Commit | Line | Data |
---|---|---|
4bf4ed9e | 1 | ## <summary>Policy common to all email transfer agents.</summary> |
6b93833b | 2 | |
12ae7557 CP |
3 | ######################################## |
4 | ## <summary> | |
5 | ## MTA stub interface. No access allowed. | |
6 | ## </summary> | |
f7eaeebb | 7 | ## <param name="domain" unused="true"> |
885b83ec | 8 | ## <summary> |
f7eaeebb | 9 | ## Domain allowed access. |
885b83ec | 10 | ## </summary> |
12ae7557 CP |
11 | ## </param> |
12 | # | |
13 | interface(`mta_stub',` | |
14 | gen_require(` | |
15 | type sendmail_exec_t; | |
16 | ') | |
17 | ') | |
18 | ||
6b93833b | 19 | ####################################### |
451c1e3d | 20 | ## <summary> |
08cd98b7 | 21 | ## Basic mail transfer agent domain template. |
451c1e3d CP |
22 | ## </summary> |
23 | ## <desc> | |
24 | ## <p> | |
25 | ## This template creates a derived domain which is | |
26 | ## an email transfer agent, which sends mail on | |
27 | ## behalf of the user. | |
28 | ## </p> | |
29 | ## <p> | |
08cd98b7 | 30 | ## These are the basic types and rules, common |
1504ff3e | 31 | ## to the system agent and user agents. |
451c1e3d CP |
32 | ## </p> |
33 | ## </desc> | |
08cd98b7 | 34 | ## <param name="domain_prefix"> |
885b83ec | 35 | ## <summary> |
08cd98b7 | 36 | ## The prefix of the domain (e.g., user |
451c1e3d | 37 | ## is the prefix for user_t). |
885b83ec | 38 | ## </summary> |
451c1e3d | 39 | ## </param> |
6b93833b | 40 | # |
08cd98b7 CP |
41 | template(`mta_base_mail_template',` |
42 | ||
6b19be33 CP |
43 | gen_require(` |
44 | attribute user_mail_domain; | |
45 | type sendmail_exec_t; | |
46 | ') | |
47 | ||
08cd98b7 CP |
48 | ############################## |
49 | # | |
50 | # $1_mail_t declarations | |
51 | # | |
0efe52ae | 52 | |
04926d07 | 53 | type $1_mail_t, user_mail_domain; |
0bfccda4 | 54 | application_domain($1_mail_t, sendmail_exec_t) |
6b93833b | 55 | |
9fd4b818 CP |
56 | type $1_mail_tmp_t; |
57 | files_tmp_file($1_mail_tmp_t) | |
6b93833b | 58 | |
0c73cd25 CP |
59 | ############################## |
60 | # | |
61 | # $1_mail_t local policy | |
62 | # | |
075c4fda | 63 | |
0c73cd25 | 64 | allow $1_mail_t self:capability { setuid setgid chown }; |
0a10b1fa | 65 | allow $1_mail_t self:process { signal_perms setrlimit }; |
0a10b1fa | 66 | allow $1_mail_t self:tcp_socket create_socket_perms; |
075c4fda | 67 | |
0c73cd25 | 68 | # re-exec itself |
0a10b1fa | 69 | can_exec($1_mail_t, sendmail_exec_t) |
c0868a7a | 70 | allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; |
075c4fda | 71 | |
445522dc | 72 | kernel_read_kernel_sysctls($1_mail_t) |
075c4fda | 73 | |
19006686 CP |
74 | corenet_all_recvfrom_unlabeled($1_mail_t) |
75 | corenet_all_recvfrom_netlabel($1_mail_t) | |
668b3093 | 76 | corenet_tcp_sendrecv_generic_if($1_mail_t) |
c1262146 | 77 | corenet_tcp_sendrecv_generic_node($1_mail_t) |
0fd9dc55 | 78 | corenet_tcp_sendrecv_all_ports($1_mail_t) |
cff75c90 | 79 | corenet_tcp_connect_all_ports($1_mail_t) |
08cd98b7 | 80 | corenet_tcp_connect_smtp_port($1_mail_t) |
b8373ee1 | 81 | corenet_sendrecv_smtp_client_packets($1_mail_t) |
075c4fda | 82 | |
c9428d33 | 83 | corecmd_exec_bin($1_mail_t) |
075c4fda | 84 | |
8fd36732 | 85 | files_read_etc_files($1_mail_t) |
b24f35d8 | 86 | files_search_spool($1_mail_t) |
246839f3 CP |
87 | # It wants to check for nscd |
88 | files_dontaudit_search_pids($1_mail_t) | |
6b93833b | 89 | |
09e21686 CP |
90 | auth_use_nsswitch($1_mail_t) |
91 | ||
c9428d33 | 92 | logging_send_syslog_msg($1_mail_t) |
075c4fda | 93 | |
0c73cd25 | 94 | miscfiles_read_localization($1_mail_t) |
075c4fda | 95 | |
bb7170f6 | 96 | optional_policy(` |
fc0e8ce9 CP |
