1 policy_module(spamassassin, 2.4.0)
3 ########################################
10 ## Allow user spamassassin clients to use the network.
13 gen_tunable(spamassassin_can_network, false)
17 ## Allow spamd to read/write user home directories.
20 gen_tunable(spamd_enable_home_dirs, true)
22 ifdef(`distro_redhat',`
23 # spamassassin client executable
26 application_domain(spamc_t, spamc_exec_t)
27 role system_r types spamc_t;
30 files_config_file(spamd_etc_t)
32 typealias spamc_exec_t alias spamassassin_exec_t;
33 typealias spamc_t alias spamassassin_t;
36 userdom_user_home_content(spamc_home_t)
37 typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
38 typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
39 typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
40 typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
43 files_tmp_file(spamc_tmp_t)
44 typealias spamc_tmp_t alias spamassassin_tmp_t;
45 typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
46 typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
48 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
49 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
52 type spamassassin_exec_t;
53 typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
54 typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
55 application_domain(spamassassin_t, spamassassin_exec_t)
56 ubac_constrained(spamassassin_t)
58 type spamassassin_home_t;
59 typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
60 typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
61 userdom_user_home_content(spamassassin_home_t)
63 type spamassassin_tmp_t;
64 typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
65 typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
66 files_tmp_file(spamassassin_tmp_t)
67 ubac_constrained(spamassassin_tmp_t)
71 typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
72 typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
73 application_domain(spamc_t, spamc_exec_t)
74 ubac_constrained(spamc_t)
77 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
78 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
79 files_tmp_file(spamc_tmp_t)
80 ubac_constrained(spamc_tmp_t)
84 type spamd_update_exec_t;
85 application_domain(spamd_update_t, spamd_update_exec_t)
86 cron_system_entry(spamd_update_t, spamd_update_exec_t)
87 role system_r types spamd_update_t;
91 init_daemon_domain(spamd_t, spamd_exec_t)
93 type spamd_compiled_t;
94 files_type(spamd_compiled_t)
96 type spamd_initrc_exec_t;
97 init_script_file(spamd_initrc_exec_t)
100 logging_log_file(spamd_log_t)
103 files_spool_file(spamd_spool_t)
106 files_tmp_file(spamd_tmp_t)
109 type spamd_var_lib_t;
110 files_type(spamd_var_lib_t)
112 type spamd_var_run_t;
113 files_pid_file(spamd_var_run_t)
115 ##############################
117 # Standalone program local policy
120 allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
121 allow spamassassin_t self:fd use;
122 allow spamassassin_t self:fifo_file rw_fifo_file_perms;
123 allow spamassassin_t self:sock_file read_sock_file_perms;
124 allow spamassassin_t self:unix_dgram_socket create_socket_perms;
125 allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
126 allow spamassassin_t self:unix_dgram_socket sendto;
127 allow spamassassin_t self:unix_stream_socket connectto;
128 allow spamassassin_t self:shm create_shm_perms;
129 allow spamassassin_t self:sem create_sem_perms;
130 allow spamassassin_t self:msgq create_msgq_perms;
131 allow spamassassin_t self:msg { send receive };
133 manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
134 manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
135 manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
136 manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
137 manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
138 userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
140 manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
141 manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
142 files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
144 manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
145 manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
146 manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
147 manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
148 manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
149 userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
150 userdom_home_manager(spamassassin_t)
152 kernel_read_kernel_sysctls(spamassassin_t)
154 dev_read_urand(spamassassin_t)
