6b93833b | 1 | |
fb63d0b5 | 2 | policy_module(mta,1.3.3) |
6b93833b | 3 | |
4 | ######################################## |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | attribute mta_user_agent; |
10 | attribute mailserver_delivery; | |
11 | attribute mailserver_domain; | |
12 | attribute mailserver_sender; | |
13 | ||
14 | attribute user_mail_domain; |
15 | ||
6b93833b | 16 | type etc_aliases_t; |
8fd36732 | 17 | files_type(etc_aliases_t) |
18 | |
19 | type etc_mail_t; | |
9bbc757a | 20 | files_config_file(etc_mail_t) |
21 | |
22 | type mqueue_spool_t; | |
8fd36732 | 23 | files_type(mqueue_spool_t) |
24 | |
25 | type mail_spool_t; | |
8fd36732 | 26 | files_type(mail_spool_t) |
27 | |
28 | type sendmail_exec_t; | |
8fd36732 | 29 | files_type(sendmail_exec_t) |
075c4fda | 30 | |
08cd98b7 | 31 | mta_base_mail_template(system) |
32 | role system_r types system_mail_t; |
33 | ||
34 | # cjp: need to resolve this, but require{} |
35 | # does not work in the else part of the optional | |
08cd98b7 | 36 | #ifdef(`strict_policy',` |
bb7170f6 | 37 | # optional_policy(`',` |
38 | # init_system_domain(system_mail_t,sendmail_exec_t) |
39 | # ') | |
40 | #') | |
7bba9d31 | 41 | |
42 | ######################################## |
43 | # | |
44 | # System mail local policy | |
45 | # | |
46 | ||
47 | # newaliases required this; not sure if it is needed in the .if file |
48 | allow system_mail_t self:capability { dac_override }; | |
49 | ||
f13da83f | 50 | allow system_mail_t etc_mail_t:dir { getattr search }; |
51 | allow system_mail_t etc_mail_t:file r_file_perms; |
52 | ||
53 | kernel_read_system_state(system_mail_t) |
54 | kernel_read_network_state(system_mail_t) | |
55 | ||
98a8ead4 | 56 | dev_read_rand(system_mail_t) |
f0c985ca | 57 | dev_read_urand(system_mail_t) |
075c4fda | 58 | |
59 | fs_read_eventpollfs(system_mail_t) |
60 | ||
1815bad1 | 61 | init_use_script_ptys(system_mail_t) |
075c4fda | 62 | |
63 | userdom_use_sysadm_terms(system_mail_t) |
64 | ||
65 | ifdef(`targeted_policy',` | |
66 | typealias system_mail_t alias sysadm_mail_t; |
67 | ||
68 | allow system_mail_t mail_spool_t:dir create_dir_perms; |
69 | allow system_mail_t mail_spool_t:file create_file_perms; | |
70 | allow system_mail_t mail_spool_t:lnk_file create_lnk_perms; | |
71 | allow system_mail_t mail_spool_t:fifo_file rw_file_perms; | |
72 | ||
73 | allow system_mail_t mqueue_spool_t:dir create_dir_perms; | |
74 | allow system_mail_t mqueue_spool_t:file create_file_perms; | |
75 | allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms; | |
76 | ||
77 | # for reading .forward - maybe we need a new type for it? |
78 | # also for delivering mail to maildir | |
79 | # cjp: fix this to generic_user interfaces | |
80 | userdom_manage_user_home_content_dirs(user,mailserver_delivery) |
81 | userdom_manage_generic_user_home_content_files(mailserver_delivery) | |
82 | userdom_manage_generic_user_home_content_symlinks(mailserver_delivery) | |
83 | userdom_manage_generic_user_home_content_sockets(mailserver_delivery) | |
84 | userdom_manage_generic_user_home_content_pipes(mailserver_delivery) | |
85 | userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file }) | |
88dd3896 | 86 | |
af4752bc | 87 | # cjp: another require-in-else to resolve |
bb7170f6 | 88 | # optional_policy(`',` |
fb63d0b5 | 89 | corecmd_exec_all_executables(system_mail_t) |
90 | |
91 | files_exec_etc_files(system_mail_t) | |
92 | ||
93 | libs_exec_ld_so(system_mail_t) |
94 | libs_exec_lib_files(system_mail_t) | |
af4752bc | 95 | # ') |
96 | ') |
97 | ||
bb7170f6 | 98 | optional_policy(` |
99 | apache_read_squirrelmail_data(system_mail_t) |
