29af4c13 | 1 | policy_module(mailman, 1.8.0) |
799a0b43 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | mailman_domain_template(cgi) | |
9 | ||
10 | type mailman_data_t; | |
11 | files_type(mailman_data_t) | |
12 | ||
13 | type mailman_archive_t; | |
14 | files_type(mailman_archive_t) | |
15 | ||
16 | type mailman_log_t; | |
17 | logging_log_file(mailman_log_t) | |
18 | ||
19 | type mailman_lock_t; | |
20 | files_lock_file(mailman_lock_t) | |
21 | ||
edc93b69 DW |
22 | type mailman_var_run_t; |
23 | files_pid_file(mailman_var_run_t) | |
24 | ||
799a0b43 | 25 | mailman_domain_template(mail) |
0bfccda4 | 26 | init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) |
799a0b43 CP |
27 | |
28 | mailman_domain_template(queue) | |
29 | ||
30 | ######################################## | |
31 | # | |
32 | # Mailman CGI local policy | |
33 | # | |
34 | ||
46551033 | 35 | # cjp: the template invocation for cgi should be |
799a0b43 CP |
36 | # in the below optional policy; however, there are no |
37 | # optionals for file contexts yet, so it is promoted | |
38 | # to global scope until such facilities exist. | |
39 | ||
bb7170f6 | 40 | optional_policy(` |
46551033 CP |
41 | dev_read_urand(mailman_cgi_t) |
42 | ||
0bfccda4 CP |
43 | manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) |
44 | manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) | |
45 | manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) | |
799a0b43 | 46 | |
3c3c0439 | 47 | files_search_spool(mailman_cgi_t) |
799a0b43 CP |
48 | |
49 | term_use_controlling_term(mailman_cgi_t) | |
50 | ||
3c3c0439 CP |
51 | # for python pre-compile foolishness |
52 | libs_dontaudit_write_lib_dirs(mailman_cgi_t) | |
799a0b43 | 53 | |
799a0b43 | 54 | apache_sigchld(mailman_cgi_t) |
1c1ac67f | 55 | apache_use_fds(mailman_cgi_t) |
799a0b43 | 56 | apache_dontaudit_append_log(mailman_cgi_t) |
9fd4b818 | 57 | apache_search_sys_script_state(mailman_cgi_t) |
92f08c71 CP |
58 | apache_read_config(mailman_cgi_t) |
59 | apache_dontaudit_rw_stream_sockets(mailman_cgi_t) | |
799a0b43 CP |
60 | ') |
61 | ||
62 | ######################################## | |
63 | # | |
64 | # Mailman mail local policy | |
65 | # | |
66 | ||
92f08c71 | 67 | allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; |
d542026b DG |
68 | allow mailman_mail_t self:process { signal signull }; |
69 | allow mailman_mail_t self:unix_dgram_socket create_socket_perms; | |
92f08c71 CP |
70 | |
71 | manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) | |
72 | manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) | |
73 | manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) | |
74 | ||
ce50f4c7 MG |
75 | manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) |
76 | manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) | |
77 | files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) | |
edc93b69 | 78 | |
f46748f8 MG |
79 | # make NNTP gateway working |
80 | corenet_tcp_connect_innd_port(mailman_mail_t) | |
81 | corenet_tcp_connect_spamd_port(mailman_mail_t) | |
82 | ||
06ae0889 MG |
83 | dev_read_urand(mailman_mail_t) |
84 | ||
92f08c71 CP |
85 | files_search_spool(mailman_mail_t) |
86 | ||
87 | fs_rw_anon_inodefs_files(mailman_mail_t) | |
799a0b43 | 88 | |
1815bad1 | 89 | mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) |
92f08c71 | 90 | mta_dontaudit_rw_queue(mailman_mail_t) |
799a0b43 | 91 | |
3624ef76 CP |
92 | optional_policy(` |
93 | courier_read_spool(mailman_mail_t) | |
94 | ') | |
95 | ||
bb7170f6 | 96 | optional_policy(` |
92f08c71 | 97 | cron_read_pipes(mailman_mail_t) |
799a0b43 | 98 | ') |
92f08c71 CP |
99 | |
100 | optional_policy(` | |
101 | postfix_search_spool(mailman_mail_t) | |
96741dc7 | 102 | postfix_rw_master_pipes(mailman_mail_t) |
799a0b43 CP |
103 | ') |
104 | ||
105 | ######################################## | |
106 | # | |
107 | # Mailman queue local policy | |
108 | # | |
109 | ||
110 | allow mailman_queue_t self:capability { setgid setuid }; | |
111 | allow mailman_queue_t self:process signal; | |
c0868a7a | 112 | allow mailman_queue_t self:fifo_file rw_fifo_file_perms; |
799a0b43 | 113 | allow mailman_queue_t self:unix_dgram_socket create_socket_perms; |
799a0b43 | 114 | |
0bfccda4 CP |
115 | manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) |
116 | manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) | |
117 | manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) | |
799a0b43 CP |
118 | |
119 | kernel_read_proc_symlinks(mailman_queue_t) | |
799a0b43 | 120 | |
f46748f8 MG |
121 | corenet_tcp_connect_innd_port(mailman_queue_t) |
122 | ||
799a0b43 CP |
123 | auth_domtrans_chk_passwd(mailman_queue_t) |
124 | ||
125 | files_dontaudit_search_pids(mailman_queue_t) | |
126 | ||
127 | # for su | |
128 | seutil_dontaudit_search_config(mailman_queue_t) | |
129 | ||
130 | # some of the following could probably be changed to dontaudit, someone who | |
131 | # knows mailman well should test this out and send the changes | |
296273a7 CP |
132 | userdom_search_user_home_dirs(mailman_queue_t) |
133 | ||
92f08c71 CP |
134 | optional_policy(` |
135 | apache_read_config(mailman_queue_t) | |
136 | ') | |
799a0b43 | 137 | |
bb7170f6 | 138 | optional_policy(` |
0bfccda4 | 139 | cron_system_entry(mailman_queue_t, mailman_queue_exec_t) |
799a0b43 | 140 | ') |
92f08c71 CP |
141 | |
142 | optional_policy(` | |
143 | su_exec(mailman_queue_t) | |
c6fa935f | 144 | ') |