156 fs_search_auto_mountpoints(spamassassin_t)
157 fs_getattr_all_fs(spamassassin_t)
159 # this should probably be removed
160 corecmd_list_bin(spamassassin_t)
161 corecmd_read_bin_symlinks(spamassassin_t)
162 corecmd_read_bin_files(spamassassin_t)
163 corecmd_read_bin_pipes(spamassassin_t)
164 corecmd_read_bin_sockets(spamassassin_t)
166 domain_use_interactive_fds(spamassassin_t)
168 files_read_etc_files(spamassassin_t)
169 files_read_etc_runtime_files(spamassassin_t)
170 files_list_home(spamassassin_t)
171 files_read_usr_files(spamassassin_t)
172 files_dontaudit_search_var(spamassassin_t)
174 logging_send_syslog_msg(spamassassin_t)
176 miscfiles_read_localization(spamassassin_t)
178 # cjp: this could probably be removed
179 seutil_read_config(spamassassin_t)
181 sysnet_dns_name_resolve(spamassassin_t)
183 # set tunable if you have spamassassin do DNS lookups
184 tunable_policy(`spamassassin_can_network',`
185 allow spamassassin_t self:tcp_socket create_stream_socket_perms;
186 allow spamassassin_t self:udp_socket create_socket_perms;
188 corenet_all_recvfrom_unlabeled(spamassassin_t)
189 corenet_all_recvfrom_netlabel(spamassassin_t)
190 corenet_tcp_sendrecv_generic_if(spamassassin_t)
191 corenet_udp_sendrecv_generic_if(spamassassin_t)
192 corenet_tcp_sendrecv_generic_node(spamassassin_t)
193 corenet_udp_sendrecv_generic_node(spamassassin_t)
194 corenet_tcp_sendrecv_all_ports(spamassassin_t)
195 corenet_udp_sendrecv_all_ports(spamassassin_t)
196 corenet_tcp_connect_all_ports(spamassassin_t)
197 corenet_sendrecv_all_client_packets(spamassassin_t)
198 corenet_udp_bind_generic_node(spamassassin_t)
199 corenet_udp_bind_generic_port(spamassassin_t)
200 corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
202 sysnet_read_config(spamassassin_t)
205 tunable_policy(`spamd_enable_home_dirs',`
206 userdom_manage_user_home_content_dirs(spamd_t)
207 userdom_manage_user_home_content_files(spamd_t)
208 userdom_manage_user_home_content_symlinks(spamd_t)
212 # Write pid file and socket in ~/.evolution/cache/tmp
213 evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
217 tunable_policy(`spamassassin_can_network && allow_ypbind',`
218 nis_use_ypbind_uncond(spamassassin_t)
223 mta_read_config(spamassassin_t)
224 sendmail_stub(spamassassin_t)
225 sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
226 sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
229 ########################################
231 # Client local policy
234 allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
235 allow spamc_t self:fd use;
236 allow spamc_t self:fifo_file rw_fifo_file_perms;
237 allow spamc_t self:sock_file read_sock_file_perms;
238 allow spamc_t self:shm create_shm_perms;
239 allow spamc_t self:sem create_sem_perms;
240 allow spamc_t self:msgq create_msgq_perms;
241 allow spamc_t self:msg { send receive };
242 allow spamc_t self:unix_dgram_socket create_socket_perms;
243 allow spamc_t self:unix_stream_socket create_stream_socket_perms;
244 allow spamc_t self:unix_dgram_socket sendto;
245 allow spamc_t self:unix_stream_socket connectto;
246 allow spamc_t self:tcp_socket create_stream_socket_perms;
247 allow spamc_t self:udp_socket create_socket_perms;
249 can_exec(spamc_t, spamc_exec_t)
251 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
252 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
253 files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
255 manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
256 manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
257 manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
258 manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
259 manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
260 userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
261 userdom_append_user_home_content_files(spamc_t)
263 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
264 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
266 # Allow connecting to a local spamd
267 allow spamc_t spamd_t:unix_stream_socket connectto;
268 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
269 spamd_stream_connect(spamc_t)
271 kernel_read_kernel_sysctls(spamc_t)
272 kernel_read_system_state(spamc_t)
274 corecmd_exec_bin(spamc_t)
276 corenet_all_recvfrom_unlabeled(spamc_t)
277 corenet_all_recvfrom_netlabel(spamc_t)
278 corenet_tcp_sendrecv_generic_if(spamc_t)
279 corenet_udp_sendrecv_generic_if(spamc_t)
280 corenet_tcp_sendrecv_generic_node(spamc_t)
281 corenet_udp_sendrecv_generic_node(spamc_t)
282 corenet_tcp_sendrecv_all_ports(spamc_t)
