|
ifelse(`$1', `sysadm', `
|
|
allow $1_mail_t proc_t:dir { getattr search };
|
|
allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
|
|
dontaudit $1_mail_t proc_net_t:dir search;
|
|
allow $1_mail_t sysctl_kernel_t:file { getattr read };
|
|
allow $1_mail_t etc_runtime_t:file { getattr read };
|
|
', `
|
|
dontaudit $1_mail_t proc_t:dir search;
|
|
dontaudit $1_mail_t sysctl_kernel_t:file read;
|
|
')dnl end if sysadm
|
|
')
|
|
|