[people/stevee/selinux-policy.git] / policy / modules / services / exim.te

policy_module(exim, 1.5.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow exim to connect to databases (postgres, mysql)
## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)

## <desc>
## <p>
## Allow exim to read unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_read_user_files, false)

## <desc>
## <p>
## Allow exim to create, read, write, and delete
## unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)

type exim_t;
type exim_exec_t;
init_daemon_domain(exim_t, exim_exec_t)
mta_mailserver(exim_t, exim_exec_t)
mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)

type exim_initrc_exec_t;
init_script_file(exim_initrc_exec_t)

type exim_log_t;
logging_log_file(exim_log_t)

type exim_spool_t;
files_type(exim_spool_t)

type exim_tmp_t;
files_tmp_file(exim_tmp_t)

type exim_var_run_t;
files_pid_file(exim_var_run_t)

########################################
#
# exim local policy
#

allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
allow exim_t self:udp_socket create_socket_perms;

can_exec(exim_t, exim_exec_t)

manage_files_pattern(exim_t, exim_log_t, exim_log_t)
logging_log_filetrans(exim_t, exim_log_t, { file dir })

manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })

manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })

manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })

kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
kernel_dontaudit_read_system_state(exim_t)

corecmd_search_bin(exim_t)

corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
corenet_tcp_sendrecv_generic_node(exim_t)
corenet_udp_sendrecv_generic_node(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
corenet_tcp_bind_generic_node(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
corenet_tcp_connect_auth_port(exim_t)
corenet_tcp_connect_smtp_port(exim_t)
corenet_tcp_connect_ldap_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
# connect to spamassassin
corenet_tcp_connect_spamd_port(exim_t)

dev_read_rand(exim_t)
dev_read_urand(exim_t)

# Init script handling
domain_use_interactive_fds(exim_t)

files_search_usr(exim_t)
files_search_var(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)

fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)

auth_use_nsswitch(exim_t)

logging_send_syslog_msg(exim_t)

miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)

userdom_dontaudit_search_user_home_dirs(exim_t)

mta_read_aliases(exim_t)
mta_read_config(exim_t)
mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)

tunable_policy(`exim_can_connect_db',`
	corenet_tcp_connect_mysqld_port(exim_t)
	corenet_sendrecv_mysqld_client_packets(exim_t)
	corenet_tcp_connect_postgresql_port(exim_t)
	corenet_sendrecv_postgresql_client_packets(exim_t)
')

tunable_policy(`exim_read_user_files',`
	userdom_read_user_home_content_files(exim_t)
	userdom_read_user_tmp_files(exim_t)
')

tunable_policy(`exim_manage_user_files',`
	userdom_manage_user_home_content_dirs(exim_t)
	userdom_read_user_tmp_files(exim_t)
	userdom_write_user_tmp_files(exim_t)
')

optional_policy(`
	clamav_domtrans_clamscan(exim_t)
	clamav_stream_connect(exim_t)
')

optional_policy(`
	cron_read_pipes(exim_t)
	cron_rw_system_job_pipes(exim_t)
')

optional_policy(`
	cyrus_stream_connect(exim_t)
')

optional_policy(`
	kerberos_keytab_template(exim, exim_t)
')

optional_policy(`
	mailman_read_data_files(exim_t)
	mailman_domtrans(exim_t)
')

optional_policy(`
    nagios_search_spool(exim_t)
')

optional_policy(`
	tunable_policy(`exim_can_connect_db',`
		mysql_stream_connect(exim_t)
	')
')

optional_policy(`
	tunable_policy(`exim_can_connect_db',`
		postgresql_stream_connect(exim_t)
	')
')

optional_policy(`
	procmail_domtrans(exim_t)
	procmail_read_home_files(exim_t)
')

optional_policy(`
	sasl_connect(exim_t)
')

optional_policy(`
	# https://bugzilla.redhat.com/show_bug.cgi?id=512710
	# uses sendmail for outgoing mail and exim
	# for incoming mail
	sendmail_manage_tmp_files(exim_t)
')

