projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 29af4c13 | 1 | policy_module(mailman, 1.8.0) |
| 799a0b43 CP |
2 | |
| 3 | ######################################## | |
| 4 | # | |
| 5 | # Declarations | |
| 6 | # | |
| 7 | ||
| 8 | mailman_domain_template(cgi) | |
| 9 | ||
| 10 | type mailman_data_t; | |
| 11 | files_type(mailman_data_t) | |
| 12 | ||
| 13 | type mailman_archive_t; | |
| 14 | files_type(mailman_archive_t) | |
| 15 | ||
| 16 | type mailman_log_t; | |
| 17 | logging_log_file(mailman_log_t) | |
| 18 | ||
| 19 | type mailman_lock_t; | |
| 20 | files_lock_file(mailman_lock_t) | |
| 21 | ||
| edc93b69 DW |
22 | type mailman_var_run_t; |
| 23 | files_pid_file(mailman_var_run_t) | |
| 24 | ||
| 799a0b43 | 25 | mailman_domain_template(mail) |
| 0bfccda4 | 26 | init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) |
| 799a0b43 CP |
27 | |
| 28 | mailman_domain_template(queue) | |
| 29 | ||
| 30 | ######################################## | |
| 31 | # | |
| 32 | # Mailman CGI local policy | |
| 33 | # | |
| 34 | ||
| 46551033 | 35 | # cjp: the template invocation for cgi should be |
| 799a0b43 CP |
36 | # in the below optional policy; however, there are no |
| 37 | # optionals for file contexts yet, so it is promoted | |
| 38 | # to global scope until such facilities exist. | |
| 39 | ||
| bb7170f6 | 40 | optional_policy(` |
| 46551033 CP |
41 | dev_read_urand(mailman_cgi_t) |
| 42 | ||
| 0bfccda4 CP |
43 | manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) |
| 44 | manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) | |
| 45 | manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) | |
| 799a0b43 | 46 | |
| 3c3c0439 | 47 | files_search_spool(mailman_cgi_t) |
| 799a0b43 CP |
48 | |
| 49 | term_use_controlling_term(mailman_cgi_t) | |
| 50 | ||
| 3c3c0439 CP |
51 | # for python pre-compile foolishness |
| 52 | libs_dontaudit_write_lib_dirs(mailman_cgi_t) | |
| 799a0b43 | 53 | |
| 799a0b43 | 54 | apache_sigchld(mailman_cgi_t) |
| 1c1ac67f | 55 | apache_use_fds(mailman_cgi_t) |
| 799a0b43 | 56 | apache_dontaudit_append_log(mailman_cgi_t) |
| 9fd4b818 | 57 | apache_search_sys_script_state(mailman_cgi_t) |
| 92f08c71 CP |
58 | apache_read_config(mailman_cgi_t) |
| 59 | apache_dontaudit_rw_stream_sockets(mailman_cgi_t) | |
| 799a0b43 CP |
60 | ') |
| 61 | ||
| 62 | ######################################## | |
| 63 | # | |
| 64 | # Mailman mail local policy | |
| 65 | # | |
| 66 | ||
| 92f08c71 | 67 | allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; |
| d542026b DG |
68 | allow mailman_mail_t self:process { signal signull }; |
| 69 | allow mailman_mail_t self:unix_dgram_socket create_socket_perms; | |
| 92f08c71 CP |
70 | |
| 71 | manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) | |
| 72 | manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) | |
| 73 | manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) | |
| 74 | ||
| ce50f4c7 MG |
75 | manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) |
| 76 | manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) | |
| 77 | files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) | |
| edc93b69 | 78 | |
| f46748f8 MG |
79 | # make NNTP gateway working |
| 80 | corenet_tcp_connect_innd_port(mailman_mail_t) | |
| 81 | corenet_tcp_connect_spamd_port(mailman_mail_t) | |
| 82 | ||
| 06ae0889 MG |
83 | dev_read_urand(mailman_mail_t) |
| 84 | ||
| 92f08c71 CP |
85 | files_search_spool(mailman_mail_t) |
| 86 | ||
| 87 | fs_rw_anon_inodefs_files(mailman_mail_t) | |
| 799a0b43 | 88 | |
| 1815bad1 | 89 | mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) |
| 92f08c71 | 90 | mta_dontaudit_rw_queue(mailman_mail_t) |
| 799a0b43 | 91 | |
| 3624ef76 CP |
92 | optional_policy(` |
| 93 | courier_read_spool(mailman_mail_t) | |
| 94 | ') | |
| 95 | ||
| bb7170f6 | 96 | optional_policy(` |
| 92f08c71 | 97 | cron_read_pipes(mailman_mail_t) |
| 799a0b43 | 98 | ') |
| 92f08c71 CP |
99 | |
| 100 | optional_policy(` | |
| 101 | postfix_search_spool(mailman_mail_t) | |
| 96741dc7 | 102 | postfix_rw_master_pipes(mailman_mail_t) |
| 799a0b43 CP |
103 | ') |
| 104 | ||
| 105 | ######################################## | |
| 106 | # | |
| 107 | # Mailman queue local policy | |
| 108 | # | |
| 109 | ||
| 110 | allow mailman_queue_t self:capability { setgid setuid }; | |
| 111 | allow mailman_queue_t self:process signal; | |
| c0868a7a | 112 | allow mailman_queue_t self:fifo_file rw_fifo_file_perms; |
| 799a0b43 | 113 | allow mailman_queue_t self:unix_dgram_socket create_socket_perms; |
| 799a0b43 | 114 | |
| 0bfccda4 CP |
115 | manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) |
| 116 | manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) | |
| 117 | manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) | |
| 799a0b43 CP |
118 | |
| 119 | kernel_read_proc_symlinks(mailman_queue_t) | |
| 799a0b43 | 120 | |
| f46748f8 MG |
121 | corenet_tcp_connect_innd_port(mailman_queue_t) |
| 122 | ||
| 799a0b43 CP |
123 | auth_domtrans_chk_passwd(mailman_queue_t) |
| 124 | ||
| 125 | files_dontaudit_search_pids(mailman_queue_t) | |
| 126 | ||
| 127 | # for su | |
| 128 | seutil_dontaudit_search_config(mailman_queue_t) | |
| 129 | ||
| 130 | # some of the following could probably be changed to dontaudit, someone who | |
| 131 | # knows mailman well should test this out and send the changes | |
| 296273a7 CP |
132 | userdom_search_user_home_dirs(mailman_queue_t) |
| 133 | ||
| 92f08c71 CP |
134 | optional_policy(` |
| 135 | apache_read_config(mailman_queue_t) | |
| 136 | ') | |
| 799a0b43 | 137 | |
| bb7170f6 | 138 | optional_policy(` |
| 0bfccda4 | 139 | cron_system_entry(mailman_queue_t, mailman_queue_exec_t) |
| 799a0b43 | 140 | ') |
| 92f08c71 CP |
141 | |
| 142 | optional_policy(` | |
| 143 | su_exec(mailman_queue_t) | |
| c6fa935f | 144 | ') |