0f7c400223
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
164 lines
4.6 KiB
Plaintext
164 lines
4.6 KiB
Plaintext
policy_module(procmail, 1.12.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type procmail_t;
|
|
type procmail_exec_t;
|
|
application_domain(procmail_t, procmail_exec_t)
|
|
role system_r types procmail_t;
|
|
|
|
type procmail_home_t;
|
|
userdom_user_home_content(procmail_home_t)
|
|
|
|
type procmail_log_t;
|
|
logging_log_file(procmail_log_t)
|
|
|
|
type procmail_tmp_t;
|
|
files_tmp_file(procmail_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
|
|
allow procmail_t self:process { setsched signal signull };
|
|
allow procmail_t self:fifo_file rw_fifo_file_perms;
|
|
allow procmail_t self:unix_stream_socket create_socket_perms;
|
|
allow procmail_t self:unix_dgram_socket create_socket_perms;
|
|
allow procmail_t self:tcp_socket create_stream_socket_perms;
|
|
allow procmail_t self:udp_socket create_socket_perms;
|
|
|
|
can_exec(procmail_t, procmail_exec_t)
|
|
|
|
# Write log to /var/log/procmail.log or /var/log/procmail/.*
|
|
allow procmail_t procmail_log_t:dir setattr_dir_perms;
|
|
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
|
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
|
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
|
logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
|
|
|
|
allow procmail_t procmail_tmp_t:file manage_file_perms;
|
|
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
|
|
|
|
kernel_read_system_state(procmail_t)
|
|
kernel_read_kernel_sysctls(procmail_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(procmail_t)
|
|
corenet_all_recvfrom_netlabel(procmail_t)
|
|
corenet_tcp_sendrecv_generic_if(procmail_t)
|
|
corenet_udp_sendrecv_generic_if(procmail_t)
|
|
corenet_tcp_sendrecv_generic_node(procmail_t)
|
|
corenet_udp_sendrecv_generic_node(procmail_t)
|
|
corenet_tcp_sendrecv_all_ports(procmail_t)
|
|
corenet_udp_sendrecv_all_ports(procmail_t)
|
|
corenet_udp_bind_generic_node(procmail_t)
|
|
corenet_tcp_connect_spamd_port(procmail_t)
|
|
corenet_sendrecv_spamd_client_packets(procmail_t)
|
|
corenet_sendrecv_comsat_client_packets(procmail_t)
|
|
|
|
dev_read_urand(procmail_t)
|
|
|
|
fs_getattr_xattr_fs(procmail_t)
|
|
fs_search_auto_mountpoints(procmail_t)
|
|
fs_rw_anon_inodefs_files(procmail_t)
|
|
|
|
auth_use_nsswitch(procmail_t)
|
|
|
|
corecmd_exec_bin(procmail_t)
|
|
corecmd_exec_shell(procmail_t)
|
|
corecmd_read_bin_symlinks(procmail_t)
|
|
|
|
files_read_etc_files(procmail_t)
|
|
files_read_etc_runtime_files(procmail_t)
|
|
files_search_pids(procmail_t)
|
|
# for spamassasin
|
|
files_read_usr_files(procmail_t)
|
|
|
|
logging_send_syslog_msg(procmail_t)
|
|
logging_append_all_logs(procmail_t)
|
|
|
|
miscfiles_read_localization(procmail_t)
|
|
|
|
list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
|
|
read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
|
|
userdom_search_user_home_dirs(procmail_t)
|
|
userdom_search_admin_dir(procmail_t)
|
|
|
|
# only works until we define a different type for maildir
|
|
userdom_manage_user_home_content_dirs(procmail_t)
|
|
userdom_manage_user_home_content_files(procmail_t)
|
|
userdom_manage_user_home_content_symlinks(procmail_t)
|
|
userdom_manage_user_home_content_pipes(procmail_t)
|
|
userdom_manage_user_home_content_sockets(procmail_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
|
|
|
|
# Execute user executables
|
|
userdom_exec_user_bin_files(procmail_t)
|
|
|
|
mta_manage_spool(procmail_t)
|
|
mta_read_queue(procmail_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
mta_dontaudit_rw_queue(procmail_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(procmail_t)
|
|
fs_manage_nfs_files(procmail_t)
|
|
fs_manage_nfs_symlinks(procmail_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(procmail_t)
|
|
fs_manage_cifs_files(procmail_t)
|
|
fs_manage_cifs_symlinks(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_domtrans_clamscan(procmail_t)
|
|
clamav_search_lib(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
munin_dontaudit_search_lib(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# for a bug in the postfix local program
|
|
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
|
postfix_dontaudit_use_fds(procmail_t)
|
|
postfix_read_spool_files(procmail_t)
|
|
postfix_read_local_state(procmail_t)
|
|
postfix_read_master_state(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nagios_search_spool(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pyzor_domtrans(procmail_t)
|
|
pyzor_signal(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_read_config(procmail_t)
|
|
sendmail_domtrans(procmail_t)
|
|
sendmail_signal(procmail_t)
|
|
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
|
|
sendmail_dontaudit_rw_unix_stream_sockets(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
corenet_udp_bind_generic_port(procmail_t)
|
|
corenet_dontaudit_udp_bind_all_ports(procmail_t)
|
|
|
|
spamassassin_domtrans_local_client(procmail_t)
|
|
spamassassin_domtrans_client(procmail_t)
|
|
spamassassin_read_lib_files(procmail_t)
|
|
')
|