[people/stevee/selinux-policy.git] / policy / modules / services / milter.if

## <summary>Milter mail filters</summary>

########################################
## <summary>
##	Create a set of derived types for various
##	mail filter applications using the milter interface.
## </summary>
## <param name="milter_name">
##	<summary>
##	The name to be used for deriving type names.
##	</summary>
## </param>
#
template(`milter_template',`
	# attributes common to all milters
	gen_require(`
		attribute milter_data_type, milter_domains;
	')

	type $1_milter_t, milter_domains;
	type $1_milter_exec_t;
	init_daemon_domain($1_milter_t, $1_milter_exec_t)
	role system_r types $1_milter_t;

	# Type for the milter data (e.g. the socket used to communicate with the MTA)
	type $1_milter_data_t, milter_data_type;
	files_type($1_milter_data_t)

	allow $1_milter_t self:fifo_file rw_fifo_file_perms;

	# Allow communication with MTA over a unix-domain socket
	# Note: usage with TCP sockets requires additional policy
	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)

	# Create other data files and directories in the data directory
	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)

	files_read_etc_files($1_milter_t)

	kernel_dontaudit_read_system_state($1_milter_t)

	miscfiles_read_localization($1_milter_t)

	logging_send_syslog_msg($1_milter_t)
')

########################################
## <summary>
##	MTA communication with milter sockets
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`milter_stream_connect_all',`
	gen_require(`
		attribute milter_data_type, milter_domains;
	')

	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')

########################################
## <summary>
##	Allow getattr of milter sockets
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`milter_getattr_all_sockets',`
	gen_require(`
		attribute milter_data_type;
	')

	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')

########################################
## <summary>
##	Allow setattr of milter dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`milter_setattr_all_dirs',`
	gen_require(`
		attribute milter_data_type;
	')

	setattr_dirs_pattern($1, milter_data_type, milter_data_type)
')

########################################
## <summary>
##	Manage spamassassin milter state
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`milter_manage_spamass_state',`
	gen_require(`
		type spamass_milter_state_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')

#######################################
## <summary>
##      Delete dkim-milter PID files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`milter_delete_dkim_pid_files',`
        gen_require(`
                type dkim_milter_data_t;
        ')

        files_search_pids($1)
        delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
')
Commit	Line	Data
b9e5238a CP	1	## <summary>Milter mail filters</summary>
	2
	3	########################################
	4	## <summary>
	5	## Create a set of derived types for various
	6	## mail filter applications using the milter interface.
	7	## </summary>
	8	## <param name="milter_name">
	9	## <summary>
	10	## The name to be used for deriving type names.
	11	## </summary>
	12	## </param>
	13	#
	14	template(`milter_template',`
	15	# attributes common to all milters
	16	gen_require(`
	17	attribute milter_data_type, milter_domains;
	18	')
	19
	20	type $1_milter_t, milter_domains;
	21	type $1_milter_exec_t;
	22	init_daemon_domain($1_milter_t, $1_milter_exec_t)
	23	role system_r types $1_milter_t;
	24
	25	# Type for the milter data (e.g. the socket used to communicate with the MTA)
	26	type $1_milter_data_t, milter_data_type;
26410ddf	27	files_type($1_milter_data_t)
b9e5238a CP	28
	29	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
	30
	31	# Allow communication with MTA over a unix-domain socket
	32	# Note: usage with TCP sockets requires additional policy
	33	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
	34
	35	# Create other data files and directories in the data directory
	36	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
	37
0000b795 CP	38	files_read_etc_files($1_milter_t)
0000b795 CP	39
3eaa9939 DW	40	kernel_dontaudit_read_system_state($1_milter_t)
3eaa9939 DW	41
b9e5238a CP	42	miscfiles_read_localization($1_milter_t)
	43
	44	logging_send_syslog_msg($1_milter_t)
	45	')
	46
	47	########################################
	48	## <summary>
	49	## MTA communication with milter sockets
	50	## </summary>
	51	## <param name="domain">
	52	## <summary>
	53	## Domain allowed access.
	54	## </summary>
	55	## </param>
	56	#
	57	interface(`milter_stream_connect_all',`
	58	gen_require(`
	59	attribute milter_data_type, milter_domains;
	60	')
	61
	62	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	63	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
	64	')
	65
	66	########################################
	67	## <summary>
	68	## Allow getattr of milter sockets
	69	## </summary>
	70	## <param name="domain">
	71	## <summary>
	72	## Domain allowed access.
	73	## </summary>
	74	## </param>
	75	#
	76	interface(`milter_getattr_all_sockets',`
	77	gen_require(`
	78	attribute milter_data_type;
	79	')
	80
	81	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	82	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
	83	')
0cf1d560	84
3eaa9939 DW	85	########################################
	86	## <summary>
	87	## Allow setattr of milter dirs
	88	## </summary>
	89	## <param name="domain">
	90	## <summary>
	91	## Domain allowed access.
	92	## </summary>
	93	## </param>
	94	#
	95	interface(`milter_setattr_all_dirs',`
	96	gen_require(`
	97	attribute milter_data_type;
	98	')
	99
	100	setattr_dirs_pattern($1, milter_data_type, milter_data_type)
	101	')
	102
0cf1d560 CP	103	########################################
	104	## <summary>
	105	## Manage spamassassin milter state
	106	## </summary>
	107	## <param name="domain">
	108	## <summary>
	109	## Domain allowed access.
	110	## </summary>
	111	## </param>
	112	#
	113	interface(`milter_manage_spamass_state',`
	114	gen_require(`
	115	type spamass_milter_state_t;
	116	')
	117
	118	files_search_var_lib($1)
	119	manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	120	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	121	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	122	')
dfe675b8 DW	123
	124	#######################################
	125	## <summary>
	126	## Delete dkim-milter PID files.
	127	## </summary>
	128	## <param name="domain">
	129	## <summary>
	130	## Domain allowed access.
	131	## </summary>
	132	## </param>
	133	#
	134	interface(`milter_delete_dkim_pid_files',`
	135	gen_require(`
	136	type dkim_milter_data_t;
	137	')
	138
	139	files_search_pids($1)
	140	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
	141	')