97 | postfix_domtrans_user_mail_handler($1_mail_t) |
98 | ') | |
99 | ||
bb7170f6 | 100 | optional_policy(` |
08cd98b7 CP |
101 | procmail_exec($1_mail_t) |
102 | ') | |
103 | ||
65e131f0 CP |
104 | optional_policy(` |
105 | qmail_domtrans_inject($1_mail_t) | |
106 | ') | |
107 | ||
bb7170f6 | 108 | optional_policy(` |
9fd4b818 CP |
109 | gen_require(` |
110 | type etc_mail_t, mail_spool_t, mqueue_spool_t; | |
111 | ') | |
112 | ||
0bfccda4 CP |
113 | manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) |
114 | manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) | |
103fe280 | 115 | files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) |
08cd98b7 | 116 | |
82d2775c | 117 | allow $1_mail_t etc_mail_t:dir search_dir_perms; |
08cd98b7 CP |
118 | |
119 | # Write to /var/spool/mail and /var/spool/mqueue. | |
0bfccda4 CP |
120 | manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) |
121 | manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) | |
08cd98b7 CP |
122 | |
123 | # Check available space. | |
124 | fs_getattr_xattr_fs($1_mail_t) | |
125 | ||
126 | files_read_etc_runtime_files($1_mail_t) | |
127 | ||
128 | # Write to /var/log/sendmail.st | |
129 | sendmail_manage_log($1_mail_t) | |
130 | sendmail_create_log($1_mail_t) | |
131 | ') | |
132 | ||
08cd98b7 CP |
133 | ') |
134 | ||
296273a7 | 135 | ######################################## |
08cd98b7 | 136 | ## <summary> |
296273a7 | 137 | ## Role access for mta |
08cd98b7 | 138 | ## </summary> |
296273a7 | 139 | ## <param name="role"> |
885b83ec | 140 | ## <summary> |
296273a7 | 141 | ## Role allowed access |
885b83ec | 142 | ## </summary> |
08cd98b7 | 143 | ## </param> |
296273a7 | 144 | ## <param name="domain"> |
885b83ec | 145 | ## <summary> |
296273a7 | 146 | ## User domain for the role |
885b83ec | 147 | ## </summary> |
08cd98b7 CP |
148 | ## </param> |
149 | # | |
296273a7 | 150 | interface(`mta_role',` |
6b19be33 CP |
151 | gen_require(` |
152 | attribute mta_user_agent; | |
296273a7 | 153 | type user_mail_t, sendmail_exec_t; |
6b19be33 | 154 | ') |
9417cb7a | 155 | |
296273a7 | 156 | role $1 types { user_mail_t mta_user_agent }; |
08cd98b7 CP |
157 | |
158 | # Transition from the user domain to the derived domain. | |
296273a7 | 159 | domtrans_pattern($2, sendmail_exec_t, user_mail_t) |
08cd98b7 CP |
160 | allow $2 sendmail_exec_t:lnk_file { getattr read }; |
161 | ||
296273a7 CP |
162 | allow mta_user_agent $2:fd use; |
163 | allow mta_user_agent $2:process sigchld; | |
164 | allow mta_user_agent $2:fifo_file { read write }; | |
1504ff3e CP |
165 | ') |
166 | ||
ac9db9b5 CP |
167 | ######################################## |
168 | ## <summary> | |
169 | ## Make the specified domain usable for a mail server. | |
170 | ## </summary> | |
171 | ## <param name="type"> | |
172 | ## <summary> | |
173 | ## Type to be used as a mail server domain. | |
174 | ## </summary> | |
175 | ## </param> | |
8f3a0a95 CP |
176 | ## <param name="entry_point"> |
177 | ## <summary> | |
178 | ## Type of the program to be used as an entry point to this domain. | |
179 | ## </summary> | |
180 | ## </param> | |
075c4fda | 181 | # |
199895e2 | 182 | interface(`mta_mailserver',` |
5e6f9e5a CP |
183 | gen_require(` |
184 | attribute mailserver_domain; | |
185 | ') | |
0c73cd25 | 186 | |
c9428d33 | 187 | init_daemon_domain($1,$2) |
0c73cd25 | 188 | typeattribute $1 mailserver_domain; |
075c4fda CP |
189 | ') |
190 | ||
36095d11 CP |
191 | ######################################## |
192 | ## <summary> | |
193 | ## Make the specified type an MTA executable file. | |
194 | ## </summary> | |
195 | ## <param name="type"> | |
196 | ## <summary> | |
