1 policy_module(spamassassin, 2.4.0)
3 ########################################
10 ## Allow user spamassassin clients to use the network.
13 gen_tunable(spamassassin_can_network, false)
17 ## Allow spamd to read/write user home directories.
20 gen_tunable(spamd_enable_home_dirs, true)
22 ifdef(`distro_redhat',`
23 # spamassassin client executable
26 application_domain(spamc_t, spamc_exec_t)
27 role system_r types spamc_t;
30 files_config_file(spamd_etc_t)
32 typealias spamc_exec_t alias spamassassin_exec_t;
33 typealias spamc_t alias spamassassin_t;
36 userdom_user_home_content(spamc_home_t)
37 typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
38 typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
39 typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
40 typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
43 files_tmp_file(spamc_tmp_t)
44 typealias spamc_tmp_t alias spamassassin_tmp_t;
45 typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
46 typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
48 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
49 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
52 type spamassassin_exec_t;
53 typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
54 typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
55 application_domain(spamassassin_t, spamassassin_exec_t)
56 ubac_constrained(spamassassin_t)
58 type spamassassin_home_t;
59 typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
60 typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
61 userdom_user_home_content(spamassassin_home_t)
63 type spamassassin_tmp_t;
64 typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
65 typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
66 files_tmp_file(spamassassin_tmp_t)
67 ubac_constrained(spamassassin_tmp_t)
71 typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
72 typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
73 application_domain(spamc_t, spamc_exec_t)
74 ubac_constrained(spamc_t)
77 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
78 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
79 files_tmp_file(spamc_tmp_t)
80 ubac_constrained(spamc_tmp_t)
84 type spamd_update_exec_t;
85 application_domain(spamd_update_t, spamd_update_exec_t)
86 cron_system_entry(spamd_update_t, spamd_update_exec_t)
87 role system_r types spamd_update_t;
91 init_daemon_domain(spamd_t, spamd_exec_t)
93 type spamd_compiled_t;
94 files_type(spamd_compiled_t)
96 type spamd_initrc_exec_t;
97 init_script_file(spamd_initrc_exec_t)
100 logging_log_file(spamd_log_t)
103 files_spool_file(spamd_spool_t)
106 files_tmp_file(spamd_tmp_t)
109 type spamd_var_lib_t;
110 files_type(spamd_var_lib_t)
112 type spamd_var_run_t;
113 files_pid_file(spamd_var_run_t)
115 ##############################
117 # Standalone program local policy
120 allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
121 allow spamassassin_t self:fd use;
122 allow spamassassin_t self:fifo_file rw_fifo_file_perms;
123 allow spamassassin_t self:sock_file read_sock_file_perms;
124 allow spamassassin_t self:unix_dgram_socket create_socket_perms;
125 allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
126 allow spamassassin_t self:unix_dgram_socket sendto;
127 allow spamassassin_t self:unix_stream_socket connectto;
128 allow spamassassin_t self:shm create_shm_perms;
129 allow spamassassin_t self:sem create_sem_perms;
130 allow spamassassin_t self:msgq create_msgq_perms;
131 allow spamassassin_t self:msg { send receive };
133 manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
134 manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
135 manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
136 manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
137 manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
138 userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
140 manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
141 manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
142 files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
144 manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
145 manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
146 manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
147 manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
148 manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
149 userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
151 kernel_read_kernel_sysctls(spamassassin_t)
153 dev_read_urand(spamassassin_t)
155 fs_search_auto_mountpoints(spamassassin_t)
156 fs_getattr_all_fs(spamassassin_t)
158 # this should probably be removed
159 corecmd_list_bin(spamassassin_t)
160 corecmd_read_bin_symlinks(spamassassin_t)