283 corenet_udp_sendrecv_all_ports(spamc_t)
284 corenet_tcp_connect_all_ports(spamc_t)
285 corenet_sendrecv_all_client_packets(spamc_t)
286 corenet_tcp_connect_spamd_port(spamc_t)
288 fs_search_auto_mountpoints(spamc_t)
290 # cjp: these should probably be removed:
291 corecmd_list_bin(spamc_t)
292 corecmd_read_bin_symlinks(spamc_t)
293 corecmd_read_bin_files(spamc_t)
294 corecmd_read_bin_pipes(spamc_t)
295 corecmd_read_bin_sockets(spamc_t)
297 domain_use_interactive_fds(spamc_t)
299 files_read_etc_files(spamc_t)
300 files_read_etc_runtime_files(spamc_t)
301 files_read_usr_files(spamc_t)
302 files_dontaudit_search_var(spamc_t)
303 # cjp: this may be removable:
304 files_list_home(spamc_t)
305 files_list_var_lib(spamc_t)
307 fs_search_auto_mountpoints(spamc_t)
309 logging_send_syslog_msg(spamc_t)
311 auth_use_nsswitch(spamc_t)
313 miscfiles_read_localization(spamc_t)
315 # cjp: this should probably be removed:
316 seutil_read_config(spamc_t)
318 sysnet_read_config(spamc_t)
320 userdom_home_manager(spamc_t)
323 abrt_stream_connect(spamc_t)
327 # Allow connection to spamd socket above
328 evolution_stream_connect(spamc_t)
332 milter_manage_spamass_state(spamc_t)
336 postfix_domtrans_postdrop(spamc_t)
337 postfix_search_spool(spamc_t)
338 postfix_rw_local_pipes(spamc_t)
339 postfix_rw_master_pipes(spamc_t)
343 mta_send_mail(spamc_t)
344 mta_read_config(spamc_t)
345 mta_read_queue(spamc_t)
346 sendmail_stub(spamc_t)
347 sendmail_rw_pipes(spamc_t)
348 sendmail_dontaudit_rw_tcp_sockets(spamc_t)
351 ########################################
353 # Server local policy
356 # Spamassassin, when run as root and using per-user config files,
357 # setuids to the user running spamc. Comment this if you are not
358 # using this ability.
360 allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
361 dontaudit spamd_t self:capability sys_tty_config;
362 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
363 allow spamd_t self:fd use;
364 allow spamd_t self:fifo_file rw_fifo_file_perms;
365 allow spamd_t self:sock_file read_sock_file_perms;
366 allow spamd_t self:shm create_shm_perms;
367 allow spamd_t self:sem create_sem_perms;
368 allow spamd_t self:msgq create_msgq_perms;
369 allow spamd_t self:msg { send receive };
370 allow spamd_t self:unix_dgram_socket create_socket_perms;
371 allow spamd_t self:unix_stream_socket create_stream_socket_perms;
372 allow spamd_t self:unix_dgram_socket sendto;
373 allow spamd_t self:unix_stream_socket connectto;
374 allow spamd_t self:tcp_socket create_stream_socket_perms;
375 allow spamd_t self:udp_socket create_socket_perms;
377 can_exec(spamd_t, spamd_compiled_t)
378 manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
379 manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
381 manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
382 logging_log_filetrans(spamd_t, spamd_log_t, file)
384 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
385 manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
386 manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
387 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
389 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
390 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
391 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
393 # var/lib files for spamd
394 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
395 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
396 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
398 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
399 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
400 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
401 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
403 can_exec(spamd_t, spamd_exec_t)
405 kernel_read_all_sysctls(spamd_t)
406 kernel_read_system_state(spamd_t)
408 corenet_all_recvfrom_unlabeled(spamd_t)
409 corenet_all_recvfrom_netlabel(spamd_t)
410 corenet_tcp_sendrecv_generic_if(spamd_t)
411 corenet_udp_sendrecv_generic_if(spamd_t)
412 corenet_tcp_sendrecv_generic_node(spamd_t)
413 corenet_udp_sendrecv_generic_node(spamd_t)
414 corenet_tcp_sendrecv_all_ports(spamd_t)
415 corenet_udp_sendrecv_all_ports(spamd_t)
416 corenet_tcp_bind_generic_node(spamd_t)
417 corenet_tcp_bind_spamd_port(spamd_t)
418 corenet_tcp_connect_razor_port(spamd_t)
419 corenet_tcp_connect_smtp_port(spamd_t)
420 corenet_sendrecv_razor_client_packets(spamd_t)
421 corenet_sendrecv_spamd_server_packets(spamd_t)
422 # spamassassin 3.1 needs this for its
423 # DnsResolver.pm module which binds to
424 # random ports >= 1024.
