policy_module(spamassassin, 2.4.0)

########################################
#
# Declarations
#

# Default off.  When enabled, the standalone spamassassin_t domain gets
# generic tcp/udp sockets plus corenet sendrecv/connect to all ports (see
# the tunable_policy block in the standalone section).  Plain name
# resolution via sysnet_dns_name_resolve() is granted unconditionally.
## <desc>
## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
gen_tunable(spamassassin_can_network, false)

# Default on.  When enabled, spamd_t gets the userdom_manage_user_home_content_*
# interfaces, i.e. write access to generic user home content rather than
# only to spamassassin_home_t, and (if the razor module is present) razor
# user home files.  Sites without per-user configuration may want this off.
## <desc>
## <p>
## Allow spamd to read/write user home directories.
## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs, true)

# Red Hat builds have a single client domain (spamc_t); the spamassassin_*
# names used in the sections below are only aliases of the spamc_* types
# declared here, so the standalone program rules apply to spamc_t as well.
ifdef(`distro_redhat',`
# spamassassin client executable
type spamc_t;
type spamc_exec_t;
application_domain(spamc_t, spamc_exec_t)
role system_r types spamc_t;

# NOTE(review): spamd_etc_t is declared only on this branch and is not
# referenced anywhere else in this file; confirm the .fc/.if files use it.
type spamd_etc_t;
files_config_file(spamd_etc_t)

typealias spamc_exec_t alias spamassassin_exec_t;
typealias spamc_t alias spamassassin_t;

# Home content type; the per-role aliases keep older labels valid.
type spamc_home_t;
userdom_user_home_content(spamc_home_t)
typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };

# Single tmp type shared by client and standalone use on this branch.
type spamc_tmp_t;
files_tmp_file(spamc_tmp_t)
typealias spamc_tmp_t alias spamassassin_tmp_t;
typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };

typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
',`
# Non-Red Hat builds: spamassassin_t (standalone) and spamc_t (client) are
# distinct ubac-constrained domains with separate tmp types.
# NOTE(review): no spamc_home_t is declared on this branch, yet the client
# section below references spamc_home_t unconditionally; verify that this
# branch still builds, or add an alias for spamc_home_t here.
type spamassassin_t;
type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
application_domain(spamassassin_t, spamassassin_exec_t)
ubac_constrained(spamassassin_t)

type spamassassin_home_t;
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t)

type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
files_tmp_file(spamassassin_tmp_t)
ubac_constrained(spamassassin_tmp_t)

type spamc_t;
type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
application_domain(spamc_t, spamc_exec_t)
ubac_constrained(spamc_t)

type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
files_tmp_file(spamc_tmp_t)
ubac_constrained(spamc_tmp_t)
')

# Rule-update helper, run as a system cron job (it connects to the http
# port to fetch rules, see the spamd_update section).  This
# cron_system_entry() call is unconditional, unlike the optional one for
# spamd_t in the server section, so the module hard-depends on cron.
type spamd_update_t;
type spamd_update_exec_t;
application_domain(spamd_update_t, spamd_update_exec_t)
cron_system_entry(spamd_update_t, spamd_update_exec_t)
role system_r types spamd_update_t;

# The spamd daemon, started by init.
type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t, spamd_exec_t)

# Compiled rule sets.  spamd_t both manages and executes files of this
# type (can_exec in the server section), so write access to this type is
# equivalent to running code as spamd_t.
type spamd_compiled_t;
files_type(spamd_compiled_t)

type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)

type spamd_log_t;
logging_log_file(spamd_log_t)

type spamd_spool_t;
files_spool_file(spamd_spool_t)

# Shared by spamd_t and spamd_update_t (both manage it below).
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)

# var/lib files
# Rule database: written by spamd_t and spamd_update_t, read by spamc_t.
type spamd_var_lib_t;
files_type(spamd_var_lib_t)

type spamd_var_run_t;
files_pid_file(spamd_var_run_t)

##############################
#
# Standalone program local policy
#
# Rules for spamassassin_t, the standalone (non-daemon) scanner.  On Red
# Hat builds spamassassin_t is an alias of spamc_t, so everything here
# also applies to the client domain there.