197 | ## Type to be used as a mail client. | |
198 | ## </summary> | |
199 | ## </param> | |
200 | # | |
201 | interface(`mta_agent_executable',` | |
202 | gen_require(` | |
203 | attribute mta_exec_type; | |
204 | ') | |
205 | ||
206 | typeattribute $1 mta_exec_type; | |
207 | ||
208 | application_executable_file($1) | |
209 | ') | |
210 | ||
211 | ######################################## | |
212 | ## <summary> | |
213 | ## Make the specified type usable by a system MTA. | |
214 | ## </summary> | |
215 | ## <param name="type"> | |
216 | ## <summary> | |
217 | ## Type to be used as a mail client. | |
218 | ## </summary> | |
219 | ## </param> | |
220 | # | |
221 | interface(`mta_system_content',` | |
222 | gen_require(` | |
223 | attribute mailcontent_type; | |
224 | ') | |
225 | ||
226 | typeattribute $1 mailcontent_type; | |
227 | ') | |
228 | ||
e5f80603 CP |
229 | ######################################## |
230 | ## <summary> | |
231 | ## Modified mailserver interface for | |
232 | ## sendmail daemon use. | |
233 | ## </summary> | |
234 | ## <desc> | |
235 | ## <p> | |
236 | ## A modified MTA mail server interface for | |
237 | ## the sendmail program. Its design does | |
238 | ## not fit well with policy, and using the | |
239 | ## regular interface causes a type_transition | |
240 | ## conflict if direct running of init scripts | |
241 | ## is enabled. | |
242 | ## </p> | |
243 | ## <p> | |
244 | ## This interface should most likely only be used | |
245 | ## by the sendmail policy. | |
246 | ## </p> | |
247 | ## </desc> | |
248 | ## <param name="domain"> | |
885b83ec | 249 | ## <summary> |
e5f80603 | 250 | ## The type to be used for the mail server. |
885b83ec | 251 | ## </summary> |
e5f80603 | 252 | ## </param> |
b34db7a8 | 253 | # |
199895e2 | 254 | interface(`mta_sendmail_mailserver',` |
5e6f9e5a | 255 | gen_require(` |
e5f80603 | 256 | attribute mailserver_domain; |
5e6f9e5a CP |
257 | type sendmail_exec_t; |
258 | ') | |
0c73cd25 | 259 | |
3f67f722 | 260 | init_system_domain($1, sendmail_exec_t) |
e5f80603 | 261 | typeattribute $1 mailserver_domain; |
7bba9d31 CP |
262 | ') |
263 | ||
246839f3 CP |
264 | ####################################### |
265 | ## <summary> | |
266 | ## Make a type a mailserver type used | |
267 | ## for sending mail. | |
268 | ## </summary> | |
269 | ## <param name="domain"> | |
885b83ec | 270 | ## <summary> |
246839f3 | 271 | ## Mail server domain type used for sending mail. |
885b83ec | 272 | ## </summary> |
246839f3 CP |
273 | ## </param> |
274 | # | |
275 | interface(`mta_mailserver_sender',` | |
276 | gen_require(` | |
277 | attribute mailserver_sender; | |
278 | ') | |
279 | ||
280 | typeattribute $1 mailserver_sender; | |
281 | ') | |
282 | ||
283 | ####################################### | |
284 | ## <summary> | |
285 | ## Make a type a mailserver type used | |
286 | ## for delivering mail to local users. | |
287 | ## </summary> | |
288 | ## <param name="domain"> | |
885b83ec | 289 | ## <summary> |
246839f3 | 290 | ## Mail server domain type used for delivering mail. |
885b83ec | 291 | ## </summary> |
246839f3 CP |
292 | ## </param> |
293 | # | |
294 | interface(`mta_mailserver_delivery',` | |
295 | gen_require(` | |
296 | attribute mailserver_delivery; | |
88dd3896 | 297 | type mail_spool_t; |
246839f3 CP |
298 | ') |
299 | ||
300 | typeattribute $1 mailserver_delivery; | |
799a0b43 | 301 | |
c0868a7a | 302 | allow $1 mail_spool_t:dir list_dir_perms; |
0bfccda4 CP |
303 | create_files_pattern($1, mail_spool_t, mail_spool_t) |
304 | read_files_pattern($1, mail_spool_t, mail_spool_t) | |
305 | create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) | |
