
policy_module(amavis, 1.10.2)

########################################
#
# Declarations
#

# Daemon domain and its entrypoint type. init_daemon_domain() is what makes
# init transition into amavis_t when it executes a file labeled amavis_exec_t,
# so the daemon never runs in init's own domain.
type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files (read-only for the daemon, see the local policy below)
type amavis_etc_t;
files_config_file(amavis_etc_t)

# init script, so that service management can transition properly
type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)

# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine: a dedicated type so quarantined mail can be kept apart
# from ordinary spool/lib content
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

# spool / working directory
type amavis_spool_t;
files_type(amavis_spool_t)

########################################
#
# amavis local policy
#

# Capabilities granted to the daemon itself. dac_override bypasses DAC mode
# bits on any file the domain can otherwise reach, so this line carries the
# most risk in the module; setuid/setgid are presumably used to drop privileges
# after start-up -- confirm against the daemon's configuration before widening.
allow amavis_t self:capability { kill chown dac_override setgid setuid };
# dontaudit only suppresses the AVC message; sys_tty_config is still denied.
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
# Only listen/accept on its own TCP sockets here; socket creation and
# send/recv are covered by the corenet_* interfaces further down.
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;

# configuration files: list, read and follow symlinks, never write
allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)

# re-exec of its own binary stays in amavis_t (no transition)
can_exec(amavis_t, amavis_exec_t)

# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)

# Spool Files
manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
# sockets created inside amavis_spool_t directories are labeled
# amavis_var_run_t rather than inheriting the spool type
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)

# tmp files
# Only regular files are managed and name-transitioned into amavis_tmp_t;
# directories get setattr only, so tmp subdirectories are not covered here.
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)

# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)

# log files
allow amavis_t amavis_var_log_t:dir setattr;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

# pid file
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
# These are dontaudit rules: the accesses stay denied, only the log noise
# from perl's start-up probing is suppressed.
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)

# find perl
corecmd_exec_bin(amavis_t)

corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_tcp_sendrecv_generic_node(amavis_t)
corenet_tcp_bind_generic_node(amavis_t)
corenet_udp_bind_generic_node(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
# NOTE(review): this all_ports grant subsumes the two amavisd port lines
# above; the effective sendrecv permission is the wide one.
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
# binding other UDP ports remains denied, just not logged
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)

dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

fs_getattr_xattr_fs(amavis_t)

# /etc/shadow stays unreadable; this only keeps the perl probe out of the audit log
auth_dontaudit_read_shadow(amavis_t)

init_stream_connect_script(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)

userdom_dontaudit_search_user_home_dirs(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

mta_read_config(amavis_t)

# Scanner integrations below are optional_policy blocks, so they only apply
# when the corresponding module is loaded. The *_domtrans interfaces run the
# helper in its own domain rather than inside amavis_t.
optional_policy(`
	clamav_stream_connect(amavis_t)
	clamav_domtrans_clamscan(amavis_t)
')

optional_policy(`
	dcc_domtrans_client(amavis_t)
	dcc_stream_connect_dccifd(amavis_t)
')

optional_policy(`
	postfix_read_config(amavis_t)
')

optional_policy(`
	pyzor_domtrans(amavis_t)
	pyzor_signal(amavis_t)
')

optional_policy(`
	razor_domtrans(amavis_t)
')

# spamassassin is exec'd, not domain-transitioned: it runs inside amavis_t
optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
	spamassassin_read_lib_files(amavis_t)
')