projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 8a0a9944 | 1 | |
| 6ba4d964 | 2 | policy_module(amavis,1.0.2) |
| 8a0a9944 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| 8 | ||
| 9 | type amavis_t; | |
| 10 | type amavis_exec_t; | |
| 11 | domain_type(amavis_t) | |
| 12 | init_daemon_domain(amavis_t, amavis_exec_t) | |
| 13 | ||
| 14 | # configuration files | |
| 15 | type amavis_etc_t; | |
| 16 | files_type(amavis_etc_t) | |
| 17 | ||
| 18 | # pid files | |
| 19 | type amavis_var_run_t; | |
| 20 | files_pid_file(amavis_var_run_t) | |
| 21 | ||
| 22 | # var/lib files | |
| 23 | type amavis_var_lib_t; | |
| 24 | files_type(amavis_var_lib_t) | |
| 25 | ||
| 26 | # log files | |
| 27 | type amavis_var_log_t; | |
| 28 | logging_log_file(amavis_var_log_t) | |
| 29 | ||
| 30 | # tmp files | |
| 31 | type amavis_tmp_t; | |
| 32 | files_tmp_file(amavis_tmp_t) | |
| 33 | ||
| 34 | # virus quarantine | |
| 35 | type amavis_quarantine_t; | |
| 36 | files_type(amavis_quarantine_t) | |
| 37 | ||
| 38 | ######################################## | |
| 39 | # | |
| 40 | # amavis local policy | |
| 41 | # | |
| 42 | ||
| 43 | allow amavis_t self:capability { chown dac_override setgid setuid }; | |
| 44 | dontaudit amavis_t self:capability sys_tty_config; | |
| 45 | allow amavis_t self:process { signal sigchld signull }; | |
| 46 | allow amavis_t self:fifo_file rw_file_perms; | |
| 47 | allow amavis_t self:unix_stream_socket create_stream_socket_perms; | |
| 48 | allow amavis_t self:unix_dgram_socket create_socket_perms; | |
| 49 | allow amavis_t self:tcp_socket { listen accept }; | |
| 50 | ||
| 51 | # configuration files | |
| 52 | allow amavis_t amavis_etc_t:dir r_dir_perms; | |
| 53 | allow amavis_t amavis_etc_t:file r_file_perms; | |
| 54 | allow amavis_t amavis_etc_t:lnk_file { getattr read }; | |
| 55 | ||
| 56 | # mail quarantine | |
| 57 | allow amavis_t amavis_quarantine_t:file create_file_perms; | |
| 58 | allow amavis_t amavis_quarantine_t:sock_file create_file_perms; | |
| 59 | allow amavis_t amavis_quarantine_t:dir create_dir_perms; | |
| 60 | ||
| 61 | # tmp files | |
| 62 | allow amavis_t amavis_tmp_t:file create_file_perms; | |
| 63 | allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr }; | |
| 64 | files_tmp_filetrans(amavis_t,amavis_tmp_t,file) | |
| 65 | ||
| 66 | # var/lib files for amavis | |
| 67 | allow amavis_t amavis_var_lib_t:file create_file_perms; | |
| 68 | allow amavis_t amavis_var_lib_t:sock_file create_file_perms; | |
| 69 | allow amavis_t amavis_var_lib_t:dir create_dir_perms; | |
| 70 | files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file }) | |
| 71 | files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file) | |
| 72 | ||
| 73 | # log files | |
| 74 | allow amavis_t amavis_var_log_t:file create_file_perms; | |
| 75 | allow amavis_t amavis_var_log_t:sock_file create_file_perms; | |
| 76 | allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr }; | |
| 77 | logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir }) | |
| 78 | ||
| 79 | # pid file | |
| 80 | allow amavis_t amavis_var_run_t:file manage_file_perms; | |
| 81 | allow amavis_t amavis_var_run_t:sock_file manage_file_perms; | |
| 82 | allow amavis_t amavis_var_run_t:dir rw_dir_perms; | |
| 83 | files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file }) | |
| 84 | ||
| 85 | # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... | |
| 86 | kernel_dontaudit_list_proc(amavis_t) | |
| 87 | ||
| 88 | # find perl | |
| 89 | corecmd_exec_bin(amavis_t) | |
| 90 | corecmd_search_sbin(amavis_t) | |
| 91 | ||
| 92 | corenet_non_ipsec_sendrecv(amavis_t) | |
| 93 | corenet_tcp_sendrecv_all_if(amavis_t) | |
| 94 | corenet_tcp_sendrecv_all_nodes(amavis_t) | |
| 95 | # amavis uses well-defined ports | |
| 96 | corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) | |
| 97 | corenet_tcp_sendrecv_amavisd_send_port(amavis_t) | |
| 98 | # just the other side not. ;-) | |
| 99 | corenet_tcp_sendrecv_all_ports(amavis_t) | |
| 100 | # connect to backchannel port | |
| 101 | corenet_tcp_connect_amavisd_send_port(amavis_t) | |
| 102 | # bind to incoming port | |
| 103 | corenet_tcp_bind_amavisd_recv_port(amavis_t) | |
| 104 | ||
| 105 | dev_read_rand(amavis_t) | |
| 106 | dev_read_urand(amavis_t) | |
| 107 | ||
| 108 | domain_use_interactive_fds(amavis_t) | |
| 109 | ||
| 110 | files_read_etc_files(amavis_t) | |
| 111 | files_read_etc_runtime_files(amavis_t) | |
| 112 | files_read_usr_files(amavis_t) | |
| 113 | ||
| 114 | auth_dontaudit_read_shadow(amavis_t) | |
| 115 | ||
| 116 | init_use_fds(amavis_t) | |
| 117 | init_use_script_ptys(amavis_t) | |
| 118 | ||
| 119 | libs_use_ld_so(amavis_t) | |
| 120 | libs_use_shared_libs(amavis_t) | |
| 121 | ||
| 122 | logging_send_syslog_msg(amavis_t) | |
| 123 | ||
| 124 | miscfiles_read_localization(amavis_t) | |
| 125 | ||
| 126 | sysnet_dns_name_resolve(amavis_t) | |
| 127 | ||
| 128 | userdom_dontaudit_search_sysadm_home_dirs(amavis_t) | |
| 129 | ||
| 130 | # Cron handling | |
| 131 | cron_use_fds(amavis_t) | |
| 132 | cron_use_system_job_fds(amavis_t) | |
| 133 | cron_rw_pipes(amavis_t) | |
| 134 | ||
| 135 | mta_read_config(amavis_t) | |
| 136 | ||
| bb7170f6 | 137 | optional_policy(` |
| 8a0a9944 CP |
138 | clamav_stream_connect(amavis_t) |
| 139 | ') | |
| 140 | ||
| 6ba4d964 CP |
141 | optional_policy(` |
| 142 | dcc_domtrans_client(amavis_t) | |
| 143 | dcc_stream_connect_dccifd(amavis_t) | |
| 144 | ') | |
| 145 | ||
| bb7170f6 | 146 | optional_policy(` |
| 8a0a9944 CP |
147 | ldap_use(amavis_t) |
| 148 | ') | |
| 149 | ||
| e9935943 CP |
150 | optional_policy(` |
| 151 | pyzor_domtrans(amavis_t) | |
| 152 | ') | |
| 153 | ||
| bb7170f6 | 154 | optional_policy(` |
| 8a0a9944 CP |
155 | spamassassin_exec(amavis_t) |
| 156 | spamassassin_exec_client(amavis_t) | |
| 157 | ') |