306 | read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) | |
88dd3896 | 307 | |
bb7170f6 | 308 | optional_policy(` |
29ce0009 CP |
309 | dovecot_manage_spool($1) |
310 | ') | |
311 | ||
bb7170f6 | 312 | optional_policy(` |
799a0b43 CP |
313 | # so MTA can access /var/lib/mailman/mail/wrapper |
314 | files_search_var_lib($1) | |
315 | ||
316 | mailman_domtrans($1) | |
317 | mailman_read_data_symlinks($1) | |
318 | ') | |
246839f3 CP |
319 | ') |
320 | ||
321 | ####################################### | |
322 | ## <summary> | |
323 | ## Make a type a mailserver type used | |
324 | ## for sending mail on behalf of local | |
325 | ## users to the local mail spool. | |
326 | ## </summary> | |
327 | ## <param name="domain"> | |
885b83ec | 328 | ## <summary> |
246839f3 | 329 | ## Mail server domain type used for sending local mail. |
885b83ec | 330 | ## </summary> |
246839f3 CP |
331 | ## </param> |
332 | # | |
333 | interface(`mta_mailserver_user_agent',` | |
334 | gen_require(` | |
e749cd12 | 335 | attribute mta_user_agent; |
246839f3 CP |
336 | ') |
337 | ||
e749cd12 CP |
338 | typeattribute $1 mta_user_agent; |
339 | ||
bb7170f6 | 340 | optional_policy(` |
e749cd12 | 341 | # apache should set close-on-exec |
1815bad1 CP |
342 | apache_dontaudit_rw_stream_sockets($1) |
343 | apache_dontaudit_rw_sys_script_stream_sockets($1) | |
e749cd12 | 344 | ') |
246839f3 CP |
345 | ') |
346 | ||
ac9db9b5 CP |
347 | ######################################## |
348 | ## <summary> | |
349 | ## Send mail from the system. | |
350 | ## </summary> | |
351 | ## <param name="domain"> | |
352 | ## <summary> | |
353 | ## Domain allowed access. | |
354 | ## </summary> | |
355 | ## </param> | |
075c4fda | 356 | # |
199895e2 | 357 | interface(`mta_send_mail',` |
5e6f9e5a | 358 | gen_require(` |
88dd3896 | 359 | attribute mta_user_agent; |
36095d11 CP |
360 | type system_mail_t; |
361 | attribute mta_exec_type; | |
5e6f9e5a | 362 | ') |
0c73cd25 | 363 | |
36095d11 CP |
364 | allow $1 mta_exec_type:lnk_file read_lnk_file_perms; |
365 | domtrans_pattern($1, mta_exec_type, system_mail_t) | |
953541a9 | 366 | |
953541a9 CP |
367 | allow mta_user_agent $1:fd use; |
368 | allow mta_user_agent $1:process sigchld; | |
369 | allow mta_user_agent $1:fifo_file { read write }; | |
075c4fda CP |
370 | ') |
371 | ||
88bc7af3 CP |
372 | ######################################## |
373 | ## <summary> | |
374 | ## Execute sendmail in a specified domain. | |
375 | ## </summary> | |
376 | ## <desc> | |
ff8f0a63 | 377 | ## <p> |
88bc7af3 | 378 | ## Execute sendmail in a specified domain. |
ff8f0a63 CP |
379 | ## </p> |
380 | ## <p> | |
381 | ## No interprocess communication (signals, pipes, | |
382 | ## etc.) is provided by this interface since | |
383 | ## the domains are not owned by this module. | |
384 | ## </p> | |
88bc7af3 CP |
385 | ## </desc> |
386 | ## <param name="source_domain"> | |
387 | ## <summary> | |
388 | ## Domain to transition from. | |
389 | ## </summary> | |
390 | ## </param> | |
391 | ## <param name="target_domain"> | |
392 | ## <summary> | |
393 | ## Domain to transition to. | |
394 | ## </summary> | |
395 | ## </param> | |
396 | # | |
397 | interface(`mta_sendmail_domtrans',` | |
398 | gen_require(` | |
399 | type sendmail_exec_t; | |
400 | ') | |
401 | ||
402 | files_search_usr($1) | |
8021cb4f | 403 | corecmd_read_bin_symlinks($1) |
0bfccda4 | 404 | domain_auto_trans($1, sendmail_exec_t, $2) |
88bc7af3 CP |
405 | ') |
406 | ||
ac9db9b5 CP |
407 | ######################################## |
408 | ## <summary> | |
409 | ## Execute sendmail in the caller domain. | |
410 | ## </summary> | |
411 | ## <param name="domain"> | |