161 corecmd_read_bin_files(spamassassin_t)
162 corecmd_read_bin_pipes(spamassassin_t)
163 corecmd_read_bin_sockets(spamassassin_t)
165 domain_use_interactive_fds(spamassassin_t)
167 files_read_etc_files(spamassassin_t)
168 files_read_etc_runtime_files(spamassassin_t)
169 files_list_home(spamassassin_t)
170 files_read_usr_files(spamassassin_t)
171 files_dontaudit_search_var(spamassassin_t)
173 logging_send_syslog_msg(spamassassin_t)
175 miscfiles_read_localization(spamassassin_t)
177 # cjp: this could probably be removed
178 seutil_read_config(spamassassin_t)
180 sysnet_dns_name_resolve(spamassassin_t)
182 # set tunable if you have spamassassin do DNS lookups
183 tunable_policy(`spamassassin_can_network',`
184 allow spamassassin_t self:tcp_socket create_stream_socket_perms;
185 allow spamassassin_t self:udp_socket create_socket_perms;
187 corenet_all_recvfrom_unlabeled(spamassassin_t)
188 corenet_all_recvfrom_netlabel(spamassassin_t)
189 corenet_tcp_sendrecv_generic_if(spamassassin_t)
190 corenet_udp_sendrecv_generic_if(spamassassin_t)
191 corenet_tcp_sendrecv_generic_node(spamassassin_t)
192 corenet_udp_sendrecv_generic_node(spamassassin_t)
193 corenet_tcp_sendrecv_all_ports(spamassassin_t)
194 corenet_udp_sendrecv_all_ports(spamassassin_t)
195 corenet_tcp_connect_all_ports(spamassassin_t)
196 corenet_sendrecv_all_client_packets(spamassassin_t)
197 corenet_udp_bind_generic_node(spamassassin_t)
198 corenet_udp_bind_generic_port(spamassassin_t)
199 corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
201 sysnet_read_config(spamassassin_t)
204 tunable_policy(`spamd_enable_home_dirs',`
205 userdom_manage_user_home_content_dirs(spamd_t)
206 userdom_manage_user_home_content_files(spamd_t)
207 userdom_manage_user_home_content_symlinks(spamd_t)
210 tunable_policy(`use_nfs_home_dirs',`
211 fs_manage_nfs_dirs(spamassassin_t)
212 fs_manage_nfs_files(spamassassin_t)
213 fs_manage_nfs_symlinks(spamassassin_t)
216 tunable_policy(`use_samba_home_dirs',`
217 fs_manage_cifs_dirs(spamassassin_t)
218 fs_manage_cifs_files(spamassassin_t)
219 fs_manage_cifs_symlinks(spamassassin_t)
223 # Write pid file and socket in ~/.evolution/cache/tmp
224 evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
228 tunable_policy(`spamassassin_can_network && allow_ypbind',`
229 nis_use_ypbind_uncond(spamassassin_t)
234 mta_read_config(spamassassin_t)
235 sendmail_stub(spamassassin_t)
236 sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
237 sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
240 ########################################
242 # Client local policy
245 allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
246 allow spamc_t self:fd use;
247 allow spamc_t self:fifo_file rw_fifo_file_perms;
248 allow spamc_t self:sock_file read_sock_file_perms;
249 allow spamc_t self:shm create_shm_perms;
250 allow spamc_t self:sem create_sem_perms;
251 allow spamc_t self:msgq create_msgq_perms;
252 allow spamc_t self:msg { send receive };
253 allow spamc_t self:unix_dgram_socket create_socket_perms;
254 allow spamc_t self:unix_stream_socket create_stream_socket_perms;
255 allow spamc_t self:unix_dgram_socket sendto;
256 allow spamc_t self:unix_stream_socket connectto;
257 allow spamc_t self:tcp_socket create_stream_socket_perms;
258 allow spamc_t self:udp_socket create_socket_perms;
260 can_exec(spamc_t, spamc_exec_t)
262 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
263 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
264 files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
266 manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
267 manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
268 manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
269 manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
270 manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
271 userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
272 userdom_append_user_home_content_files(spamc_t)
274 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
275 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
277 # Allow connecting to a local spamd
278 allow spamc_t spamd_t:unix_stream_socket connectto;
279 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
280 spamd_stream_connect(spamc_t)
282 kernel_read_kernel_sysctls(spamc_t)
283 kernel_read_system_state(spamc_t)
285 corecmd_exec_bin(spamc_t)
287 corenet_all_recvfrom_unlabeled(spamc_t)
288 corenet_all_recvfrom_netlabel(spamc_t)
289 corenet_tcp_sendrecv_generic_if(spamc_t)
290 corenet_udp_sendrecv_generic_if(spamc_t)
291 corenet_tcp_sendrecv_generic_node(spamc_t)
292 corenet_udp_sendrecv_generic_node(spamc_t)
293 corenet_tcp_sendrecv_all_ports(spamc_t)
294 corenet_udp_sendrecv_all_ports(spamc_t)
295 corenet_tcp_connect_all_ports(spamc_t)
