1 ## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
3 #######################################
5 ## The template to define a mailman domain.
9 ## This template creates a domain to be used for
10 ## a new mailman daemon.
13 ## <param name="userdomain_prefix">
15 ## The type of daemon to be used, e.g. cgi would give mailman_cgi_
19 template(`mailman_domain_template', `
# Every mailman_<prefix>_t domain built from this template receives the same
# grants, so anything broad below is inherited by each instance.
# Mark the type as a domain and let it run under system_r.
21 domain_type(mailman_$1_t)
22 role system_r types mailman_$1_t;
# Per-instance executable type, registered as the entry point of the domain.
24 type mailman_$1_exec_t;
25 domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
# Per-instance temporary file type.
27 type mailman_$1_tmp_t;
28 files_tmp_file(mailman_$1_tmp_t)
# Socket classes the domain may create for itself: unix stream and datagram,
# TCP and UDP. No rawip_socket rule is visible in this template.
30 allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
31 allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
32 allow mailman_$1_t self:udp_socket create_socket_perms;
# mailman_data_t, mailman_lock_t and mailman_log_t carry no prefix, so they
# are shared by all instances: each instance can create and modify the data,
# lock and log files of the others. Only the tmp type is per-instance.
# NOTE(review): these three types are not declared in the visible lines;
# presumably they come from the policy module that calls this template.
34 allow mailman_$1_t mailman_data_t:dir create_dir_perms;
35 allow mailman_$1_t mailman_data_t:file create_file_perms;
36 allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
# Lock files: read-write on the directory, full file lifecycle on the files.
# The filetrans call requests mailman_lock_t as the label for files the
# domain creates in the generic lock directory.
38 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
39 allow mailman_$1_t mailman_lock_t:file create_file_perms;
40 files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
# Log files: same pattern as the lock files, for the generic log directory.
# Because the domain holds create_file_perms on its own logs, a compromised
# instance can alter them; forward to syslog if log integrity matters.
42 allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
43 allow mailman_$1_t mailman_log_t:file create_file_perms;
44 logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
# Temporary files and directories created by the domain are labeled with the
# per-instance tmp type.
46 allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
47 allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
48 files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
# Read-only view of kernel sysctls and system state.
50 kernel_read_kernel_sysctls(mailman_$1_t)
51 kernel_read_system_state(mailman_$1_t)
# Network access. Send and receive is granted for TCP, UDP and raw traffic on
# all interfaces and nodes, and for TCP and UDP on all ports.
# NOTE(review): the raw_sendrecv grants have no matching rawip_socket rule on
# self in this template - presumably generic network boilerplate; confirm
# whether they can be dropped.
53 corenet_tcp_sendrecv_all_if(mailman_$1_t)
54 corenet_udp_sendrecv_all_if(mailman_$1_t)
55 corenet_raw_sendrecv_all_if(mailman_$1_t)
56 corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
57 corenet_udp_sendrecv_all_nodes(mailman_$1_t)
58 corenet_raw_sendrecv_all_nodes(mailman_$1_t)
59 corenet_tcp_sendrecv_all_ports(mailman_$1_t)
60 corenet_udp_sendrecv_all_ports(mailman_$1_t)
61 corenet_non_ipsec_sendrecv(mailman_$1_t)
# Binding is allowed on any node for TCP and UDP; no port-level bind
# interface is visible in this template. SMTP is the only port-specific
# connect interface visible here.
62 corenet_tcp_bind_all_nodes(mailman_$1_t)
63 corenet_udp_bind_all_nodes(mailman_$1_t)
64 corenet_tcp_connect_smtp_port(mailman_$1_t)
66 fs_getattr_xattr_fs(mailman_$1_t)
# NOTE(review): broad execute access. By its name this lets the domain run
# any file labeled as an executable; presumably the program then runs inside
# the mailman domain rather than transitioning - confirm, and narrow it if
# the daemon only needs a shell and an interpreter.
68 corecmd_exec_all_executables(mailman_$1_t)
# Execute files under etc, and list or read the usr, var and var_lib trees.
70 files_exec_etc_files(mailman_$1_t)
71 files_list_usr(mailman_$1_t)
72 files_list_var(mailman_$1_t)
73 files_list_var_lib(mailman_$1_t)
74 files_read_var_lib_symlinks(mailman_$1_t)
75 files_read_etc_runtime_files(mailman_$1_t)