412 | ## <summary> | |
413 | ## Domain allowed access. | |
414 | ## </summary> | |
415 | ## </param> | |
075c4fda | 416 | # |
88bc7af3 | 417 | interface(`mta_sendmail_exec',` |
5e6f9e5a CP |
418 | gen_require(` |
419 | type sendmail_exec_t; | |
420 | ') | |
0c73cd25 | 421 | |
0a10b1fa | 422 | can_exec($1, sendmail_exec_t) |
075c4fda CP |
423 | ') |
424 | ||
f932d8e3 CP |
425 | ######################################## |
426 | ## <summary> | |
427 | ## Read mail server configuration. | |
428 | ## </summary> | |
429 | ## <param name="domain"> | |
885b83ec | 430 | ## <summary> |
cc5df23b | 431 | ## Domain allowed access. |
885b83ec | 432 | ## </summary> |
f932d8e3 | 433 | ## </param> |
bbcd3c97 | 434 | ## <rolecap/> |
f932d8e3 CP |
435 | # |
436 | interface(`mta_read_config',` | |
437 | gen_require(` | |
438 | type etc_mail_t; | |
439 | ') | |
440 | ||
441 | files_search_etc($1) | |
30705b6b | 442 | allow $1 etc_mail_t:dir list_dir_perms; |
0bfccda4 CP |
443 | read_files_pattern($1, etc_mail_t, etc_mail_t) |
444 | read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) | |
f932d8e3 CP |
445 | ') |
446 | ||
daa0e0b0 | 447 | ######################################## |
f7ebea06 | 448 | ## <summary> |
414e4151 | 449 | ## Read mail address aliases. |
f7ebea06 | 450 | ## </summary> |
414e4151 | 451 | ## <param name="domain"> |
885b83ec | 452 | ## <summary> |
cc5df23b | 453 | ## Domain allowed access. |
885b83ec | 454 | ## </summary> |
414e4151 | 455 | ## </param> |
daa0e0b0 | 456 | # |
199895e2 | 457 | interface(`mta_read_aliases',` |
5e6f9e5a CP |
458 | gen_require(` |
459 | type etc_aliases_t; | |
5e6f9e5a | 460 | ') |
0c73cd25 | 461 | |
5e6f9e5a | 462 | files_search_etc($1) |
c0868a7a | 463 | allow $1 etc_aliases_t:file read_file_perms; |
daa0e0b0 CP |
464 | ') |
465 | ||
aa7c463e CP |
466 | ######################################## |
467 | ## <summary> | |
468 | ## Create, read, write, and delete mail address aliases. | |
469 | ## </summary> | |
470 | ## <param name="domain"> | |
471 | ## <summary> | |
472 | ## Domain allowed access. | |
473 | ## </summary> | |
474 | ## </param> | |
475 | # | |
476 | interface(`mta_manage_aliases',` | |
477 | gen_require(` | |
478 | type etc_aliases_t; | |
479 | ') | |
480 | ||
481 | files_search_etc($1) | |
482 | manage_files_pattern($1, etc_aliases_t, etc_aliases_t) | |
483 | manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) | |
484 | ') | |
485 | ||
cc5df23b CP |
486 | ######################################## |
487 | ## <summary> | |
488 | ## Type transition files created in /etc | |
489 | ## to the mail address aliases type. | |
490 | ## </summary> | |
491 | ## <param name="domain"> | |
885b83ec | 492 | ## <summary> |
cc5df23b | 493 | ## Domain allowed access. |
885b83ec | 494 | ## </summary> |
cc5df23b CP |
495 | ## </param> |
496 | # | |
103fe280 | 497 | interface(`mta_etc_filetrans_aliases',` |
cc5df23b CP |
498 | gen_require(` |
499 | type etc_aliases_t; | |
500 | ') | |
501 | ||
0bfccda4 | 502 | files_etc_filetrans($1, etc_aliases_t, file) |
cc5df23b CP |
503 | ') |
504 | ||
ac9db9b5 CP |
505 | ######################################## |
506 | ## <summary> | |
507 | ## Read and write mail aliases. | |
508 | ## </summary> | |
509 | ## <param name="domain"> | |
510 | ## <summary> | |
511 | ## Domain allowed access. | |
512 | ## </summary> | |
513 | ## </param> | |
bbcd3c97 | 514 | ## <rolecap/> |
7bba9d31 | 515 | # |
199895e2 | 516 | interface(`mta_rw_aliases',` |
5e6f9e5a CP |
517 | gen_require(` |
518 | type etc_aliases_t; | |
5e6f9e5a | 519 | ') |
0c73cd25 | 520 | |
5e6f9e5a | 521 | files_search_etc($1) |
04926d07 | 522 | allow $1 etc_aliases_t:file { rw_file_perms setattr }; |