296 corenet_sendrecv_all_client_packets(spamc_t)
297 corenet_tcp_connect_spamd_port(spamc_t)
299 fs_search_auto_mountpoints(spamc_t)
301 # cjp: these should probably be removed:
302 corecmd_list_bin(spamc_t)
303 corecmd_read_bin_symlinks(spamc_t)
304 corecmd_read_bin_files(spamc_t)
305 corecmd_read_bin_pipes(spamc_t)
306 corecmd_read_bin_sockets(spamc_t)
308 domain_use_interactive_fds(spamc_t)
310 files_read_etc_files(spamc_t)
311 files_read_etc_runtime_files(spamc_t)
312 files_read_usr_files(spamc_t)
313 files_dontaudit_search_var(spamc_t)
314 # cjp: this may be removable:
315 files_list_home(spamc_t)
316 files_list_var_lib(spamc_t)
318 fs_search_auto_mountpoints(spamc_t)
320 logging_send_syslog_msg(spamc_t)
322 auth_use_nsswitch(spamc_t)
324 miscfiles_read_localization(spamc_t)
326 # cjp: this should probably be removed:
327 seutil_read_config(spamc_t)
329 sysnet_read_config(spamc_t)
331 tunable_policy(`use_nfs_home_dirs',`
332 fs_manage_nfs_dirs(spamc_t)
333 fs_manage_nfs_files(spamc_t)
334 fs_manage_nfs_symlinks(spamc_t)
337 tunable_policy(`use_samba_home_dirs',`
338 fs_manage_cifs_dirs(spamc_t)
339 fs_manage_cifs_files(spamc_t)
340 fs_manage_cifs_symlinks(spamc_t)
345 abrt_stream_connect(spamc_t)
349 # Allow connection to spamd socket above
350 evolution_stream_connect(spamc_t)
354 milter_manage_spamass_state(spamc_t)
358 postfix_domtrans_postdrop(spamc_t)
359 postfix_search_spool(spamc_t)
360 postfix_rw_local_pipes(spamc_t)
361 postfix_rw_master_pipes(spamc_t)
365 mta_send_mail(spamc_t)
366 mta_read_config(spamc_t)
367 mta_read_queue(spamc_t)
368 sendmail_stub(spamc_t)
369 sendmail_rw_pipes(spamc_t)
370 sendmail_dontaudit_rw_tcp_sockets(spamc_t)
373 ########################################
375 # Server local policy
378 # Spamassassin, when run as root and using per-user config files,
379 # setuids to the user running spamc. Comment this if you are not
380 # using this ability.
382 allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
383 dontaudit spamd_t self:capability sys_tty_config;
384 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
385 allow spamd_t self:fd use;
386 allow spamd_t self:fifo_file rw_fifo_file_perms;
387 allow spamd_t self:sock_file read_sock_file_perms;
388 allow spamd_t self:shm create_shm_perms;
389 allow spamd_t self:sem create_sem_perms;
390 allow spamd_t self:msgq create_msgq_perms;
391 allow spamd_t self:msg { send receive };
392 allow spamd_t self:unix_dgram_socket create_socket_perms;
393 allow spamd_t self:unix_stream_socket create_stream_socket_perms;
394 allow spamd_t self:unix_dgram_socket sendto;
395 allow spamd_t self:unix_stream_socket connectto;
396 allow spamd_t self:tcp_socket create_stream_socket_perms;
397 allow spamd_t self:udp_socket create_socket_perms;
399 can_exec(spamd_t, spamd_compiled_t)
400 manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
401 manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
403 manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
404 logging_log_filetrans(spamd_t, spamd_log_t, file)
406 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
407 manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
408 manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
409 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
411 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
412 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
413 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
415 # var/lib files for spamd
416 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
417 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
418 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
420 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
421 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
422 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
423 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
425 can_exec(spamd_t, spamd_exec_t)
427 kernel_read_all_sysctls(spamd_t)
428 kernel_read_system_state(spamd_t)
430 corenet_all_recvfrom_unlabeled(spamd_t)
431 corenet_all_recvfrom_netlabel(spamd_t)
432 corenet_tcp_sendrecv_generic_if(spamd_t)
433 corenet_udp_sendrecv_generic_if(spamd_t)
434 corenet_tcp_sendrecv_generic_node(spamd_t)
435 corenet_udp_sendrecv_generic_node(spamd_t)
436 corenet_tcp_sendrecv_all_ports(spamd_t)
437 corenet_udp_sendrecv_all_ports(spamd_t)
438 corenet_tcp_bind_generic_node(spamd_t)
439 corenet_tcp_bind_spamd_port(spamd_t)
440 corenet_tcp_connect_razor_port(spamd_t)
441 corenet_tcp_connect_smtp_port(spamd_t)
442 corenet_sendrecv_razor_client_packets(spamd_t)
443 corenet_sendrecv_spamd_server_packets(spamd_t)
444 # spamassassin 3.1 needs this for its
445 # DnsResolver.pm module which binds to
446 # random ports >= 1024.
