[people/stevee/selinux-policy.git] / policy / modules / services / qmail.if

## <summary>Qmail Mail Server</summary>

########################################
## <summary>
##	Template for qmail parent/sub-domain pairs
## </summary>
## <param name="child_prefix">
##	<summary>
##	The prefix of the child domain
##	</summary>
## </param>
## <param name="parent_domain">
##	<summary>
##	The name of the parent domain.
##	</summary>
## </param>
#
template(`qmail_child_domain_template',`
	type $1_t;
	domain_type($1_t)
	type $1_exec_t;
	domain_entry_file($1_t, $1_exec_t)
	domain_auto_trans($2, $1_exec_t, $1_t)
	role system_r types $1_t;

	allow $1_t self:process signal_perms;

	allow $1_t $2:fd use;
	allow $1_t $2:fifo_file rw_file_perms;
	allow $1_t $2:process sigchld;

	allow $1_t qmail_etc_t:dir list_dir_perms;
	allow $1_t qmail_etc_t:file read_file_perms;
	allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;

	allow $1_t qmail_start_t:fd use;

	kernel_list_proc($2)
	kernel_read_proc_symlinks($2)

	corecmd_search_bin($1_t)

	files_search_var($1_t)

	fs_getattr_xattr_fs($1_t)

	miscfiles_read_localization($1_t)
')

########################################
## <summary>
##	Transition to qmail_inject_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`qmail_domtrans_inject',`
	gen_require(`
		type qmail_inject_t, qmail_inject_exec_t;
	')

	domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)

	ifdef(`distro_debian',`
		files_search_usr($1)
		corecmd_search_bin($1)
	',`
		files_search_var($1)
		corecmd_search_bin($1)
	')
')

########################################
## <summary>
##	Transition to qmail_queue_t
## </summary>
## <param name="domain">
##	<summary>
##		Domain allowed access
##	</summary>
## </param>
#
interface(`qmail_domtrans_queue',`
	gen_require(`
		type qmail_queue_t, qmail_queue_exec_t;
	')

	domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)

	ifdef(`distro_debian',`
		files_search_usr($1)
		corecmd_search_bin($1)
	',`
		files_search_var($1)
		corecmd_search_bin($1)
	')
')

########################################
## <summary>
##	Read qmail configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`qmail_read_config',`
	gen_require(`
		type qmail_etc_t;
	')

	allow $1 qmail_etc_t:dir list_dir_perms;
	allow $1 qmail_etc_t:file read_file_perms;
	allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
	files_search_var($1)

	ifdef(`distro_debian',`
		# handle /etc/qmail
		files_search_etc($1)
	')
')

########################################
## <summary>
##	Define the specified domain as a qmail-smtp service. 
##	Needed by antivirus/antispam filters.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type associated with the process program.
##	</summary>
## </param>
#
interface(`qmail_smtpd_service_domain',`
	gen_require(`
		type qmail_smtpd_t;
	')