7bba9d31 CP |
523 | ') |
524 | ||
799a0b43 CP |
525 | ####################################### |
526 | ## <summary> | |
527 | ## Do not audit attempts to read and write TCP | |
528 | ## sockets of mail delivery domains. | |
529 | ## </summary> | |
530 | ## <param name="domain"> | |
885b83ec | 531 | ## <summary> |
799a0b43 | 532 | ## Mail server domain. |
885b83ec | 533 | ## </summary> |
799a0b43 CP |
534 | ## </param> |
535 | # | |
1815bad1 | 536 | interface(`mta_dontaudit_rw_delivery_tcp_sockets',` |
799a0b43 | 537 | gen_require(` |
77f6e2cd | 538 | attribute mailserver_delivery; |
799a0b43 CP |
539 | ') |
540 | ||
541 | dontaudit $1 mailserver_delivery:tcp_socket { read write }; | |
542 | ') | |
543 | ||
544 | ####################################### | |
545 | ## <summary> | |
33c7e6b4 | 546 | ## Connect to all mail servers over TCP. (Deprecated) |
799a0b43 CP |
547 | ## </summary> |
548 | ## <param name="domain"> | |
885b83ec | 549 | ## <summary> |
799a0b43 | 550 | ## Mail server domain. |
885b83ec | 551 | ## </summary> |
799a0b43 CP |
552 | ## </param> |
553 | # | |
554 | interface(`mta_tcp_connect_all_mailservers',` | |
33c7e6b4 | 555 | refpolicywarn(`$0($*) has been deprecated.') |
799a0b43 CP |
556 | ') |
557 | ||
a42ca7eb CP |
558 | ####################################### |
559 | ## <summary> | |
560 | ## Do not audit attempts to read a symlink | |
561 | ## in the mail spool. | |
562 | ## </summary> | |
563 | ## <param name="domain"> | |
885b83ec | 564 | ## <summary> |
a42ca7eb | 565 | ## Domain allowed access. |
885b83ec | 566 | ## </summary> |
a42ca7eb CP |
567 | ## </param> |
568 | # | |
1815bad1 | 569 | interface(`mta_dontaudit_read_spool_symlinks',` |
a42ca7eb CP |
570 | gen_require(` |
571 | type mail_spool_t; | |
a42ca7eb CP |
572 | ') |
573 | ||
574 | dontaudit $1 mail_spool_t:lnk_file read; | |
575 | ') | |
576 | ||
ac9db9b5 CP |
577 | ######################################## |
578 | ## <summary> | |
579 | ## Get the attributes of mail spool files. | |
580 | ## </summary> | |
581 | ## <param name="domain"> | |
582 | ## <summary> | |
583 | ## Domain allowed access. | |
584 | ## </summary> | |
585 | ## </param> | |
4bf4ed9e | 586 | # |
199895e2 | 587 | interface(`mta_getattr_spool',` |
5e6f9e5a CP |
588 | gen_require(` |
589 | type mail_spool_t; | |
5e6f9e5a | 590 | ') |
0c73cd25 | 591 | |
c9428d33 | 592 | files_search_spool($1) |
c0868a7a | 593 | allow $1 mail_spool_t:dir list_dir_perms; |
0c73cd25 CP |
594 | allow $1 mail_spool_t:lnk_file read; |
595 | allow $1 mail_spool_t:file getattr; | |
4bf4ed9e CP |
596 | ') |
597 | ||
ac9db9b5 CP |
598 | ######################################## |
599 | ## <summary> | |
600 | ## Do not audit attempts to get the attributes | |
601 | ## of mail spool files. | |
602 | ## </summary> | |
603 | ## <param name="domain"> | |
604 | ## <summary> | |
605 | ## Domain to not audit. | |
606 | ## </summary> | |
607 | ## </param> | |
608 | # | |
1815bad1 | 609 | interface(`mta_dontaudit_getattr_spool_files',` |
0f5d13fe CP |
610 | gen_require(` |
611 | type mail_spool_t; | |
612 | ') | |
613 | ||
614 | files_dontaudit_search_spool($1) | |
615 | dontaudit $1 mail_spool_t:dir search; | |
616 | dontaudit $1 mail_spool_t:lnk_file read; | |
617 | dontaudit $1 mail_spool_t:file getattr; | |
618 | ') | |
619 | ||
a089b6d0 CP |
620 | ####################################### |
621 | ## <summary> | |
622 | ## Create private objects in the | |
623 | ## mail spool directory. | |
624 | ## </summary> | |
625 | ## <param name="domain"> | |
885b83ec | 626 | ## <summary> |
a089b6d0 | 627 | ## Domain allowed access. |
885b83ec | 628 | ## </summary> |
a089b6d0 CP |
