[people/stevee/selinux-policy.git] / policy / modules / services / amavis.te


policy_module(amavis, 1.11.0)

########################################
#
# Declarations
#

type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files
type amavis_etc_t;
files_config_file(amavis_etc_t)

type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)

# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

type amavis_spool_t;
files_type(amavis_spool_t)

########################################
#
# amavis local policy
#

allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;

# configuration files
allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)

can_exec(amavis_t, amavis_exec_t)

# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)

# Spool Files
manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)

# tmp files
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)

# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)

# log files
allow amavis_t amavis_var_log_t:dir setattr;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

# pid file
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)

# find perl
corecmd_exec_bin(amavis_t)

corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_tcp_sendrecv_generic_node(amavis_t)
corenet_tcp_bind_generic_node(amavis_t)
corenet_udp_bind_generic_node(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)

dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

fs_getattr_xattr_fs(amavis_t)

auth_dontaudit_read_shadow(amavis_t)

# uses uptime which reads utmp - redhat bug 561383
init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_certs(amavis_t)
miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)

userdom_dontaudit_search_user_home_dirs(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

mta_read_config(amavis_t)

optional_policy(`
	clamav_stream_connect(amavis_t)
	clamav_domtrans_clamscan(amavis_t)
')

optional_policy(`
	dcc_domtrans_client(amavis_t)
	dcc_stream_connect_dccifd(amavis_t)
')

optional_policy(`
	postfix_read_config(amavis_t)
')

optional_policy(`
	pyzor_domtrans(amavis_t)
	pyzor_signal(amavis_t)
')

optional_policy(`
	razor_domtrans(amavis_t)
')

optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
	spamassassin_read_lib_files(amavis_t)
')
Commit	Line	Data
8a0a9944	1
29af4c13	2	policy_module(amavis, 1.11.0)
8a0a9944 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type amavis_t;
	10	type amavis_exec_t;
	11	domain_type(amavis_t)
	12	init_daemon_domain(amavis_t, amavis_exec_t)
	13
	14	# configuration files
	15	type amavis_etc_t;
967fd1ba CP	16	files_config_file(amavis_etc_t)
	17
	18	type amavis_initrc_exec_t;
	19	init_script_file(amavis_initrc_exec_t)
8a0a9944 CP	20
	21	# pid files
	22	type amavis_var_run_t;
	23	files_pid_file(amavis_var_run_t)
	24
	25	# var/lib files
	26	type amavis_var_lib_t;
	27	files_type(amavis_var_lib_t)
	28
	29	# log files
	30	type amavis_var_log_t;
	31	logging_log_file(amavis_var_log_t)
	32
	33	# tmp files
	34	type amavis_tmp_t;
	35	files_tmp_file(amavis_tmp_t)
	36
	37	# virus quarantine
	38	type amavis_quarantine_t;
	39	files_type(amavis_quarantine_t)
	40
87eb5c84 CP	41	type amavis_spool_t;
	42	files_type(amavis_spool_t)
	43
8a0a9944 CP	44	########################################
	45	#
	46	# amavis local policy
	47	#
	48
87eb5c84	49	allow amavis_t self:capability { kill chown dac_override setgid setuid };
8a0a9944 CP	50	dontaudit amavis_t self:capability sys_tty_config;
8a0a9944 CP	51	allow amavis_t self:process { signal sigchld signull };
c0868a7a	52	allow amavis_t self:fifo_file rw_fifo_file_perms;
8a0a9944 CP	53	allow amavis_t self:unix_stream_socket create_stream_socket_perms;
	54	allow amavis_t self:unix_dgram_socket create_socket_perms;
	55	allow amavis_t self:tcp_socket { listen accept };
747ab184	56	allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
8a0a9944 CP	57
8a0a9944 CP	58	# configuration files
c0868a7a	59	allow amavis_t amavis_etc_t:dir list_dir_perms;
0bfccda4 CP	60	read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
0bfccda4 CP	61	read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
8a0a9944	62
967fd1ba CP	63	can_exec(amavis_t, amavis_exec_t)
967fd1ba CP	64
8a0a9944	65	# mail quarantine
0bfccda4 CP	66	manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
	67	manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
	68	manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
8a0a9944	69
87eb5c84	70	# Spool Files
0bfccda4 CP	71	manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
0bfccda4 CP	72	manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
ee6608ba	73	manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
0bfccda4 CP	74	manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
0bfccda4 CP	75	filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
a5e2133b	76	files_search_spool(amavis_t)
87eb5c84	77
8a0a9944	78	# tmp files
0bfccda4	79	manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
c0868a7a	80	allow amavis_t amavis_tmp_t:dir setattr;
3f67f722	81	files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
8a0a9944 CP	82
8a0a9944 CP	83	# var/lib files for amavis
0bfccda4 CP	84	manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
	85	manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
	86	manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
747ab184	87	files_search_var_lib(amavis_t)
8a0a9944 CP	88
8a0a9944 CP	89	# log files
c0868a7a	90	allow amavis_t amavis_var_log_t:dir setattr;
0bfccda4 CP	91	manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
	92	manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
	93	logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
8a0a9944 CP	94
8a0a9944 CP	95	# pid file
0bfccda4 CP	96	manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
	97	manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
	98	files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })
8a0a9944	99
87eb5c84	100	kernel_read_kernel_sysctls(amavis_t)
8a0a9944 CP	101	# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
8a0a9944 CP	102	kernel_dontaudit_list_proc(amavis_t)
522b59bb	103	kernel_dontaudit_read_proc_symlinks(amavis_t)
87eb5c84	104	kernel_dontaudit_read_system_state(amavis_t)
8a0a9944 CP	105
	106	# find perl
	107	corecmd_exec_bin(amavis_t)
8a0a9944	108
19006686 CP	109	corenet_all_recvfrom_unlabeled(amavis_t)
19006686 CP	110	corenet_all_recvfrom_netlabel(amavis_t)
668b3093	111	corenet_tcp_sendrecv_generic_if(amavis_t)
c1262146 CP	112	corenet_tcp_sendrecv_generic_node(amavis_t)
	113	corenet_tcp_bind_generic_node(amavis_t)
	114	corenet_udp_bind_generic_node(amavis_t)
8a0a9944 CP	115	# amavis uses well-defined ports
	116	corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
	117	corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
	118	# just the other side not. ;-)
	119	corenet_tcp_sendrecv_all_ports(amavis_t)
	120	# connect to backchannel port
	121	corenet_tcp_connect_amavisd_send_port(amavis_t)
	122	# bind to incoming port
	123	corenet_tcp_bind_amavisd_recv_port(amavis_t)
522b59bb	124	corenet_udp_bind_generic_port(amavis_t)
ee6608ba	125	corenet_dontaudit_udp_bind_all_ports(amavis_t)
a5e2133b	126	corenet_tcp_connect_razor_port(amavis_t)
8a0a9944 CP	127
	128	dev_read_rand(amavis_t)
	129	dev_read_urand(amavis_t)
	130
	131	domain_use_interactive_fds(amavis_t)
	132
	133	files_read_etc_files(amavis_t)
	134	files_read_etc_runtime_files(amavis_t)
	135	files_read_usr_files(amavis_t)
	136
5894c3e4 CP	137	fs_getattr_xattr_fs(amavis_t)
5894c3e4 CP	138
8a0a9944 CP	139	auth_dontaudit_read_shadow(amavis_t)
8a0a9944 CP	140
6a035482 JS	141	# uses uptime which reads utmp - redhat bug 561383
6a035482 JS	142	init_read_utmp(amavis_t)
87eb5c84	143	init_stream_connect_script(amavis_t)
8a0a9944	144
8a0a9944 CP	145	logging_send_syslog_msg(amavis_t)
8a0a9944 CP	146
6a035482	147	miscfiles_read_certs(amavis_t)
8a0a9944 CP	148	miscfiles_read_localization(amavis_t)
	149
	150	sysnet_dns_name_resolve(amavis_t)
13d7cec6	151	sysnet_use_ldap(amavis_t)
8a0a9944	152
296273a7 CP	153	userdom_dontaudit_search_user_home_dirs(amavis_t)
296273a7 CP	154
8a0a9944 CP	155	# Cron handling
	156	cron_use_fds(amavis_t)
	157	cron_use_system_job_fds(amavis_t)
	158	cron_rw_pipes(amavis_t)
	159
	160	mta_read_config(amavis_t)
	161
bb7170f6	162	optional_policy(`
8a0a9944	163	clamav_stream_connect(amavis_t)
87eb5c84	164	clamav_domtrans_clamscan(amavis_t)
8a0a9944 CP	165	')
8a0a9944 CP	166
6ba4d964 CP	167	optional_policy(`
	168	dcc_domtrans_client(amavis_t)
	169	dcc_stream_connect_dccifd(amavis_t)
	170	')
	171
a5e2133b CP	172	optional_policy(`
	173	postfix_read_config(amavis_t)
	174	')
	175
e9935943 CP	176	optional_policy(`
e9935943 CP	177	pyzor_domtrans(amavis_t)
6dd721a6	178	pyzor_signal(amavis_t)
e9935943 CP	179	')
e9935943 CP	180
20e929e0 CP	181	optional_policy(`
	182	razor_domtrans(amavis_t)
	183	')
	184
bb7170f6	185	optional_policy(`
8a0a9944 CP	186	spamassassin_exec(amavis_t)
8a0a9944 CP	187	spamassassin_exec_client(amavis_t)
747ab184	188	spamassassin_read_lib_files(amavis_t)
8a0a9944	189	')