# SELinux reference-policy module for the exim MTA.
# Declares the exim_t daemon domain together with its executable, init
# script, log, spool, tmp and pid-file types, then grants the access the
# daemon needs.  Database and user-file access is gated behind three
# booleans that are all off by default, so they must be opted into.
policy_module(exim, 1.5.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow exim to connect to databases (postgres, mysql)
## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)

## <desc>
## <p>
## Allow exim to read unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_read_user_files, false)

## <desc>
## <p>
## Allow exim to create, read, write, and delete
## unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)

# exim_t is the confined daemon domain; exim_exec_t is its entry point.
# It is registered as a mail server and as a user agent (other domains
# may transition into it to submit mail), and the binary is also usable
# as a generic MTA agent.
type exim_t;
type exim_exec_t;
init_daemon_domain(exim_t, exim_exec_t)
mta_mailserver(exim_t, exim_exec_t)
mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)

type exim_initrc_exec_t;
init_script_file(exim_initrc_exec_t)

# Private types for the daemon's log, spool, tmp and pid files.  The
# on-disk paths that carry these labels are assigned by the module's
# file-contexts file, which is not part of this listing.
type exim_log_t;
logging_log_file(exim_log_t)

type exim_spool_t;
files_type(exim_spool_t)

type exim_tmp_t;
files_tmp_file(exim_tmp_t)

type exim_var_run_t;
files_pid_file(exim_var_run_t)

########################################
#
# exim local policy
#

# chown/fowner/setuid/setgid let the daemon switch identity and own the
# files it delivers.  dac_override and dac_read_search bypass DAC mode-bit
# checks entirely, so a flaw in exim_t is not limited by file permissions.
# NOTE(review): confirm the delivery configuration really needs both; where
# read-only traversal of user directories suffices, dac_read_search alone
# is the smaller grant.
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
# setrlimit pairs with sys_resource above; setpgid is process-group handling.
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
allow exim_t self:udp_socket create_socket_perms;

# Execute its own binary without a domain transition.
can_exec(exim_t, exim_exec_t)

# Files the daemon creates under the generic log, spool, tmp and pid
# locations are labelled with the exim-specific type (filetrans), so
# they stay private to exim_t rather than inheriting the parent label.
manage_files_pattern(exim_t, exim_log_t, exim_log_t)
logging_log_filetrans(exim_t, exim_log_t, { file dir })

manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })

manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })

manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })

kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
# Reads of generic system state are denied but not logged, to keep the
# audit log free of noise that is not a real problem.
kernel_dontaudit_read_system_state(exim_t)

corecmd_search_bin(exim_t)

# Network access.  The first two accept traffic that carries no label or
# a NetLabel label (the normal case without labelled networking).
# sendrecv_all_ports is packet-level send/recv on every TCP port type;
# the name_bind / name_connect interfaces further down are the narrower
# control over which ports exim may actually listen on or connect to.
corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
corenet_tcp_sendrecv_generic_node(exim_t)
corenet_udp_sendrecv_generic_node(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
# Listen on any local address, but only on the SMTP and amavisd-send ports.
corenet_tcp_bind_generic_node(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
# Outbound connections: auth (ident), SMTP relay, LDAP lookups, inetd children.
corenet_tcp_connect_auth_port(exim_t)
corenet_tcp_connect_smtp_port(exim_t)
corenet_tcp_connect_ldap_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
# connect to spamassassin
corenet_tcp_connect_spamd_port(exim_t)

# Random devices; presumably for TLS and message-id generation - confirm.
dev_read_rand(exim_t)
dev_read_urand(exim_t)

# Init script handling
domain_use_interactive_fds(exim_t)

files_search_usr(exim_t)
files_search_var(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)

fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)

# User/group lookups through NSS; this interface also brings in whatever
# the local nsswitch configuration requires (e.g. name service sockets).
auth_use_nsswitch(exim_t)

logging_send_syslog_msg(exim_t)

miscfiles_read_localization(exim_t)
# CA / server certificates for TLS.
miscfiles_read_generic_certs(exim_t)

# Home-directory searches are expected (and denied) when the user-file
# booleans below are off; don't fill the audit log with them.
userdom_dontaudit_search_user_home_dirs(exim_t)

mta_read_aliases(exim_t)
mta_read_config(exim_t)
mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)

# TCP access to MySQL / PostgreSQL ports, only when the boolean is enabled.
# Unix-socket access to the same servers is granted further down, inside
# optional_policy blocks, because it depends on those modules being present.
tunable_policy(`exim_can_connect_db',`
	corenet_tcp_connect_mysqld_port(exim_t)
	corenet_sendrecv_mysqld_client_packets(exim_t)
	corenet_tcp_connect_postgresql_port(exim_t)
	corenet_sendrecv_postgresql_client_packets(exim_t)
')

tunable_policy(`exim_read_user_files',`
	userdom_read_user_home_content_files(exim_t)
	userdom_read_user_tmp_files(exim_t)
')

# NOTE(review): the boolean's description promises create/read/write/delete
# of user files, but this block grants manage on home-content *dirs* and
# only read/write (not manage) on user tmp files; read access to home
# content files comes solely from exim_read_user_files.  Confirm whether
# userdom_manage_user_home_content_files is the intended grant here.
tunable_policy(`exim_manage_user_files',`
	userdom_manage_user_home_content_dirs(exim_t)
	userdom_read_user_tmp_files(exim_t)
	userdom_write_user_tmp_files(exim_t)
')

# Each optional_policy block is compiled only when the named module exists.

# Virus scanning: run clamscan in its own domain, talk to clamd's socket.
optional_policy(`
	clamav_domtrans_clamscan(exim_t)
	clamav_stream_connect(exim_t)
')

optional_policy(`
	cron_read_pipes(exim_t)
	cron_rw_system_job_pipes(exim_t)
')

optional_policy(`
	cyrus_stream_connect(exim_t)
')

optional_policy(`
	kerberos_keytab_template(exim, exim_t)
')

optional_policy(`
	mailman_read_data_files(exim_t)
	mailman_domtrans(exim_t)
')

optional_policy(`
	nagios_search_spool(exim_t)
')

# Local-socket database access: requires both the mysql/postgresql module
# to be present and exim_can_connect_db to be on.
optional_policy(`
	tunable_policy(`exim_can_connect_db',`
		mysql_stream_connect(exim_t)
	')
')

optional_policy(`
	tunable_policy(`exim_can_connect_db',`
		postgresql_stream_connect(exim_t)
	')
')

optional_policy(`
	procmail_domtrans(exim_t)
	procmail_read_home_files(exim_t)
')

optional_policy(`
	sasl_connect(exim_t)
')

optional_policy(`
	# https://bugzilla.redhat.com/show_bug.cgi?id=512710
	# uses sendmail for outgoing mail and exim
	# for incoming mail
	sendmail_manage_tmp_files(exim_t)
')

# Spam filtering: run spamassassin / spamc without a domain transition.
optional_policy(`
	spamassassin_exec(exim_t)
	spamassassin_exec_client(exim_t)
')