optional_policy(`
	spamassassin_exec(exim_t)
	spamassassin_exec_client(exim_t)
')
Commit	Line	Data
29af4c13	1	policy_module(exim, 1.5.0)
6bf8bf4f CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
80348b73 CP	8	## <desc>
	9	## <p>
	10	## Allow exim to connect to databases (postgres, mysql)
	11	## </p>
	12	## </desc>
	13	gen_tunable(exim_can_connect_db, false)
	14
6bf8bf4f CP	15	## <desc>
	16	## <p>
	17	## Allow exim to read unprivileged user files.
	18	## </p>
	19	## </desc>
0bfccda4	20	gen_tunable(exim_read_user_files, false)
6bf8bf4f CP	21
	22	## <desc>
	23	## <p>
	24	## Allow exim to create, read, write, and delete
	25	## unprivileged user files.
	26	## </p>
	27	## </desc>
0bfccda4	28	gen_tunable(exim_manage_user_files, false)
6bf8bf4f CP	29
	30	type exim_t;
	31	type exim_exec_t;
	32	init_daemon_domain(exim_t, exim_exec_t)
80348b73 CP	33	mta_mailserver(exim_t, exim_exec_t)
	34	mta_mailserver_user_agent(exim_t)
	35	application_executable_file(exim_exec_t)
	36	mta_agent_executable(exim_exec_t)
6bf8bf4f	37
3eaa9939 DW	38	type exim_initrc_exec_t;
	39	init_script_file(exim_initrc_exec_t)
	40
6bf8bf4f CP	41	type exim_log_t;
	42	logging_log_file(exim_log_t)
	43
	44	type exim_spool_t;
	45	files_type(exim_spool_t)
	46
	47	type exim_tmp_t;
	48	files_tmp_file(exim_tmp_t)
	49
	50	type exim_var_run_t;
	51	files_pid_file(exim_var_run_t)
	52
	53	########################################
	54	#
	55	# exim local policy
	56	#
	57
3f67f722	58	allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
80348b73	59	allow exim_t self:process { setrlimit setpgid };
6bf8bf4f CP	60	allow exim_t self:fifo_file rw_fifo_file_perms;
	61	allow exim_t self:unix_stream_socket create_stream_socket_perms;
	62	allow exim_t self:tcp_socket create_stream_socket_perms;
80348b73	63	allow exim_t self:udp_socket create_socket_perms;
6bf8bf4f	64
3f67f722	65	can_exec(exim_t, exim_exec_t)
6bf8bf4f CP	66
	67	manage_files_pattern(exim_t, exim_log_t, exim_log_t)
	68	logging_log_filetrans(exim_t, exim_log_t, { file dir })
	69
	70	manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
	71	manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
	72	manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
0bfccda4	73	files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
6bf8bf4f CP	74
	75	manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
	76	manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
	77	files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
	78
	79	manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
	80	manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
	81	files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
	82
	83	kernel_read_kernel_sysctls(exim_t)
80348b73	84	kernel_read_network_state(exim_t)
d57a0943 CP	85	kernel_dontaudit_read_system_state(exim_t)
d57a0943 CP	86
6bf8bf4f CP	87	corecmd_search_bin(exim_t)
	88
	89	corenet_all_recvfrom_unlabeled(exim_t)
80348b73	90	corenet_all_recvfrom_netlabel(exim_t)
668b3093	91	corenet_tcp_sendrecv_generic_if(exim_t)
80348b73	92	corenet_udp_sendrecv_generic_if(exim_t)
c1262146	93	corenet_tcp_sendrecv_generic_node(exim_t)
80348b73	94	corenet_udp_sendrecv_generic_node(exim_t)
6bf8bf4f	95	corenet_tcp_sendrecv_all_ports(exim_t)
c1262146	96	corenet_tcp_bind_generic_node(exim_t)
6bf8bf4f CP	97	corenet_tcp_bind_smtp_port(exim_t)