# Negated set: every process permission except those listed, including
# any permission added to the process class by later kernels.
allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamassassin_t self:fd use;
allow spamassassin_t self:fifo_file rw_fifo_file_perms;
allow spamassassin_t self:sock_file read_sock_file_perms;
allow spamassassin_t self:unix_dgram_socket create_socket_perms;
allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
allow spamassassin_t self:unix_dgram_socket sendto;
allow spamassassin_t self:unix_stream_socket connectto;
allow spamassassin_t self:shm create_shm_perms;
allow spamassassin_t self:sem create_sem_perms;
allow spamassassin_t self:msgq create_msgq_perms;
allow spamassassin_t self:msg { send receive };

# Per-user spamassassin home content: full management plus file
# transitions when creating objects directly in the user home dir.
manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })

# Server-domain rules placed in the standalone section: spamd_t gets the
# same management of spamassassin_home_t regardless of
# spamd_enable_home_dirs, which only widens this to generic home content.
manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(spamassassin_t)

dev_read_urand(spamassassin_t)

fs_search_auto_mountpoints(spamassassin_t)
fs_getattr_all_fs(spamassassin_t)

# this should probably be removed
corecmd_list_bin(spamassassin_t)
corecmd_read_bin_symlinks(spamassassin_t)
corecmd_read_bin_files(spamassassin_t)
corecmd_read_bin_pipes(spamassassin_t)
corecmd_read_bin_sockets(spamassassin_t)

domain_use_interactive_fds(spamassassin_t)

files_read_etc_files(spamassassin_t)
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
files_read_usr_files(spamassassin_t)
files_dontaudit_search_var(spamassassin_t)

logging_send_syslog_msg(spamassassin_t)

miscfiles_read_localization(spamassassin_t)

# cjp: this could probably be removed
seutil_read_config(spamassassin_t)

# Name resolution is granted here unconditionally; the boolean below is
# not needed for plain DNS lookups.
sysnet_dns_name_resolve(spamassassin_t)

# set tunable if you have spamassassin do DNS lookups
# Note: the boolean grants generic tcp/udp sockets and sendrecv/connect to
# all ports, which is considerably wider than DNS alone.
tunable_policy(`spamassassin_can_network',`
allow spamassassin_t self:tcp_socket create_stream_socket_perms;
allow spamassassin_t self:udp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(spamassassin_t)
corenet_all_recvfrom_netlabel(spamassassin_t)
corenet_tcp_sendrecv_generic_if(spamassassin_t)
corenet_udp_sendrecv_generic_if(spamassassin_t)
corenet_tcp_sendrecv_generic_node(spamassassin_t)
corenet_udp_sendrecv_generic_node(spamassassin_t)
corenet_tcp_sendrecv_all_ports(spamassassin_t)
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
corenet_udp_bind_generic_node(spamassassin_t)
corenet_udp_bind_generic_port(spamassassin_t)
corenet_dontaudit_udp_bind_all_ports(spamassassin_t)

sysnet_read_config(spamassassin_t)
')

# Default-on boolean: spamd_t may manage generic user home content
# (dirs, files, symlinks), not only spamassassin_home_t.
tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_dirs(spamd_t)
userdom_manage_user_home_content_files(spamd_t)
userdom_manage_user_home_content_symlinks(spamd_t)
')

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(spamassassin_t)
fs_manage_nfs_files(spamassassin_t)
fs_manage_nfs_symlinks(spamassassin_t)
')

tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(spamassassin_t)
fs_manage_cifs_files(spamassassin_t)
fs_manage_cifs_symlinks(spamassassin_t)
')

# Server-domain rule kept in this section; pairs with the
# evolution_stream_connect() call in the client section.
optional_policy(`
# Write pid file and socket in ~/.evolution/cache/tmp
evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
')

# NIS lookups only when both the network boolean and allow_ypbind are on.
optional_policy(`
tunable_policy(`spamassassin_can_network && allow_ypbind',`
nis_use_ypbind_uncond(spamassassin_t)
')
')

# Read MTA config only; sendmail socket use is silenced, not allowed.
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
')

########################################
#
# Client local policy
#
# Rules for spamc_t, the client that hands a message to spamd over a
# unix stream socket or tcp.

# Negated set: every process permission except those listed.
allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamc_t self:fd use;
allow spamc_t self:fifo_file rw_fifo_file_perms;
allow spamc_t self:sock_file read_sock_file_perms;
allow spamc_t self:shm create_shm_perms;
allow spamc_t self:sem create_sem_perms;
allow spamc_t self:msgq create_msgq_perms;
allow spamc_t self:msg { send receive };
allow spamc_t self:unix_dgram_socket create_socket_perms;
allow spamc_t self:unix_stream_socket create_stream_socket_perms;
allow spamc_t self:unix_dgram_socket sendto;
allow spamc_t self:unix_stream_socket connectto;
# Unlike spamassassin_t, the client gets tcp/udp sockets unconditionally
# (not gated by spamassassin_can_network).
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;

# Re-execute its own binary without a domain transition.
can_exec(spamc_t, spamc_exec_t)

manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })

# NOTE(review): spamc_home_t is only declared in the distro_redhat branch
# of the declarations; on other builds this type appears to be undefined.
manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
# Append-only access to generic user home files (wider than spamc_home_t).
userdom_append_user_home_content_files(spamc_t)