# Dynamic linking, plus direct execution of the loader and of library files.
77 libs_use_ld_so(mailman_$1_t)
78 libs_use_shared_libs(mailman_$1_t)
79 libs_exec_ld_so(mailman_$1_t)
80 libs_exec_lib_files(mailman_$1_t)
82 logging_send_syslog_msg(mailman_$1_t)
84 miscfiles_read_localization(mailman_$1_t)
86 sysnet_read_config(mailman_$1_t)
# NOTE(review): the listing skips lines around the next two calls, so any
# optional or conditional wrapper they sit in is not visible - confirm
# whether NFS client and NIS access are unconditional.
89 mount_send_nfs_client_request(mailman_$1_t)
93 nis_use_ypbind(mailman_$1_t)
97 #######################################
99 ## Execute mailman in the mailman domain.
101 ## <param name="domain">
103 ## Domain allowed access.
107 interface(`mailman_domtrans',`
# Types referenced by the rules below.
# NOTE(review): the listing skips lines 108 and 110-111; presumably the
# require wrapper sits there - confirm.
109 type mailman_mail_exec_t, mailman_mail_t;
# Automatic transition: the caller enters mailman_mail_t when it executes a
# file labeled mailman_mail_exec_t.
112 domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
# Plumbing between the caller and the new domain: file descriptors may be
# used in both directions, mailman_mail_t may read and write pipes owned by
# the caller, and may deliver SIGCHLD to it on exit.
# Descriptors the caller leaves open become usable by mailman_mail_t, so
# callers should close anything sensitive before the exec.
114 allow $1 mailman_mail_t:fd use;
115 allow mailman_mail_t $1:fd use;
116 allow mailman_mail_t $1:fifo_file rw_file_perms;
117 allow mailman_mail_t $1:process sigchld;
120 #######################################
122 ## Execute mailman CGI scripts in the
123 ## mailman CGI domain.
125 ## <param name="domain">
127 ## Domain allowed access.
131 interface(`mailman_domtrans_cgi',`
# Types referenced by the rules below.
# NOTE(review): the listing skips lines 132 and 134-135; presumably the
# require wrapper sits there - confirm.
133 type mailman_cgi_exec_t, mailman_cgi_t;
# Automatic transition: the caller enters mailman_cgi_t when it executes a
# file labeled mailman_cgi_exec_t.
136 domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
# Plumbing between the caller and the CGI domain: descriptors usable both
# ways, read-write on pipes owned by the caller, SIGCHLD back to the caller.
# Descriptors the caller leaves open become usable by mailman_cgi_t, which
# handles web requests - callers should close anything sensitive first.
138 allow $1 mailman_cgi_t:fd use;
139 allow mailman_cgi_t $1:fd use;
140 allow mailman_cgi_t $1:fifo_file rw_file_perms;
141 allow mailman_cgi_t $1:process sigchld;
144 #######################################
146 ## Execute mailman in the caller domain.
148 ## <param name="domain">
150 ## Domain allowed access.
154 interface(`mailman_exec',`
# Type referenced by the rule below.
156 type mailman_mail_exec_t;
# Execute without a domain transition: the mailman program runs with the
# permissions of the caller, not those of mailman_mail_t. Grant this only
# where the caller is meant to run mailman code under its own confinement.
159 can_exec($1,mailman_mail_exec_t)
162 #######################################
164 ## Send generic signals to the mailman cgi domain.
166 ## <param name="domain">
168 ## Domain allowed access.
172 interface(`mailman_signal_cgi',`
# NOTE(review): the listing skips lines 173-176; presumably the require
# block naming mailman_cgi_t sits there - confirm.
# Only the signal permission is granted. sigkill, sigstop and signull are
# separate process permissions and are not covered by this interface.
177 allow $1 mailman_cgi_t:process signal;
180 #######################################
182 ## Allow domain to search data directories.
184 ## <param name="domain">
186 ## Domain allowed access.
190 interface(`mailman_search_data',`
# NOTE(review): the listing skips lines 191-194; presumably the require
# block naming mailman_data_t sits there - confirm.
# Directory traversal only: no file permissions are granted here.
195 allow $1 mailman_data_t:dir search_dir_perms;
198 #######################################
200 ## Allow domain to read mailman data files.
202 ## <param name="domain">
204 ## Domain allowed access.
