selinux-policy/policy/modules/services/mta.te
2009-07-29 10:59:09 -04:00

243 lines
6.2 KiB
Plaintext

policy_module(mta, 2.1.3)
########################################
#
# Declarations
#
attribute mailcontent_type;
attribute mta_exec_type;
attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
attribute mailserver_sender;
attribute user_mail_domain;
type etc_aliases_t;
files_type(etc_aliases_t)
type etc_mail_t;
files_config_file(etc_mail_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
type mail_spool_t;
files_mountpoint(mail_spool_t)
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
mta_base_mail_template(system)
role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
ubac_constrained(user_mail_t)
ubac_constrained(user_mail_tmp_t)
########################################
#
# System mail local policy
#
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
allow system_mail_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
allow system_mail_t mta_exec_type:file entrypoint;
can_exec(system_mail_t, mta_exec_type)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
fs_rw_anon_inodefs_files(system_mail_t)
selinux_getattr_fs(system_mail_t)
init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
# apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
')
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
ifdef(`hide_broken_symptoms', `
arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
')
')
optional_policy(`
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
')
optional_policy(`
courier_manage_spool_dirs(system_mail_t)
courier_manage_spool_files(system_mail_t)
courier_rw_spool_pipes(system_mail_t)
')
optional_policy(`
cvs_read_data(system_mail_t)
')
optional_policy(`
exim_domtrans(system_mail_t)
exim_manage_log(system_mail_t)
')
optional_policy(`
fail2ban_append_log(system_mail_t)
')
optional_policy(`
logrotate_read_tmp_files(system_mail_t)
')
optional_policy(`
logwatch_read_tmp_files(system_mail_t)
')
optional_policy(`
# newaliases runs as system_mail_t when the sendmail initscript does a restart
milter_getattr_all_sockets(system_mail_t)
')
optional_policy(`
nagios_read_tmp_files(system_mail_t)
')
optional_policy(`
manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
# postfix needs this for newaliases
files_getattr_tmp_dirs(system_mail_t)
postfix_exec_master(system_mail_t)
postfix_read_config(system_mail_t)
postfix_search_spool(system_mail_t)
ifdef(`distro_redhat',`
# compatability for old default main.cf
postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
')
')
optional_policy(`
qmail_domtrans_inject(system_mail_t)
')
optional_policy(`
sxid_read_log(system_mail_t)
')
optional_policy(`
userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
cron_dontaudit_append_system_job_tmp_files(system_mail_t)
')
')
optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
# should break this up among sections:
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
ifdef(`hide_broken_symptoms', `
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
########################################
#
# User send mail local policy
#
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals(mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
userdom_manage_user_home_content_dirs(mailserver_delivery)
userdom_manage_user_home_content_files(mailserver_delivery)
userdom_manage_user_home_content_symlinks(mailserver_delivery)
userdom_manage_user_home_content_pipes(mailserver_delivery)
userdom_manage_user_home_content_sockets(mailserver_delivery)
userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
# Read user temporary files.
userdom_read_user_tmp_files(user_mail_t)
userdom_dontaudit_append_user_tmp_files(user_mail_t)
# cjp: this should probably be read all user tmp
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(user_mail_t)
fs_manage_cifs_symlinks(user_mail_t)
')
optional_policy(`
allow user_mail_t self:capability dac_override;
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')