# Read-only view of the rule database in spamd_var_lib_t.
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)

# Allow connecting to a local spamd
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
# presumably overlaps with the two allow rules above; verify against the
# spamd_stream_connect() interface definition
spamd_stream_connect(spamc_t)

kernel_read_kernel_sysctls(spamc_t)
kernel_read_system_state(spamc_t)

corecmd_exec_bin(spamc_t)

corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
corenet_udp_sendrecv_generic_if(spamc_t)
corenet_tcp_sendrecv_generic_node(spamc_t)
corenet_udp_sendrecv_generic_node(spamc_t)
corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
# Outbound tcp to every port; the spamd_port rule two lines down is
# already covered by this and only documents the intended target.
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
corenet_tcp_connect_spamd_port(spamc_t)

# Duplicate of the fs_search_auto_mountpoints() call further down.
fs_search_auto_mountpoints(spamc_t)

# cjp: these should probably be removed:
corecmd_list_bin(spamc_t)
corecmd_read_bin_symlinks(spamc_t)
corecmd_read_bin_files(spamc_t)
corecmd_read_bin_pipes(spamc_t)
corecmd_read_bin_sockets(spamc_t)

domain_use_interactive_fds(spamc_t)

files_read_etc_files(spamc_t)
files_read_etc_runtime_files(spamc_t)
files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
files_list_var_lib(spamc_t)

fs_search_auto_mountpoints(spamc_t)

logging_send_syslog_msg(spamc_t)

auth_use_nsswitch(spamc_t)

miscfiles_read_localization(spamc_t)

# cjp: this should probably be removed:
seutil_read_config(spamc_t)

sysnet_read_config(spamc_t)

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(spamc_t)
fs_manage_nfs_files(spamc_t)
fs_manage_nfs_symlinks(spamc_t)
')

tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(spamc_t)
fs_manage_cifs_files(spamc_t)
fs_manage_cifs_symlinks(spamc_t)
')


optional_policy(`
abrt_stream_connect(spamc_t)
')

optional_policy(`
# Allow connection to spamd socket above
evolution_stream_connect(spamc_t)
')

optional_policy(`
milter_manage_spamass_state(spamc_t)
')

# Hand mail to postfix through postdrop (domain transition) and use the
# local/master pipes.
optional_policy(`
postfix_domtrans_postdrop(spamc_t)
postfix_search_spool(spamc_t)
postfix_rw_local_pipes(spamc_t)
postfix_rw_master_pipes(spamc_t)
')

# Generic MTA: send mail, read config and queue; sendmail pipes are
# allowed here, tcp socket use only silenced.
optional_policy(`
mta_send_mail(spamc_t)
mta_read_config(spamc_t)
mta_read_queue(spamc_t)
sendmail_stub(spamc_t)
sendmail_rw_pipes(spamc_t)
sendmail_dontaudit_rw_tcp_sockets(spamc_t)
')

########################################
#
# Server local policy
#
# Rules for the spamd_t daemon.

# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc. Comment this if you are not
# using this ability.

allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
# NOTE(review): sys_tty_config is already allowed on the line above, so this
# dontaudit has no effect; either drop it, or remove sys_tty_config from the
# allow set if the intent was only to silence the denial.
dontaudit spamd_t self:capability sys_tty_config;
# Negated set: every process permission except those listed.
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
allow spamd_t self:sock_file read_sock_file_perms;
allow spamd_t self:shm create_shm_perms;
allow spamd_t self:sem create_sem_perms;
allow spamd_t self:msgq create_msgq_perms;
allow spamd_t self:msg { send receive };
allow spamd_t self:unix_dgram_socket create_socket_perms;
allow spamd_t self:unix_stream_socket create_stream_socket_perms;
allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;

# Compiled rules: spamd_t both writes and executes spamd_compiled_t, so
# whatever can write these files can run code in this domain.
can_exec(spamd_t, spamd_compiled_t)
manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)

manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
logging_log_filetrans(spamd_t, spamd_log_t, file)

manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })

manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })

# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)

manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })

# Re-execute its own binary without a domain transition.
can_exec(spamd_t, spamd_exec_t)

kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)

