policy_module(amavis,1.0.2)

########################################
#
# Declarations
#

# amavis_t is the daemon domain, amavis_exec_t its entry point;
# init_daemon_domain lets init transition into amavis_t on exec.
type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files (read-only for the daemon, see below)
type amavis_etc_t;
files_type(amavis_etc_t)

# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine
# kept as its own type so quarantined mail is reachable only by rules
# that name it explicitly; nothing else in this file grants access to it
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

########################################
#
# amavis local policy
#

# process capabilities: dac_override bypasses discretionary file mode
# checks for the whole domain, the rest are the uid/gid switching set.
# NOTE(review): confirm dac_override is still required rather than
# fixing ownership of the spool/quarantine directories.
allow amavis_t self:capability { chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
# NOTE(review): only listen and accept are granted on the domain's own
# TCP sockets, while the corenet_* rules below bind and connect on them;
# the create/bind/connect socket permissions are not visible in this
# file - confirm they are granted elsewhere or this is a gap.
allow amavis_t self:tcp_socket { listen accept };

# configuration files - read only, no write or create rights
allow amavis_t amavis_etc_t:dir r_dir_perms;
allow amavis_t amavis_etc_t:file r_file_perms;
allow amavis_t amavis_etc_t:lnk_file { getattr read };

# mail quarantine - full create/delete rights on files, sockets and dirs
allow amavis_t amavis_quarantine_t:file create_file_perms;
allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
allow amavis_t amavis_quarantine_t:dir create_dir_perms;

# tmp files - files the daemon creates in tmp are labelled amavis_tmp_t
allow amavis_t amavis_tmp_t:file create_file_perms;
allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)

# var/lib files for amavis
allow amavis_t amavis_var_lib_t:file create_file_perms;
allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
allow amavis_t amavis_var_lib_t:dir create_dir_perms;
# NOTE(review): the first transition presumably covers objects created
# directly under the var type, not only under var/lib; check whether
# the var_lib transition alone is sufficient for this daemon.
files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)

# log files - create/append rights plus a transition for new log objects
allow amavis_t amavis_var_log_t:file create_file_perms;
allow amavis_t amavis_var_log_t:sock_file create_file_perms;
allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })

# pid file
allow amavis_t amavis_var_run_t:file manage_file_perms;
allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
allow amavis_t amavis_var_run_t:dir rw_dir_perms;
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })

# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
# these probes are silenced with dontaudit (here and via the shadow and
# sysadm home rules below) rather than allowed: the access is still
# denied, it just does not fill the audit log.
kernel_dontaudit_list_proc(amavis_t)

# find perl
corecmd_exec_bin(amavis_t)
corecmd_search_sbin(amavis_t)

# networking: the daemon's own ports are named explicitly, but the
# all_ports rule below means the peer side may use any port type
corenet_non_ipsec_sendrecv(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
# NOTE(review): this is the broadest network rule in the file; if the
# peers are known, naming their port types instead would narrow it.
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)

# random devices
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

# see the /etc/shadow note above - denied but not logged
auth_dontaudit_read_shadow(amavis_t)

init_use_fds(amavis_t)
init_use_script_ptys(amavis_t)

libs_use_ld_so(amavis_t)
libs_use_shared_libs(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)

# see the /root note above - denied but not logged
userdom_dontaudit_search_sysadm_home_dirs(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

# read (not write) the MTA configuration
mta_read_config(amavis_t)

# optional integrations: each block only takes effect when the named
# module is part of the build, so a missing scanner does not break the
# amavis module itself.
optional_policy(`
	clamav_stream_connect(amavis_t)
')

optional_policy(`
	dcc_domtrans_client(amavis_t)
	dcc_stream_connect_dccifd(amavis_t)
')

optional_policy(`
	ldap_use(amavis_t)
')

optional_policy(`
	pyzor_domtrans(amavis_t)
')

optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
')