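
policy_module(amavis, 1.8.0)

########################################
#
# Declarations
#

# Domain for the amavisd daemon and the type of its executable. The daemon is
# started by init and transitions into amavis_t (init_daemon_domain).
type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files
type amavis_etc_t;
files_config_file(amavis_etc_t)

# init script
type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)

# pid files (also used for the sockets the daemon creates, see filetrans rules below)
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine: holds untrusted, possibly malicious mail; only amavis_t is
# granted access to it in this file
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

# spool files
type amavis_spool_t;
files_type(amavis_spool_t)

########################################
#
# amavis local policy
#

# dac_override lets the daemon bypass file mode bits on anything SELinux already
# permits, and setuid/setgid let it change uid/gid (presumably to drop root
# after startup). NOTE(review): these are broad; confirm each is still needed
# against AVC denials before keeping, especially dac_override.
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;

# configuration files: read-only access, the daemon cannot modify its own config
allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)

# re-exec itself (no domain change)
can_exec(amavis_t, amavis_exec_t)

# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)

# Spool Files
manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
# a socket created inside the spool directory is labelled amavis_var_run_t
# (the pid/socket type), not amavis_spool_t
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)

# tmp files: only plain files are created as amavis_tmp_t under /tmp; the
# directory itself may only have its attributes changed (no subdirectories)
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)

# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)

# log files
allow amavis_t amavis_var_log_t:dir setattr;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

# pid file
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(amavis_t)
# Perl-driven probes of /proc (self/stat), /etc/shadow and /root are denied
# but not logged: these are dontaudit rules only, they grant nothing. See also
# auth_dontaudit_read_shadow and sysadm_dontaudit_search_home_dirs below.
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)

# find perl. Note this allows executing any bin_t binary, not just perl,
# and it runs in amavis_t (no domain transition).
corecmd_exec_bin(amavis_t)

corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
corenet_udp_bind_all_nodes(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# The peer side is not restricted to a known port, so send/recv is allowed on
# every port type. This is broad, but as far as this file shows outbound
# connects are still gated by the name_connect rules below (amavisd_send_port,
# razor_port) and listening by the bind rules.
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)

dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

# silences, but does not grant, attempts to read /etc/shadow
auth_dontaudit_read_shadow(amavis_t)

init_stream_connect_script(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

mta_read_config(amavis_t)

sysadm_dontaudit_search_home_dirs(amavis_t)

# Each optional_policy block is only compiled in when the named module is present.
# clamav, dcc, pyzor and razor helpers run in their own domains (domtrans);
# spamassassin below is exec'd without a transition and so runs as amavis_t.
optional_policy(`
	clamav_stream_connect(amavis_t)
	clamav_domtrans_clamscan(amavis_t)
')

optional_policy(`
	dcc_domtrans_client(amavis_t)
	dcc_stream_connect_dccifd(amavis_t)
')

optional_policy(`
	postfix_read_config(amavis_t)
')

optional_policy(`
	pyzor_domtrans(amavis_t)
	pyzor_signal(amavis_t)
')

optional_policy(`
	razor_domtrans(amavis_t)
')

optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
	spamassassin_read_lib_files(amavis_t)
')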
153 | mta_read_config(amavis_t) | |
154 | ||
e9c6cda7 CP |
155 | sysadm_dontaudit_search_home_dirs(amavis_t) |
156 | ||
bb7170f6 | 157 | optional_policy(` |
8a0a9944 | 158 | clamav_stream_connect(amavis_t) |
87eb5c84 | 159 | clamav_domtrans_clamscan(amavis_t) |
8a0a9944 CP |
160 | ') |
161 | ||
6ba4d964 CP |
162 | optional_policy(` |
163 | dcc_domtrans_client(amavis_t) | |
164 | dcc_stream_connect_dccifd(amavis_t) | |
165 | ') | |
166 | ||
a5e2133b CP |
167 | optional_policy(` |
168 | postfix_read_config(amavis_t) | |
169 | ') | |
170 | ||
e9935943 CP |
171 | optional_policy(` |
172 | pyzor_domtrans(amavis_t) | |
6dd721a6 | 173 | pyzor_signal(amavis_t) |
e9935943 CP |
174 | ') |
175 | ||
20e929e0 CP |
176 | optional_policy(` |
177 | razor_domtrans(amavis_t) | |
178 | ') | |
179 | ||
bb7170f6 | 180 | optional_policy(` |
8a0a9944 CP |
181 | spamassassin_exec(amavis_t) |
182 | spamassassin_exec_client(amavis_t) | |
747ab184 | 183 | spamassassin_read_lib_files(amavis_t) |
8a0a9944 | 184 | ') |