629 | ## </param> |
630 | ## <param name="private type"> | |
885b83ec | 631 | ## <summary> |
a089b6d0 | 632 | ## The type of the object to be created. |
885b83ec | 633 | ## </summary> |
a089b6d0 | 634 | ## </param> |
1c1ac67f | 635 | ## <param name="object"> |
885b83ec | 636 | ## <summary> |
1c1ac67f | 637 | ## The object class of the object being created. |
885b83ec | 638 | ## </summary> |
a089b6d0 CP |
639 | ## </param> |
640 | # | |
103fe280 | 641 | interface(`mta_spool_filetrans',` |
a089b6d0 CP |
642 | gen_require(` |
643 | type mail_spool_t; | |
644 | ') | |
645 | ||
646 | files_search_spool($1) | |
0bfccda4 | 647 | filetrans_pattern($1, mail_spool_t, $2, $3) |
a089b6d0 CP |
648 | ') |
649 | ||
ac9db9b5 CP |
650 | ######################################## |
651 | ## <summary> | |
652 | ## Read and write the mail spool. | |
653 | ## </summary> | |
654 | ## <param name="domain"> | |
655 | ## <summary> | |
656 | ## Domain allowed access. | |
657 | ## </summary> | |
658 | ## </param> | |
b16c6b8c | 659 | # |
199895e2 | 660 | interface(`mta_rw_spool',` |
5e6f9e5a CP |
661 | gen_require(` |
662 | type mail_spool_t; | |
5e6f9e5a | 663 | ') |
0c73cd25 | 664 | |
c9428d33 | 665 | files_search_spool($1) |
c0868a7a CP |
666 | allow $1 mail_spool_t:dir list_dir_perms; |
667 | allow $1 mail_spool_t:file setattr; | |
0bfccda4 CP |
668 | rw_files_pattern($1, mail_spool_t, mail_spool_t) |
669 | read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) | |
b16c6b8c CP |
670 | ') |
671 | ||
246839f3 CP |
672 | ####################################### |
673 | ## <summary> | |
674 | ## Create, read, and write the mail spool. | |
675 | ## </summary> | |
676 | ## <param name="domain"> | |
885b83ec | 677 | ## <summary> |
246839f3 | 678 | ## Domain allowed access. |
885b83ec | 679 | ## </summary> |
246839f3 CP |
680 | ## </param> |
681 | # | |
682 | interface(`mta_append_spool',` | |
683 | gen_require(` | |
684 | type mail_spool_t; | |
246839f3 CP |
685 | ') |
686 | ||
687 | files_search_spool($1) | |
c0868a7a | 688 | allow $1 mail_spool_t:dir list_dir_perms; |
0bfccda4 CP |
689 | create_files_pattern($1, mail_spool_t, mail_spool_t) |
690 | write_files_pattern($1, mail_spool_t, mail_spool_t) | |
691 | read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) | |
246839f3 CP |
692 | ') |
693 | ||
04926d07 CP |
694 | ####################################### |
695 | ## <summary> | |
696 | ## Delete from the mail spool. | |
697 | ## </summary> | |
698 | ## <param name="domain"> | |
885b83ec | 699 | ## <summary> |
04926d07 | 700 | ## Domain allowed access. |
885b83ec | 701 | ## </summary> |
04926d07 CP |
702 | ## </param> |
703 | # | |
704 | interface(`mta_delete_spool',` | |
705 | gen_require(` | |
706 | type mail_spool_t; | |
707 | ') | |
708 | ||
709 | files_search_spool($1) | |
0bfccda4 | 710 | delete_files_pattern($1, mail_spool_t, mail_spool_t) |
04926d07 CP |
711 | ') |
712 | ||
ac9db9b5 CP |
713 | ######################################## |
714 | ## <summary> | |
715 | ## Create, read, write, and delete mail spool files. | |
716 | ## </summary> | |
717 | ## <param name="domain"> | |
718 | ## <summary> | |
719 | ## Domain allowed access. | |
720 | ## </summary> | |
721 | ## </param> | |
7bba9d31 | 722 | # |
199895e2 | 723 | interface(`mta_manage_spool',` |
5e6f9e5a CP |
724 | gen_require(` |
725 | type mail_spool_t; | |
5e6f9e5a | 726 | ') |
0c73cd25 | 727 | |
c9428d33 | 728 | files_search_spool($1) |
0bfccda4 CP |
729 | manage_dirs_pattern($1, mail_spool_t, mail_spool_t) |
730 | manage_files_pattern($1, mail_spool_t, mail_spool_t) | |
731 | manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) | |
7bba9d31 CP |
