[people/stevee/selinux-policy.git] / policy / modules / services / amavis.te


policy_module(amavis,1.1.0)

########################################
#
# Declarations
#

type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files
type amavis_etc_t;
files_type(amavis_etc_t)

# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

type amavis_spool_t;
files_type(amavis_spool_t)

########################################
#
# amavis local policy
#

allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };

# configuration files
allow amavis_t amavis_etc_t:dir r_dir_perms;
allow amavis_t amavis_etc_t:file r_file_perms;
allow amavis_t amavis_etc_t:lnk_file { getattr read };

# mail quarantine
allow amavis_t amavis_quarantine_t:file create_file_perms;
allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
allow amavis_t amavis_quarantine_t:dir create_dir_perms;

# Spool Files
files_search_spool(amavis_t)
allow amavis_t amavis_spool_t:dir manage_dir_perms;
allow amavis_t amavis_spool_t:file manage_file_perms;
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;

# tmp files
allow amavis_t amavis_tmp_t:file create_file_perms;
allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)

# var/lib files for amavis
allow amavis_t amavis_var_lib_t:file create_file_perms;
allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
allow amavis_t amavis_var_lib_t:dir create_dir_perms;

# log files
allow amavis_t amavis_var_log_t:file create_file_perms;
allow amavis_t amavis_var_log_t:sock_file create_file_perms;
allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })

# pid file
allow amavis_t amavis_var_run_t:file manage_file_perms;
allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
allow amavis_t amavis_var_run_t:dir rw_dir_perms;
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)

# find perl
corecmd_exec_bin(amavis_t)
corecmd_search_sbin(amavis_t)

corenet_non_ipsec_sendrecv(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
corenet_udp_bind_all_nodes(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)

dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

auth_dontaudit_read_shadow(amavis_t)

init_use_fds(amavis_t)
init_use_script_ptys(amavis_t)
init_stream_connect_script(amavis_t)

libs_use_ld_so(amavis_t)
libs_use_shared_libs(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)

userdom_dontaudit_search_sysadm_home_dirs(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

mta_read_config(amavis_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_generic_ptys(amavis_t)
	term_dontaudit_use_unallocated_ttys(amavis_t)
')

optional_policy(`
	clamav_stream_connect(amavis_t)
	clamav_domtrans_clamscan(amavis_t)
')

optional_policy(`
	dcc_domtrans_client(amavis_t)
	dcc_stream_connect_dccifd(amavis_t)
')

optional_policy(`
	postfix_read_config(amavis_t)
')

optional_policy(`
	pyzor_domtrans(amavis_t)
')

optional_policy(`
	razor_domtrans(amavis_t)
')

optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
')
Commit	Line	Data
8a0a9944	1
a52b4d4f	2	policy_module(amavis,1.1.0)
8a0a9944 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type amavis_t;
	10	type amavis_exec_t;
	11	domain_type(amavis_t)
	12	init_daemon_domain(amavis_t, amavis_exec_t)
	13
	14	# configuration files
	15	type amavis_etc_t;
	16	files_type(amavis_etc_t)
	17
	18	# pid files
	19	type amavis_var_run_t;
	20	files_pid_file(amavis_var_run_t)
	21
	22	# var/lib files
	23	type amavis_var_lib_t;
	24	files_type(amavis_var_lib_t)
	25
	26	# log files
	27	type amavis_var_log_t;
	28	logging_log_file(amavis_var_log_t)
	29
	30	# tmp files
	31	type amavis_tmp_t;
	32	files_tmp_file(amavis_tmp_t)
	33
	34	# virus quarantine
	35	type amavis_quarantine_t;
	36	files_type(amavis_quarantine_t)
	37
87eb5c84 CP	38	type amavis_spool_t;
	39	files_type(amavis_spool_t)
	40
8a0a9944 CP	41	########################################
	42	#
	43	# amavis local policy
	44	#
	45
87eb5c84	46	allow amavis_t self:capability { kill chown dac_override setgid setuid };
8a0a9944 CP	47	dontaudit amavis_t self:capability sys_tty_config;
	48	allow amavis_t self:process { signal sigchld signull };
	49	allow amavis_t self:fifo_file rw_file_perms;
	50	allow amavis_t self:unix_stream_socket create_stream_socket_perms;
	51	allow amavis_t self:unix_dgram_socket create_socket_perms;
	52	allow amavis_t self:tcp_socket { listen accept };
	53
	54	# configuration files
	55	allow amavis_t amavis_etc_t:dir r_dir_perms;
	56	allow amavis_t amavis_etc_t:file r_file_perms;
	57	allow amavis_t amavis_etc_t:lnk_file { getattr read };
	58
	59	# mail quarantine
	60	allow amavis_t amavis_quarantine_t:file create_file_perms;
	61	allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
	62	allow amavis_t amavis_quarantine_t:dir create_dir_perms;
	63
87eb5c84	64	# Spool Files
a5e2133b	65	files_search_spool(amavis_t)
87eb5c84 CP	66	allow amavis_t amavis_spool_t:dir manage_dir_perms;
87eb5c84 CP	67	allow amavis_t amavis_spool_t:file manage_file_perms;
522b59bb	68	allow amavis_t amavis_spool_t:sock_file manage_file_perms;
a5e2133b	69	type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
87eb5c84	70
8a0a9944 CP	71	# tmp files
	72	allow amavis_t amavis_tmp_t:file create_file_perms;
	73	allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
	74	files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
	75
	76	# var/lib files for amavis
	77	allow amavis_t amavis_var_lib_t:file create_file_perms;
	78	allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
	79	allow amavis_t amavis_var_lib_t:dir create_dir_perms;
8a0a9944 CP	80
	81	# log files
	82	allow amavis_t amavis_var_log_t:file create_file_perms;
	83	allow amavis_t amavis_var_log_t:sock_file create_file_perms;
	84	allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
	85	logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })
	86
	87	# pid file
	88	allow amavis_t amavis_var_run_t:file manage_file_perms;
	89	allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
	90	allow amavis_t amavis_var_run_t:dir rw_dir_perms;
	91	files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
	92
87eb5c84	93	kernel_read_kernel_sysctls(amavis_t)
8a0a9944 CP	94	# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
8a0a9944 CP	95	kernel_dontaudit_list_proc(amavis_t)
522b59bb	96	kernel_dontaudit_read_proc_symlinks(amavis_t)
87eb5c84	97	kernel_dontaudit_read_system_state(amavis_t)
8a0a9944 CP	98
	99	# find perl
	100	corecmd_exec_bin(amavis_t)
	101	corecmd_search_sbin(amavis_t)
	102
	103	corenet_non_ipsec_sendrecv(amavis_t)
	104	corenet_tcp_sendrecv_all_if(amavis_t)
	105	corenet_tcp_sendrecv_all_nodes(amavis_t)
522b59bb CP	106	corenet_tcp_bind_all_nodes(amavis_t)
522b59bb CP	107	corenet_udp_bind_all_nodes(amavis_t)
8a0a9944 CP	108	# amavis uses well-defined ports
	109	corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
	110	corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
	111	# just the other side not. ;-)
	112	corenet_tcp_sendrecv_all_ports(amavis_t)
	113	# connect to backchannel port
	114	corenet_tcp_connect_amavisd_send_port(amavis_t)
	115	# bind to incoming port
	116	corenet_tcp_bind_amavisd_recv_port(amavis_t)
522b59bb	117	corenet_udp_bind_generic_port(amavis_t)
a5e2133b	118	corenet_tcp_connect_razor_port(amavis_t)
8a0a9944 CP	119
	120	dev_read_rand(amavis_t)
	121	dev_read_urand(amavis_t)
	122
	123	domain_use_interactive_fds(amavis_t)
	124
	125	files_read_etc_files(amavis_t)
	126	files_read_etc_runtime_files(amavis_t)
	127	files_read_usr_files(amavis_t)
	128
	129	auth_dontaudit_read_shadow(amavis_t)
	130
	131	init_use_fds(amavis_t)
	132	init_use_script_ptys(amavis_t)
87eb5c84	133	init_stream_connect_script(amavis_t)
8a0a9944 CP	134
	135	libs_use_ld_so(amavis_t)
	136	libs_use_shared_libs(amavis_t)
	137
	138	logging_send_syslog_msg(amavis_t)
	139
	140	miscfiles_read_localization(amavis_t)
	141
	142	sysnet_dns_name_resolve(amavis_t)
13d7cec6	143	sysnet_use_ldap(amavis_t)
8a0a9944 CP	144
	145	userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
	146
	147	# Cron handling
	148	cron_use_fds(amavis_t)
	149	cron_use_system_job_fds(amavis_t)
	150	cron_rw_pipes(amavis_t)
	151
	152	mta_read_config(amavis_t)
	153
87eb5c84 CP	154	ifdef(`targeted_policy',`
87eb5c84 CP	155	term_dontaudit_use_generic_ptys(amavis_t)
8708d9be	156	term_dontaudit_use_unallocated_ttys(amavis_t)
87eb5c84 CP	157	')
87eb5c84 CP	158
bb7170f6	159	optional_policy(`
8a0a9944	160	clamav_stream_connect(amavis_t)
87eb5c84	161	clamav_domtrans_clamscan(amavis_t)
8a0a9944 CP	162	')
8a0a9944 CP	163
6ba4d964 CP	164	optional_policy(`
	165	dcc_domtrans_client(amavis_t)
	166	dcc_stream_connect_dccifd(amavis_t)
	167	')
	168
a5e2133b CP	169	optional_policy(`
	170	postfix_read_config(amavis_t)
	171	')
	172
e9935943 CP	173	optional_policy(`
	174	pyzor_domtrans(amavis_t)
	175	')
	176
20e929e0 CP	177	optional_policy(`
	178	razor_domtrans(amavis_t)
	179	')
	180
bb7170f6	181	optional_policy(`
8a0a9944 CP	182	spamassassin_exec(amavis_t)
	183	spamassassin_exec_client(amavis_t)
	184	')