
policy_module(amavis, 1.8.0)

########################################
#
# Declarations
#

# Daemon domain and its entrypoint executable. init_daemon_domain() is what
# moves init into amavis_t when it executes an amavis_exec_t file.
type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)

# configuration files
type amavis_etc_t;
files_config_file(amavis_etc_t)

# init script
type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)

# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)

# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)

# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)

# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)

# virus quarantine
# Kept as its own type so quarantined mail is not reachable through the
# spool or var/lib types granted to other domains.
type amavis_quarantine_t;
files_type(amavis_quarantine_t)

# spool files
type amavis_spool_t;
files_type(amavis_spool_t)

########################################
#
# amavis local policy
#

# Self permissions. dac_override/setuid/setgid are presumably needed for
# privilege dropping at startup - confirm against the daemon before
# widening or narrowing this set. dontaudit only silences the denial log;
# it grants nothing.
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;

# configuration files (read-only: no write or create on amavis_etc_t)
allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)

# Allows the daemon to re-execute its own binary without a domain
# transition (it stays in amavis_t).
can_exec(amavis_t, amavis_exec_t)

# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)

# Spool Files
manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
# Sockets the daemon creates inside an amavis_spool_t directory are
# labeled amavis_var_run_t rather than inheriting the spool type.
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)

# tmp files
# Only files are managed in amavis_tmp_t; the directory itself may only
# have its attributes set, and only plain files get the type on creation.
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr;
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)

# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)

# log files
# The daemon may create files, sockets and directories in the log
# location and they are labeled amavis_var_log_t on creation.
allow amavis_t amavis_var_log_t:dir setattr;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

# pid file
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
# These are dontaudit rules: the accesses stay denied, only the noise in
# the audit log is suppressed.
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)

# find perl
corecmd_exec_bin(amavis_t)

# Network access. bind and connect are limited to the named amavisd and
# razor ports below; the sendrecv rules are what is opened up to all ports.
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
corenet_udp_bind_all_nodes(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
# (i.e. the peer end of a connection is not restricted to the amavisd
# ports, so send/recv is granted on every port type)
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)

dev_read_rand(amavis_t)
dev_read_urand(amavis_t)

domain_use_interactive_fds(amavis_t)

files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)

# Shadow access is denied but not logged (see the /etc/shadow note above).
auth_dontaudit_read_shadow(amavis_t)

init_stream_connect_script(amavis_t)

libs_use_ld_so(amavis_t)
libs_use_shared_libs(amavis_t)

logging_send_syslog_msg(amavis_t)

miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)

# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)

mta_read_config(amavis_t)

sysadm_dontaudit_search_home_dirs(amavis_t)

# Scanner and filter integrations. Each optional_policy block is only
# compiled in when the corresponding module is present in the policy.
optional_policy(`
	clamav_stream_connect(amavis_t)
	clamav_domtrans_clamscan(amavis_t)
')

optional_policy(`
	dcc_domtrans_client(amavis_t)
	dcc_stream_connect_dccifd(amavis_t)
')

optional_policy(`
	postfix_read_config(amavis_t)
')

optional_policy(`
	pyzor_domtrans(amavis_t)
	pyzor_signal(amavis_t)
')

optional_policy(`
	razor_domtrans(amavis_t)
')

optional_policy(`
	spamassassin_exec(amavis_t)
	spamassassin_exec_client(amavis_t)
	spamassassin_read_lib_files(amavis_t)
')