732 | ') |
733 | ||
a39a9313 CP |
734 | ######################################## |
735 | ## <summary> | |
736 | ## Search mail queue dirs. | |
737 | ## </summary> | |
738 | ## <param name="domain"> | |
739 | ## <summary> | |
740 | ## Domain allowed access. | |
741 | ## </summary> | |
742 | ## </param> | |
743 | # | |
744 | interface(`mta_search_queue',` | |
745 | gen_require(` | |
746 | type mqueue_spool_t; | |
747 | ') | |
748 | ||
749 | files_search_spool($1) | |
750 | allow $1 mqueue_spool_t:dir search_dir_perms; | |
751 | ') | |
752 | ||
9ff89c44 CP |
753 | ####################################### |
754 | ## <summary> | |
755 | ## Read the mail queue. | |
756 | ## </summary> | |
757 | ## <param name="domain"> | |
758 | ## <summary> | |
759 | ## Domain allowed access. | |
760 | ## </summary> | |
761 | ## </param> | |
762 | # | |
763 | interface(`mta_read_queue',` | |
764 | gen_require(` | |
765 | type mqueue_spool_t; | |
766 | ') | |
767 | ||
768 | read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) | |
769 | files_search_spool($1) | |
770 | ') | |
771 | ||
3e6c816d CP |
772 | ####################################### |
773 | ## <summary> | |
774 | ## Do not audit attempts to read and | |
775 | ## write the mail queue. | |
776 | ## </summary> | |
777 | ## <param name="domain"> | |
885b83ec | 778 | ## <summary> |
3e6c816d | 779 | ## Domain to not audit. |
885b83ec | 780 | ## </summary> |
3e6c816d CP |
781 | ## </param> |
782 | # | |
783 | interface(`mta_dontaudit_rw_queue',` | |
784 | gen_require(` | |
785 | type mqueue_spool_t; | |
786 | ') | |
787 | ||
d6d16b97 | 788 | dontaudit $1 mqueue_spool_t:dir search_dir_perms; |
3e6c816d CP |
789 | dontaudit $1 mqueue_spool_t:file { getattr read write }; |
790 | ') | |
791 | ||
ac9db9b5 CP |
792 | ######################################## |
793 | ## <summary> | |
794 | ## Create, read, write, and delete | |
795 | ## mail queue files. | |
796 | ## </summary> | |
797 | ## <param name="domain"> | |
798 | ## <summary> | |
799 | ## Domain allowed access. | |
800 | ## </summary> | |
801 | ## </param> | |
7bba9d31 | 802 | # |
199895e2 | 803 | interface(`mta_manage_queue',` |
5e6f9e5a CP |
804 | gen_require(` |
805 | type mqueue_spool_t; | |
5e6f9e5a | 806 | ') |
0c73cd25 | 807 | |
b24f35d8 | 808 | files_search_spool($1) |
0bfccda4 | 809 | manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) |
7bba9d31 | 810 | ') |
04926d07 CP |
811 | |
812 | ####################################### | |
813 | ## <summary> | |
814 | ## Read sendmail binary. | |
ef5ca0fb | 815 | ## </summary> |
04926d07 | 816 | ## <param name="domain"> |
885b83ec | 817 | ## <summary> |
04926d07 | 818 | ## Domain allowed access. |
885b83ec | 819 | ## </summary> |
04926d07 CP |
820 | ## </param> |
821 | # | |
822 | # cjp: added for postfix | |
823 | interface(`mta_read_sendmail_bin',` | |
824 | gen_require(` | |
60789e16 | 825 | type sendmail_exec_t; |
04926d07 CP |
826 | ') |
827 | ||
c0868a7a | 828 | allow $1 sendmail_exec_t:file read_file_perms; |
04926d07 CP |
829 | ') |
830 | ||
831 | ####################################### | |
832 | ## <summary> | |
833 | ## Read and write unix domain stream sockets | |
834 | ## of user mail domains. | |
835 | ## </summary> | |
836 | ## <param name="domain"> | |
885b83ec | 837 | ## <summary> |
04926d07 | 838 | ## Domain allowed access. |
885b83ec | 839 | ## </summary> |
04926d07 CP |
840 | ## </param> |
841 | # | |
1815bad1 | 842 | interface(`mta_rw_user_mail_stream_sockets',` |
04926d07 CP |
843 | gen_require(` |
844 | attribute user_mail_domain; | |
845 | ') | |
846 | ||
847 | allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; | |
848 | ') |