	98	corenet_tcp_bind_amavisd_send_port(exim_t)
	99	corenet_tcp_connect_auth_port(exim_t)
d57a0943 CP	100	corenet_tcp_connect_smtp_port(exim_t)
d57a0943 CP	101	corenet_tcp_connect_ldap_port(exim_t)
6bf8bf4f	102	corenet_tcp_connect_inetd_child_port(exim_t)
80348b73 CP	103	# connect to spamassassin
80348b73 CP	104	corenet_tcp_connect_spamd_port(exim_t)
6bf8bf4f	105
d57a0943 CP	106	dev_read_rand(exim_t)
	107	dev_read_urand(exim_t)
	108
6bf8bf4f CP	109	# Init script handling
	110	domain_use_interactive_fds(exim_t)
	111
80348b73 CP	112	files_search_usr(exim_t)
80348b73 CP	113	files_search_var(exim_t)
6bf8bf4f	114	files_read_etc_files(exim_t)
80348b73	115	files_read_etc_runtime_files(exim_t)
84a45c96	116	files_getattr_all_mountpoints(exim_t)
80348b73 CP	117
	118	fs_getattr_xattr_fs(exim_t)
	119	fs_list_inotifyfs(exim_t)
6bf8bf4f CP	120
	121	auth_use_nsswitch(exim_t)
	122
6bf8bf4f CP	123	logging_send_syslog_msg(exim_t)
	124
	125	miscfiles_read_localization(exim_t)
83406219	126	miscfiles_read_generic_certs(exim_t)
6bf8bf4f	127
296273a7	128	userdom_dontaudit_search_user_home_dirs(exim_t)
6bf8bf4f CP	129
6bf8bf4f CP	130	mta_read_aliases(exim_t)
80348b73 CP	131	mta_read_config(exim_t)
	132	mta_manage_spool(exim_t)
	133	mta_mailserver_delivery(exim_t)
	134
	135	tunable_policy(`exim_can_connect_db',`
	136	corenet_tcp_connect_mysqld_port(exim_t)
	137	corenet_sendrecv_mysqld_client_packets(exim_t)
3f67f722 CP	138	corenet_tcp_connect_postgresql_port(exim_t)
3f67f722 CP	139	corenet_sendrecv_postgresql_client_packets(exim_t)
80348b73	140	')
6bf8bf4f CP	141
6bf8bf4f CP	142	tunable_policy(`exim_read_user_files',`
296273a7 CP	143	userdom_read_user_home_content_files(exim_t)
296273a7 CP	144	userdom_read_user_tmp_files(exim_t)
6bf8bf4f CP	145	')
	146
	147	tunable_policy(`exim_manage_user_files',`
296273a7 CP	148	userdom_manage_user_home_content_dirs(exim_t)
	149	userdom_read_user_tmp_files(exim_t)
	150	userdom_write_user_tmp_files(exim_t)
6bf8bf4f	151	')
80348b73 CP	152
	153	optional_policy(`
	154	clamav_domtrans_clamscan(exim_t)
	155	clamav_stream_connect(exim_t)
	156	')
	157
	158	optional_policy(`
	159	cron_read_pipes(exim_t)
	160	cron_rw_system_job_pipes(exim_t)
	161	')
	162
	163	optional_policy(`
	164	cyrus_stream_connect(exim_t)
	165	')
	166
	167	optional_policy(`
	168	kerberos_keytab_template(exim, exim_t)
	169	')
	170
	171	optional_policy(`
	172	mailman_read_data_files(exim_t)
	173	mailman_domtrans(exim_t)
	174	')
	175
3eaa9939 DW	176	optional_policy(`
	177	nagios_search_spool(exim_t)
	178	')
	179
80348b73 CP	180	optional_policy(`
	181	tunable_policy(`exim_can_connect_db',`
	182	mysql_stream_connect(exim_t)
	183	')
	184	')
	185
	186	optional_policy(`
	187	tunable_policy(`exim_can_connect_db',`
	188	postgresql_stream_connect(exim_t)
	189	')
	190	')
	191
	192	optional_policy(`
	193	procmail_domtrans(exim_t)
3eaa9939	194	procmail_read_home_files(exim_t)
80348b73 CP	195	')
	196
	197	optional_policy(`
	198	sasl_connect(exim_t)
	199	')
	200
9a1f0d21	201	optional_policy(`
4931c57e CP	202	# https://bugzilla.redhat.com/show_bug.cgi?id=512710
	203	# uses sendmail for outgoing mail and exim
	204	# for incoming mail
9a1f0d21 JS	205	sendmail_manage_tmp_files(exim_t)
	206	')
	207
80348b73 CP	208	optional_policy(`
	209	spamassassin_exec(exim_t)
	210	spamassassin_exec_client(exim_t)
	211	')