1 ## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
2
#######################################
## <summary>
##	The template to define a mailman domain.
## </summary>
## <desc>
##	<p>
##	This template creates a domain to be used for
##	a new mailman daemon: a process type, an entrypoint
##	executable type and a private tmp type, all named
##	from the supplied prefix (cgi gives mailman_cgi_t,
##	mailman_cgi_exec_t and mailman_cgi_tmp_t).
##	</p>
##	<p>
##	The new domain is placed in the system_r role and is
##	given access to the shared mailman_data_t, mailman_lock_t
##	and mailman_log_t types. Those shared types are not
##	required by this template, so it is meant to be invoked
##	from the module that declares them.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The type of daemon to be used eg, cgi would give mailman_cgi_
##	</summary>
## </param>
#
template(`mailman_domain_template', `
	# Process domain and its role.
	type mailman_$1_t;
	domain_type(mailman_$1_t)
	role system_r types mailman_$1_t;

	# Executable that enters the domain.
	type mailman_$1_exec_t;
	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)

	# Temporary files private to this domain.
	type mailman_$1_tmp_t;
	files_tmp_file(mailman_$1_tmp_t)

	# Sockets the domain creates for itself: local IPC plus TCP and UDP.
	allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
	allow mailman_$1_t self:udp_socket create_socket_perms;

	# Shared mailman data is fully managed, symlinks included.
	allow mailman_$1_t mailman_data_t:dir create_dir_perms;
	allow mailman_$1_t mailman_data_t:file create_file_perms;
	allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;

	# Lock files created in the lock directory are labeled mailman_lock_t
	# rather than the generic lock type.
	allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
	allow mailman_$1_t mailman_lock_t:file create_file_perms;
	files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)

	# Likewise for log files created in the log directory.
	allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
	allow mailman_$1_t mailman_log_t:file create_file_perms;
	logging_log_filetrans(mailman_$1_t,mailman_log_t,file)

	# Files and directories created in tmp get the private tmp type.
	allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
	allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })

	kernel_read_kernel_sysctls(mailman_$1_t)
	kernel_read_system_state(mailman_$1_t)

	# NOTE(review): TCP and UDP traffic is permitted on every interface,
	# node and port, and binding on all nodes; only the outbound connect
	# below is narrowed to the SMTP port. The raw sendrecv lines have no
	# matching rawip_socket self rule in this template, so they appear to
	# grant nothing usable here - confirm before keeping them.
	corenet_tcp_sendrecv_all_if(mailman_$1_t)
	corenet_udp_sendrecv_all_if(mailman_$1_t)
	corenet_raw_sendrecv_all_if(mailman_$1_t)
	corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
	corenet_udp_sendrecv_all_nodes(mailman_$1_t)
	corenet_raw_sendrecv_all_nodes(mailman_$1_t)
	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
	corenet_udp_sendrecv_all_ports(mailman_$1_t)
	corenet_non_ipsec_sendrecv(mailman_$1_t)
	corenet_tcp_bind_all_nodes(mailman_$1_t)
	corenet_udp_bind_all_nodes(mailman_$1_t)
	corenet_tcp_connect_smtp_port(mailman_$1_t)

	fs_getattr_xattr_fs(mailman_$1_t)

	# NOTE(review): this lets the domain run any executable type on the
	# system; a narrower set would be preferable if the helpers mailman
	# invokes can be enumerated.
	corecmd_exec_all_executables(mailman_$1_t)

	# Generic system directories and configuration the daemon touches.
	files_exec_etc_files(mailman_$1_t)
	files_list_usr(mailman_$1_t)
	files_list_var(mailman_$1_t)
	files_list_var_lib(mailman_$1_t)
	files_read_var_lib_symlinks(mailman_$1_t)
	files_read_etc_runtime_files(mailman_$1_t)

	# Dynamic loader and shared libraries.
	libs_use_ld_so(mailman_$1_t)
	libs_use_shared_libs(mailman_$1_t)
	libs_exec_ld_so(mailman_$1_t)
	libs_exec_lib_files(mailman_$1_t)

	logging_send_syslog_msg(mailman_$1_t)

	miscfiles_read_localization(mailman_$1_t)

	# Resolver and network configuration.
	sysnet_read_config(mailman_$1_t)

	# Only when the mount and nis modules are present: presumably for
	# data kept on NFS and NIS-backed user lookups - confirm.
	optional_policy(`
		mount_send_nfs_client_request(mailman_$1_t)
	')

	optional_policy(`
		nis_use_ypbind(mailman_$1_t)
	')
')
96
#######################################
## <summary>
##	Execute mailman in the mailman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_domtrans',`
	gen_require(`
		type mailman_mail_exec_t, mailman_mail_t;
	')

	# Executing the mail entrypoint from the caller transitions
	# the process into mailman_mail_t.
	domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)