	domtrans_pattern(qmail_smtpd_t, $2, $1)
')
Commit	Line	Data
65e131f0 CP	1	## <summary>Qmail Mail Server</summary>
65e131f0 CP	2
65e131f0 CP	3	########################################
	4	## <summary>
	5	## Template for qmail parent/sub-domain pairs
	6	## </summary>
	7	## <param name="child_prefix">
	8	## <summary>
	9	## The prefix of the child domain
	10	## </summary>
	11	## </param>
	12	## <param name="parent_domain">
	13	## <summary>
	14	## The name of the parent domain.
	15	## </summary>
	16	## </param>
	17	#
	18	template(`qmail_child_domain_template',`
	19	type $1_t;
	20	domain_type($1_t)
	21	type $1_exec_t;
0bfccda4	22	domain_entry_file($1_t, $1_exec_t)
65e131f0 CP	23	domain_auto_trans($2, $1_exec_t, $1_t)
	24	role system_r types $1_t;
	25
	26	allow $1_t self:process signal_perms;
	27
	28	allow $1_t $2:fd use;
	29	allow $1_t $2:fifo_file rw_file_perms;
	30	allow $1_t $2:process sigchld;
	31
82d2775c CP	32	allow $1_t qmail_etc_t:dir list_dir_perms;
	33	allow $1_t qmail_etc_t:file read_file_perms;
	34	allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
65e131f0 CP	35
	36	allow $1_t qmail_start_t:fd use;
	37
	38	kernel_list_proc($2)
	39	kernel_read_proc_symlinks($2)
	40
	41	corecmd_search_bin($1_t)
	42
	43	files_search_var($1_t)
	44
	45	fs_getattr_xattr_fs($1_t)
65e131f0 CP	46
	47	miscfiles_read_localization($1_t)
	48	')
	49
	50	########################################
	51	## <summary>
	52	## Transition to qmail_inject_t
	53	## </summary>
	54	## <param name="domain">
	55	## <summary>
	56	## Domain allowed access
	57	## </summary>
	58	## </param>
	59	#
	60	interface(`qmail_domtrans_inject',`
	61	gen_require(`
0bfccda4	62	type qmail_inject_t, qmail_inject_exec_t;
65e131f0 CP	63	')
65e131f0 CP	64
c0868a7a	65	domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
65e131f0 CP	66
	67	ifdef(`distro_debian',`
	68	files_search_usr($1)
8021cb4f	69	corecmd_search_bin($1)
65e131f0 CP	70	',`
	71	files_search_var($1)
	72	corecmd_search_bin($1)
	73	')
	74	')
	75
	76	########################################
	77	## <summary>
	78	## Transition to qmail_queue_t
	79	## </summary>
	80	## <param name="domain">
	81	## <summary>
	82	## Domain allowed access
	83	## </summary>
	84	## </param>
	85	#
	86	interface(`qmail_domtrans_queue',`
	87	gen_require(`
0bfccda4	88	type qmail_queue_t, qmail_queue_exec_t;
65e131f0 CP	89	')
65e131f0 CP	90
c0868a7a	91	domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
65e131f0 CP	92
	93	ifdef(`distro_debian',`
	94	files_search_usr($1)
8021cb4f	95	corecmd_search_bin($1)
65e131f0 CP	96	',`
	97	files_search_var($1)
	98	corecmd_search_bin($1)
	99	')
	100	')
	101
	102	########################################
	103	## <summary>
	104	## Read qmail configuration files.
	105	## </summary>
	106	## <param name="domain">
	107	## <summary>
	108	## Domain allowed access.
	109	## </summary>
	110	## </param>
bbcd3c97	111	## <rolecap/>
65e131f0 CP	112	#
	113	interface(`qmail_read_config',`
	114	gen_require(`
	115	type qmail_etc_t;
	116	')
	117
82d2775c CP	118	allow $1 qmail_etc_t:dir list_dir_perms;
	119	allow $1 qmail_etc_t:file read_file_perms;
	120	allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
65e131f0 CP	121	files_search_var($1)
	122
	123	ifdef(`distro_debian',`
	124	# handle /etc/qmail
	125	files_search_etc($1)
	126	')
	127	')
	128
	129	########################################
	130	## <summary>
	131	## Define the specified domain as a qmail-smtp service.
	132	## Needed by antivirus/antispam filters.
	133	## </summary>
	134	## <param name="domain">
	135	## <summary>
	136	## Domain allowed access
	137	## </summary>
	138	## </param>
	139	## <param name="entrypoint">
	140	## <summary>
	141	## The type associated with the process program.
	142	## </summary>
	143	## </param>
	144	#
	145	interface(`qmail_smtpd_service_domain',`
	146	gen_require(`
	147	type qmail_smtpd_t;
	148	')
	149
3f67f722	150	domtrans_pattern(qmail_smtpd_t, $2, $1)
65e131f0	151	')