# Listens on the spamd port; outbound connects are limited to the razor
# and smtp ports, although sendrecv is granted for all ports.
corenet_all_recvfrom_unlabeled(spamd_t)
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
corenet_tcp_sendrecv_generic_node(spamd_t)
corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
corenet_tcp_connect_smtp_port(spamd_t)
corenet_sendrecv_razor_client_packets(spamd_t)
corenet_sendrecv_spamd_server_packets(spamd_t)
# spamassassin 3.1 needs this for its
# DnsResolver.pm module which binds to
# random ports >= 1024.
corenet_udp_bind_generic_node(spamd_t)
corenet_udp_bind_generic_port(spamd_t)
corenet_udp_bind_imaze_port(spamd_t)
corenet_dontaudit_udp_bind_all_ports(spamd_t)
corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_sendrecv_generic_server_packets(spamd_t)

dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)

fs_getattr_all_fs(spamd_t)
fs_search_auto_mountpoints(spamd_t)

# Silenced, not granted: reads of the shadow file.
auth_dontaudit_read_shadow(spamd_t)

corecmd_exec_bin(spamd_t)

domain_use_interactive_fds(spamd_t)

files_read_usr_files(spamd_t)
files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
# /var/lib/spamassin
files_read_var_lib_files(spamd_t)

init_dontaudit_rw_utmp(spamd_t)

auth_use_nsswitch(spamd_t)

logging_send_syslog_msg(spamd_t)

miscfiles_read_localization(spamd_t)

# Inherit fds from unprivileged user domains and search user home dirs;
# write access to home content is governed by spamd_enable_home_dirs.
userdom_use_unpriv_users_fds(spamd_t)
userdom_search_user_home_dirs(spamd_t)

optional_policy(`
exim_manage_spool_dirs(spamd_t)
exim_manage_spool_files(spamd_t)
')

# Unlike the standalone and client sections, no *_symlinks rule here.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(spamd_t)
fs_manage_nfs_files(spamd_t)
')

tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(spamd_t)
fs_manage_cifs_files(spamd_t)
')

optional_policy(`
amavis_manage_lib_files(spamd_t)
')

# Optional here, but the equivalent call for spamd_update_t in the
# declarations is unconditional.
optional_policy(`
cron_system_entry(spamd_t, spamd_exec_t)
')

optional_policy(`
daemontools_service_domain(spamd_t, spamd_exec_t)
')

optional_policy(`
dcc_domtrans_cdcc(spamd_t)
dcc_domtrans_client(spamd_t)
dcc_signal_client(spamd_t)
dcc_stream_connect_dccifd(spamd_t)
')

optional_policy(`
milter_manage_spamass_state(spamd_t)
')

optional_policy(`
mysql_tcp_connect(spamd_t)
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
')

optional_policy(`
postfix_read_config(spamd_t)
')

optional_policy(`
postgresql_tcp_connect(spamd_t)
postgresql_stream_connect(spamd_t)
')

optional_policy(`
pyzor_domtrans(spamd_t)
pyzor_signal(spamd_t)
')

# Razor user home files are only writable under spamd_enable_home_dirs.
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
tunable_policy(`spamd_enable_home_dirs',`
razor_manage_user_home_files(spamd_t)
')
')

optional_policy(`
seutil_sigchld_newrole(spamd_t)
')

optional_policy(`
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')

optional_policy(`
udev_read_db(spamd_t)
')

########################################
#
# spamd_update local policy
#
# Rules for spamd_update_t, the cron-driven rule updater.

allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
# Silenced, not granted: the updater runs without dac_override.
dontaudit spamd_update_t self:capability dac_override;

# Scratch space shares the spamd_tmp_t type with the daemon.
manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })

# Writes the rule database that spamd_t executes from and spamc_t reads.
allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)

# Already covered by the manage_files_pattern() on spamd_tmp_t above.
allow spamd_update_t spamd_tmp_t:file read_file_perms;

kernel_read_system_state(spamd_update_t)

# for updating rules
# Only the http port is granted, so integrity of what lands in
# spamd_var_lib_t rests on the gpg step in the optional_policy block at
# the end, not on the transport.
corenet_tcp_connect_http_port(spamd_update_t)

# Helper programs and shell scripts run inside spamd_update_t itself.
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)

dev_read_urand(spamd_update_t)

domain_use_interactive_fds(spamd_update_t)

files_read_etc_files(spamd_update_t)
files_read_usr_files(spamd_update_t)

auth_use_nsswitch(spamd_update_t)
# Silenced, not granted: reads of the shadow file.
auth_dontaudit_read_shadow(spamd_update_t)

miscfiles_read_localization(spamd_update_t)

# Unconditional, unlike the mta_read_config() calls in the other sections,
# which sit inside optional_policy(); this is a hard dependency on the mta
# module.
mta_read_config(spamd_update_t)

userdom_use_inherited_user_ptys(spamd_update_t)

# Transition to the gpg domain, presumably for verifying downloaded
# rules; if the gpg module is absent, corecmd_exec_bin() above would
# leave gpg running inside spamd_update_t instead -- TODO confirm.
optional_policy(`
gpg_domtrans(spamd_update_t)
')

608