425 corenet_udp_bind_generic_node(spamd_t)
426 corenet_udp_bind_generic_port(spamd_t)
427 corenet_udp_bind_imaze_port(spamd_t)
428 corenet_dontaudit_udp_bind_all_ports(spamd_t)
429 corenet_sendrecv_imaze_server_packets(spamd_t)
430 corenet_sendrecv_generic_server_packets(spamd_t)
432 dev_read_sysfs(spamd_t)
433 dev_read_urand(spamd_t)
435 fs_getattr_all_fs(spamd_t)
436 fs_search_auto_mountpoints(spamd_t)
438 auth_dontaudit_read_shadow(spamd_t)
440 corecmd_exec_bin(spamd_t)
442 domain_use_interactive_fds(spamd_t)
444 files_read_usr_files(spamd_t)
445 files_read_etc_files(spamd_t)
446 files_read_etc_runtime_files(spamd_t)
448 files_read_var_lib_files(spamd_t)
450 init_dontaudit_rw_utmp(spamd_t)
452 auth_use_nsswitch(spamd_t)
454 logging_send_syslog_msg(spamd_t)
456 miscfiles_read_localization(spamd_t)
458 userdom_use_unpriv_users_fds(spamd_t)
459 userdom_search_user_home_dirs(spamd_t)
460 userdom_home_manager(spamd_t)
463 clamav_stream_connect(spamd_t)
467 exim_manage_spool_dirs(spamd_t)
468 exim_manage_spool_files(spamd_t)
472 amavis_manage_lib_files(spamd_t)
476 cron_system_entry(spamd_t, spamd_exec_t)
480 daemontools_service_domain(spamd_t, spamd_exec_t)
484 dcc_domtrans_cdcc(spamd_t)
485 dcc_domtrans_client(spamd_t)
486 dcc_signal_client(spamd_t)
487 dcc_stream_connect_dccifd(spamd_t)
491 milter_manage_spamass_state(spamd_t)
495 mysql_tcp_connect(spamd_t)
496 mysql_search_db(spamd_t)
497 mysql_stream_connect(spamd_t)
501 postfix_read_config(spamd_t)
505 postgresql_tcp_connect(spamd_t)
506 postgresql_stream_connect(spamd_t)
510 pyzor_domtrans(spamd_t)
511 pyzor_signal(spamd_t)
515 razor_domtrans(spamd_t)
516 razor_read_lib_files(spamd_t)
517 tunable_policy(`spamd_enable_home_dirs',`
518 razor_manage_user_home_files(spamd_t)
523 seutil_sigchld_newrole(spamd_t)
527 mta_send_mail(spamd_t)
528 sendmail_stub(spamd_t)
529 mta_read_config(spamd_t)
533 udev_read_db(spamd_t)
536 ########################################
538 # spamd_update local policy
541 allow spamd_update_t self:fifo_file manage_fifo_file_perms;
542 allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
543 dontaudit spamd_update_t self:capability dac_override;
545 manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
546 manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
547 files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
549 allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
550 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
551 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
553 allow spamd_update_t spamd_tmp_t:file read_file_perms;
555 kernel_read_system_state(spamd_update_t)
558 corenet_tcp_connect_http_port(spamd_update_t)
560 corecmd_exec_bin(spamd_update_t)
561 corecmd_exec_shell(spamd_update_t)
563 dev_read_urand(spamd_update_t)
565 domain_use_interactive_fds(spamd_update_t)
567 files_read_etc_files(spamd_update_t)
568 files_read_usr_files(spamd_update_t)
570 auth_use_nsswitch(spamd_update_t)
571 auth_dontaudit_read_shadow(spamd_update_t)
573 miscfiles_read_localization(spamd_update_t)
575 mta_read_config(spamd_update_t)
577 userdom_use_inherited_user_ptys(spamd_update_t)
580 gpg_domtrans(spamd_update_t)