208 interface(`mailman_read_data_files',`
# NOTE(review): the listing skips lines 209-212; presumably the require
# block naming mailman_data_t sits there - confirm.
# Traverse the data directories and read regular files in them. No lnk_file
# rule is included, so symlinks are not covered by this interface.
213 allow $1 mailman_data_t:dir search_dir_perms;
214 allow $1 mailman_data_t:file read_file_perms;
217 #######################################
219 ## Allow domain to create mailman data files
220 ## and write the directory.
222 ## <param name="domain">
224 ## Domain allowed access.
228 interface(`mailman_manage_data_files',`
# NOTE(review): the listing skips lines 229-232; presumably the require
# block naming mailman_data_t sits there - confirm.
# Read-write on the data directories and full management of regular files.
# mailman_data_t is shared by every mailman domain, so a caller granted this
# can alter data that all of them consume.
# NOTE(review): this is the only visible use of manage_file_perms; the other
# file rules in this module use create_file_perms - confirm the two sets are
# meant to be equivalent here.
233 allow $1 mailman_data_t:dir rw_dir_perms;
234 allow $1 mailman_data_t:file manage_file_perms;
237 #######################################
239 ## List the contents of mailman data directories.
241 ## <param name="domain">
243 ## Domain allowed access.
247 interface(`mailman_list_data',`
# NOTE(review): the listing skips lines 248-251; presumably the require
# block naming mailman_data_t sits there - confirm.
# Directory listing only: no file permissions are granted here.
# NOTE(review): r_dir_perms is used here while mailman_read_archive uses
# list_dir_perms for the same purpose - confirm which name is current.
252 allow $1 mailman_data_t:dir r_dir_perms;
255 #######################################
257 ## Allow read access to mailman data symbolic links.
259 ## <param name="domain">
261 ## Domain allowed access.
265 interface(`mailman_read_data_symlinks',`
# NOTE(review): the listing skips lines 266-269; presumably the require
# block naming mailman_data_t sits there - confirm.
# Bare permissions rather than permission sets: search on the directories
# and read on symlinks. Nothing is granted on regular files.
270 allow $1 mailman_data_t:dir search;
271 allow $1 mailman_data_t:lnk_file read;
274 #######################################
276 ## Create, read, write, and delete mailman logs.
279 ## <param name="domain">
281 ## Domain allowed access.
285 interface(`mailman_manage_log',`
# NOTE(review): the listing skips lines 286-289; presumably the require
# block naming mailman_log_t sits there - confirm.
# Read-write on the log directories plus the full lifecycle of log files and
# symlinks. A caller granted this can rewrite or remove mailman logs, so
# limit it to domains that are trusted with log integrity, such as log
# rotation.
290 allow $1 mailman_log_t:dir rw_dir_perms;
291 allow $1 mailman_log_t:file create_file_perms;
292 allow $1 mailman_log_t:lnk_file create_lnk_perms;
295 #######################################
297 ## Allow domain to read mailman archive files.
299 ## <param name="domain">
301 ## Domain allowed access.
305 interface(`mailman_read_archive',`
# Type referenced by the rules below.
307 type mailman_archive_t;
# List archive directories, read archive files and follow archive symlinks.
# No write, create or unlink permission appears in the symlink rule; the
# directory and file sets are read-only by their names - confirm against the
# permission set definitions.
# NOTE(review): r_file_perms is used here while mailman_read_data_files uses
# read_file_perms - confirm which name is current.
310 allow $1 mailman_archive_t:dir list_dir_perms;
311 allow $1 mailman_archive_t:file r_file_perms;
312 allow $1 mailman_archive_t:lnk_file { getattr read };
316 #######################################
318 ## Execute mailman_queue in the mailman_queue domain.
320 ## <param name="domain">
322 ## Domain allowed access.
326 interface(`mailman_domtrans_queue',`
# Types referenced by the rules below.
# NOTE(review): the listing skips lines 327 and 329-330; presumably the
# require wrapper sits there - confirm.
328 type mailman_queue_exec_t, mailman_queue_t;
# Automatic transition: the caller enters mailman_queue_t when it executes a
# file labeled mailman_queue_exec_t.
331 domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
# Plumbing between the caller and the queue domain: descriptors usable both
# ways, read-write on pipes owned by the caller, SIGCHLD back to the caller.
# Descriptors the caller leaves open become usable by mailman_queue_t, so
# callers should close anything sensitive before the exec.
333 allow $1 mailman_queue_t:fd use;
334 allow mailman_queue_t $1:fd use;
335 allow mailman_queue_t $1:fifo_file rw_file_perms;
336 allow mailman_queue_t $1:process sigchld;