	# Descriptors and pipes inherited across the transition, and the
	# child reporting its exit to the caller.
	# NOTE(review): the first rule also lets the caller use descriptors
	# owned by the child; confirm that direction is actually needed.
	allow $1 mailman_mail_t:fd use;
	allow mailman_mail_t $1:fd use;
	allow mailman_mail_t $1:fifo_file rw_file_perms;
	allow mailman_mail_t $1:process sigchld;
')
119
#######################################
## <summary>
##	Execute mailman CGI scripts in the
##	mailman CGI domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_domtrans_cgi',`
	gen_require(`
		type mailman_cgi_exec_t, mailman_cgi_t;
	')

	# Executing a CGI entrypoint from the caller (typically a web
	# server domain) transitions the process into mailman_cgi_t.
	domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)

	# Descriptors and pipes inherited across the transition, and the
	# child reporting its exit to the caller.
	# NOTE(review): the first rule also lets the caller use descriptors
	# owned by the child; confirm that direction is actually needed.
	allow $1 mailman_cgi_t:fd use;
	allow mailman_cgi_t $1:fd use;
	allow mailman_cgi_t $1:fifo_file rw_file_perms;
	allow mailman_cgi_t $1:process sigchld;
')
143
#######################################
## <summary>
##	Execute mailman in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_exec',`
	gen_require(`
		type mailman_mail_exec_t;
	')

	# Execute only, no domain transition: the caller keeps its own
	# type while running the mail entrypoint.
	can_exec($1,mailman_mail_exec_t)
')
161
#######################################
## <summary>
##	Send generic signals to the mailman cgi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_signal_cgi',`
	gen_require(`
		type mailman_cgi_t;
	')

	# The signal permission only; sigkill, sigstop and sigchld are
	# separate permissions and are not granted here.
	allow $1 mailman_cgi_t:process signal;
')
179
#######################################
## <summary>
##	Allow domain to search data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_search_data',`
	gen_require(`
		type mailman_data_t;
	')

	# Traversal only: enough to reach a known path below the data
	# directory, not to list its contents (see mailman_list_data).
	allow $1 mailman_data_t:dir search_dir_perms;
')
197
#######################################
## <summary>
##	Allow domain to read mailman data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_data_files',`
	gen_require(`
		type mailman_data_t;
	')

	# Search on the directory is required to reach the files;
	# the files themselves are read only.
	allow $1 mailman_data_t:dir search_dir_perms;
	allow $1 mailman_data_t:file read_file_perms;
')
216
#######################################
## <summary>
##	Allow domain to create mailman data files
##	and write the directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_manage_data_files',`
	gen_require(`
		type mailman_data_t;
	')

	# Write access to the directory plus full management of the files
	# in it. Symlinks are not covered; see mailman_read_data_symlinks.
	allow $1 mailman_data_t:dir rw_dir_perms;
	allow $1 mailman_data_t:file manage_file_perms;
')
236
#######################################
## <summary>
##	List the contents of mailman data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_list_data',`
	gen_require(`
		type mailman_data_t;
	')

	# Read and search on the directory: the contents can be listed,
	# the files inside are not readable through this interface.
	allow $1 mailman_data_t:dir r_dir_perms;
')
254
#######################################
## <summary>
##	Allow read access to mailman data symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_data_symlinks',`
	gen_require(`
		type mailman_data_t;
	')

	# Bare permissions rather than permission set macros.
	# NOTE(review): read on the link without getattr is inconsistent
	# with mailman_read_archive, which grants getattr and read on its
	# symlinks; callers that lstat a link before following it would be
	# denied here - confirm whether getattr should be added.
	allow $1 mailman_data_t:dir search;
	allow $1 mailman_data_t:lnk_file read;
')
273
#######################################
## <summary>
##	Create, read, write, and delete
##	mailman logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_manage_log',`
	gen_require(`
		type mailman_log_t;
	')

	# Write access to the log directory and create rights on the log
	# files and symlinks in it. No file transition is set up here, so
	# files the caller creates under the generic log directory keep
	# the type that location gives them.
	allow $1 mailman_log_t:dir rw_dir_perms;
	allow $1 mailman_log_t:file create_file_perms;
	allow $1 mailman_log_t:lnk_file create_lnk_perms;
')
294
#######################################
## <summary>
##	Allow domain to read mailman archive files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_archive',`
	gen_require(`
		type mailman_archive_t;
	')

	# Read-only view of the archive tree: list directories, read files,
	# and stat or follow symlinks.
	allow $1 mailman_archive_t:dir list_dir_perms;
	allow $1 mailman_archive_t:file r_file_perms;
	allow $1 mailman_archive_t:lnk_file { getattr read };
')
314
315
#######################################
## <summary>
##	Execute mailman_queue in the mailman_queue domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_domtrans_queue',`
	gen_require(`
		type mailman_queue_exec_t, mailman_queue_t;
	')

	# Executing the queue runner entrypoint from the caller transitions
	# the process into mailman_queue_t.
	domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)

	# Descriptors and pipes inherited across the transition, and the
	# child reporting its exit to the caller.
	# NOTE(review): the first rule also lets the caller use descriptors
	# owned by the child; confirm that direction is actually needed.
	allow $1 mailman_queue_t:fd use;
	allow mailman_queue_t $1:fd use;
	allow mailman_queue_t $1:fifo_file rw_file_perms;
	allow mailman_queue_t $1:process sigchld;
')
338