refpolicy/policy/modules/services/mailman.te

   1
   2 policy_module(mailman,1.1.3)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 mailman_domain_template(cgi)
  10
  11 type mailman_data_t;
  12 files_type(mailman_data_t)
  13
  14 type mailman_archive_t;
  15 files_type(mailman_archive_t)
  16
  17 type mailman_log_t;
  18 logging_log_file(mailman_log_t)
  19
  20 type mailman_lock_t;
  21 files_lock_file(mailman_lock_t)
  22
  23 mailman_domain_template(mail)
  24 init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
  25
  26 mailman_domain_template(queue)
  27
  28 ########################################
  29 #
  30 # Mailman CGI local policy
  31 #
  32
  33 # cjp: the template invocation for queue should be
  34 # in the below optional policy; however, there are no
  35 # optionals for file contexts yet, so it is promoted
  36 # to global scope until such facilities exist.
  37
  38 optional_policy(`
  39         allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
  40         allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
  41         allow mailman_cgi_t mailman_archive_t:file create_file_perms;
  42
  43         kernel_tcp_recvfrom(mailman_cgi_t)
  44
  45         term_use_controlling_term(mailman_cgi_t)
  46
  47         files_search_spool(mailman_cgi_t)
  48
  49         mta_tcp_connect_all_mailservers(mailman_cgi_t)
  50
  51         apache_sigchld(mailman_cgi_t)
  52         apache_use_fds(mailman_cgi_t)
  53         apache_dontaudit_append_log(mailman_cgi_t)
  54         apache_search_sys_script_state(mailman_cgi_t)
  55 ')
  56
  57 ########################################
  58 #
  59 # Mailman mail local policy
  60 #
  61
  62 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
  63
  64 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
  65
  66 ifdef(`TODO',`
  67 optional_policy(`
  68         allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
  69         # do we really need this?
  70         allow mailman_mail_t qmail_lspawn_t:fifo_file write;
  71 ')
  72 ')
  73
  74 ########################################
  75 #
  76 # Mailman queue local policy
  77 #
  78
  79 allow mailman_queue_t self:capability { setgid setuid };
  80 allow mailman_queue_t self:process signal;
  81 allow mailman_queue_t self:fifo_file rw_file_perms;
  82 allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
  83 allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
  84
  85 allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
  86 allow mailman_queue_t mailman_archive_t:file create_file_perms;
  87 allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
  88
  89 kernel_read_proc_symlinks(mailman_queue_t)
  90 kernel_tcp_recvfrom(mailman_queue_t)
  91
  92 auth_domtrans_chk_passwd(mailman_queue_t)
  93
  94 files_dontaudit_search_pids(mailman_queue_t)
  95
  96 # for su
  97 seutil_dontaudit_search_config(mailman_queue_t)
  98
  99 # some of the following could probably be changed to dontaudit, someone who
 100 # knows mailman well should test this out and send the changes
 101 userdom_search_sysadm_home_dirs(mailman_queue_t)
 102 userdom_getattr_sysadm_home_dirs(mailman_queue_t)
 103
 104 mta_tcp_connect_all_mailservers(mailman_queue_t)
 105
 106 su_exec(mailman_queue_t)
 107
 108 optional_policy(`
 109         cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
 110 ')
 111
 112 optional_policy(`
 113         nscd_socket_use(mailman_queue_t)
 114 ')