447 corenet_udp_bind_generic_node(spamd_t)
448 corenet_udp_bind_generic_port(spamd_t)
449 corenet_udp_bind_imaze_port(spamd_t)
450 corenet_dontaudit_udp_bind_all_ports(spamd_t)
451 corenet_sendrecv_imaze_server_packets(spamd_t)
452 corenet_sendrecv_generic_server_packets(spamd_t)
454 dev_read_sysfs(spamd_t)
455 dev_read_urand(spamd_t)
457 fs_getattr_all_fs(spamd_t)
458 fs_search_auto_mountpoints(spamd_t)
460 auth_dontaudit_read_shadow(spamd_t)
462 corecmd_exec_bin(spamd_t)
464 domain_use_interactive_fds(spamd_t)
466 files_read_usr_files(spamd_t)
467 files_read_etc_files(spamd_t)
468 files_read_etc_runtime_files(spamd_t)
470 files_read_var_lib_files(spamd_t)
472 init_dontaudit_rw_utmp(spamd_t)
474 auth_use_nsswitch(spamd_t)
476 logging_send_syslog_msg(spamd_t)
478 miscfiles_read_localization(spamd_t)
480 userdom_use_unpriv_users_fds(spamd_t)
481 userdom_search_user_home_dirs(spamd_t)
484 exim_manage_spool_dirs(spamd_t)
485 exim_manage_spool_files(spamd_t)
488 tunable_policy(`use_nfs_home_dirs',`
489 fs_manage_nfs_dirs(spamd_t)
490 fs_manage_nfs_files(spamd_t)
493 tunable_policy(`use_samba_home_dirs',`
494 fs_manage_cifs_dirs(spamd_t)
495 fs_manage_cifs_files(spamd_t)
499 amavis_manage_lib_files(spamd_t)
503 cron_system_entry(spamd_t, spamd_exec_t)
507 daemontools_service_domain(spamd_t, spamd_exec_t)
511 dcc_domtrans_cdcc(spamd_t)
512 dcc_domtrans_client(spamd_t)
513 dcc_signal_client(spamd_t)
514 dcc_stream_connect_dccifd(spamd_t)
518 milter_manage_spamass_state(spamd_t)
522 mysql_tcp_connect(spamd_t)
523 mysql_search_db(spamd_t)
524 mysql_stream_connect(spamd_t)
528 postfix_read_config(spamd_t)
532 postgresql_tcp_connect(spamd_t)
533 postgresql_stream_connect(spamd_t)
537 pyzor_domtrans(spamd_t)
538 pyzor_signal(spamd_t)
542 razor_domtrans(spamd_t)
543 razor_read_lib_files(spamd_t)
544 tunable_policy(`spamd_enable_home_dirs',`
545 razor_manage_user_home_files(spamd_t)
550 seutil_sigchld_newrole(spamd_t)
554 sendmail_stub(spamd_t)
555 mta_read_config(spamd_t)
559 udev_read_db(spamd_t)
562 ########################################
564 # spamd_update local policy
567 allow spamd_update_t self:fifo_file manage_fifo_file_perms;
568 allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
569 dontaudit spamd_update_t self:capability dac_override;
571 manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
572 manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
573 files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
575 allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
576 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
577 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
579 allow spamd_update_t spamd_tmp_t:file read_file_perms;
581 kernel_read_system_state(spamd_update_t)
584 corenet_tcp_connect_http_port(spamd_update_t)
586 corecmd_exec_bin(spamd_update_t)
587 corecmd_exec_shell(spamd_update_t)
589 dev_read_urand(spamd_update_t)
591 domain_use_interactive_fds(spamd_update_t)
593 files_read_etc_files(spamd_update_t)
594 files_read_usr_files(spamd_update_t)
596 auth_use_nsswitch(spamd_update_t)
597 auth_dontaudit_read_shadow(spamd_update_t)
599 miscfiles_read_localization(spamd_update_t)
601 mta_read_config(spamd_update_t)
603 userdom_use_inherited_user_ptys(spamd_update_t)
606 gpg_domtrans(spamd_update_t)