100 | apache_append_squirrelmail_data(system_mail_t) | |
101 | ||
102 | # apache should set close-on-exec | |
103 | apache_dontaudit_append_log(system_mail_t) | |
104 | apache_dontaudit_rw_stream_sockets(system_mail_t) |
105 | apache_dontaudit_rw_tcp_sockets(system_mail_t) | |
106 | apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) | |
107 | ') |
108 | ||
bb7170f6 | 109 | optional_policy(` |
110 | arpwatch_manage_tmp_files(system_mail_t) |
111 | ||
112 | ifdef(`hide_broken_symptoms', ` | |
1815bad1 | 113 | arpwatch_dontaudit_rw_packet_sockets(system_mail_t) |
1504ff3e | 114 | ') |
115 | ') |
116 | ||
bb7170f6 | 117 | optional_policy(` |
246839f3 | 118 | cron_read_system_job_tmp_files(system_mail_t) |
1815bad1 | 119 | cron_dontaudit_write_pipes(system_mail_t) |
120 | ') |
121 | ||
bb7170f6 | 122 | optional_policy(` |
123 | cvs_read_data(system_mail_t) |
124 | ') | |
125 | ||
bb7170f6 | 126 | optional_policy(` |
127 | logrotate_read_tmp_files(system_mail_t) |
128 | ') | |
129 | ||
bb7170f6 | 130 | optional_policy(` |
131 | logwatch_read_tmp_files(system_mail_t) |
132 | ') | |
133 | ||
134 | optional_policy(` |
135 | nagios_read_tmp_files(system_mail_t) | |
136 | ') | |
137 | ||
bb7170f6 | 138 | optional_policy(` |
139 | allow system_mail_t etc_aliases_t:dir create_dir_perms; |
140 | allow system_mail_t etc_aliases_t:file create_file_perms; | |
141 | allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms; | |
142 | allow system_mail_t etc_aliases_t:sock_file create_file_perms; | |
143 | allow system_mail_t etc_aliases_t:fifo_file create_file_perms; | |
103fe280 | 144 | files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) |
04926d07 | 145 | |
15722ec9 | 146 | domain_use_interactive_fds(system_mail_t) |
d3f715d2 | 147 | |
1504ff3e | 148 | # postfix needs this for newaliases |
9e04f5c5 | 149 | files_getattr_tmp_dirs(system_mail_t) |
725926c5 | 150 | |
1504ff3e | 151 | postfix_exec_master(system_mail_t) |
152 | postfix_read_config(system_mail_t) |
153 | postfix_search_spool(system_mail_t) | |
7bba9d31 | 154 | |
155 | ifdef(`distro_redhat',` |
156 | # compatibility for old default main.cf | |
103fe280 | 157 | postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) |
158 | ') |
159 | ||
bb7170f6 | 160 | optional_policy(` |
e1ee92b2 | 161 | cron_rw_tcp_sockets(system_mail_t) |
1504ff3e | 162 | ') |
163 | ') |
164 | ||
165 | optional_policy(` |
166 | qmail_domtrans_inject(system_mail_t) | |
167 | ') | |
168 | ||
bb7170f6 | 169 | optional_policy(` |
1815bad1 | 170 | userdom_dontaudit_use_unpriv_users_ptys(system_mail_t) |
df00b2e2 | 171 | |
bb7170f6 | 172 | optional_policy(` |
1504ff3e | 173 | cron_dontaudit_append_system_job_tmp_files(system_mail_t) |
df00b2e2 | 174 | ') |
7bba9d31 | 175 | ') |
075c4fda | 176 | |
bb7170f6 | 177 | optional_policy(` |
1815bad1 | 178 | smartmon_read_tmp_files(system_mail_t) |
179 | ') |
180 | ||
1504ff3e | 181 | # should break this up among sections: |
725926c5 | 182 | |
bb7170f6 | 183 | optional_policy(` |
4483ee84 | 184 | # why is mail delivered to a directory of type arpwatch_data_t? |
725926c5 | 185 | arpwatch_search_data(mailserver_delivery) |
186 | arpwatch_manage_tmp_files(mta_user_agent) |
187 | ifdef(`hide_broken_symptoms', ` | |
1815bad1 | 188 | arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) |
4483ee84 | 189 | ') |
bb7170f6 | 190 | optional_policy(` |
191 | cron_read_system_job_tmp_files(mta_user_agent) |
192 | ') | |
4483ee84 | 193 | ') |
194 | |
195 | ifdef(`TODO',` | |
196 | # for the start script to run make -C /etc/mail | |
197 | allow initrc_t etc_mail_t:dir rw_dir_perms; | |
198 | allow initrc_t etc_mail_t:file create_file_perms; | |
199 | ') |