trunk: merge strict and targeted policies. merge shlib_t into lib_t.
[people/stevee/selinux-policy.git] / policy / modules / services / mta.if
index c769a831e7d9b9d460de0e2b86454a5e20dc6173..b701897dd09f955b7b0a38a1f5b41cf93a402a9a 100644 (file)
@@ -40,14 +40,18 @@ interface(`mta_stub',`
 #
 template(`mta_base_mail_template',`
 
+       gen_require(`
+               attribute user_mail_domain;
+               type sendmail_exec_t;
+       ')
+
        ##############################
        #
        # $1_mail_t declarations
        #
 
        type $1_mail_t, user_mail_domain;
-       domain_type($1_mail_t)
-       domain_entry_file($1_mail_t,sendmail_exec_t)
+       application_domain($1_mail_t,sendmail_exec_t)
 
        type $1_mail_tmp_t;
        files_tmp_file($1_mail_tmp_t)
@@ -63,11 +67,12 @@ template(`mta_base_mail_template',`
 
        # re-exec itself
        can_exec($1_mail_t, sendmail_exec_t)
-       allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
+       allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
 
        kernel_read_kernel_sysctls($1_mail_t)
 
-       corenet_non_ipsec_sendrecv($1_mail_t)
+       corenet_all_recvfrom_unlabeled($1_mail_t)
+       corenet_all_recvfrom_netlabel($1_mail_t)
        corenet_tcp_sendrecv_all_if($1_mail_t)
        corenet_tcp_sendrecv_all_nodes($1_mail_t)
        corenet_tcp_sendrecv_all_ports($1_mail_t)
@@ -76,7 +81,6 @@ template(`mta_base_mail_template',`
        corenet_sendrecv_smtp_client_packets($1_mail_t)
 
        corecmd_exec_bin($1_mail_t)
-       corecmd_search_sbin($1_mail_t)
 
        files_read_etc_files($1_mail_t)
        files_search_spool($1_mail_t)
@@ -118,17 +122,15 @@ template(`mta_base_mail_template',`
                        type etc_mail_t, mail_spool_t, mqueue_spool_t;
                ')
 
-               allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
-               allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+               manage_dirs_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
+               manage_files_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
                files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
 
                allow $1_mail_t etc_mail_t:dir { getattr search };
 
                # Write to /var/spool/mail and /var/spool/mqueue.
-               allow $1_mail_t mail_spool_t:dir rw_dir_perms;
-               allow $1_mail_t mail_spool_t:file create_file_perms;
-               allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
-               allow $1_mail_t mqueue_spool_t:file create_file_perms;
+               manage_files_pattern($1_mail_t,mail_spool_t,mail_spool_t)
+               manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)
 
                # Check available space.
                fs_getattr_xattr_fs($1_mail_t)
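Review bot: The comment `# Write to /var/spool/mail and /var/spool/mqueue.` understates what the two `manage_files_pattern` lines below it grant. The manage set normally includes create, rename and unlink as well as write, and it is given to every per-user `$1_mail_t` domain on both spool types. I would reword it to something like `# Create, modify and remove files in /var/spool/mail and /var/spool/mqueue (DAC still applies).` so a reader auditing the template sees the real scope. The enclosing optional block starts above this hunk.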
@@ -176,6 +178,10 @@ template(`mta_base_mail_template',`
 ## </param>
 #
 template(`mta_per_role_template',`
+       gen_require(`
+               attribute mta_user_agent;
+               attribute mailserver_delivery;
+       ')
 
        ##############################
        #
@@ -191,14 +197,9 @@ template(`mta_per_role_template',`
        #
 
        # Transition from the user domain to the derived domain.
-       domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+       domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
        allow $2 sendmail_exec_t:lnk_file { getattr read };
 
-       allow $2 $1_mail_t:fd use;
-       allow $1_mail_t $2:fd use;
-       allow $1_mail_t $2:fifo_file rw_file_perms;
-       allow $1_mail_t $2:process sigchld;
-
        domain_use_interactive_fds($1_mail_t)
 
        userdom_use_user_terminals($1,$1_mail_t)
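Review bot: Replacing `domain_auto_trans` and the four explicit rules with `domtrans_pattern` appears to drop `allow $2 $1_mail_t:fd use;`. As far as I know the pattern only covers the child-side `fd use`, `fifo_file` and `sigchld` rules, so please confirm against its definition. If the tightening is intended, say so in the commit message; if the calling domain needs descriptors from the mail domain, keep that one rule explicitly. For consistency, `allow $2 sendmail_exec_t:lnk_file { getattr read };` could use `read_lnk_file_perms` like the other hunks. `mta_send_mail` and `mta_sendmail_domtrans` further down still use `domain_auto_trans`.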
@@ -262,10 +263,8 @@ template(`mta_admin_template',`
                type $1_mail_t;
        ')
 
-       ifdef(`strict_policy',`
-               # allow the sysadmin to do "mail someone < /home/user/whatever"
-               userdom_read_unpriv_users_home_content_files($1_mail_t)
-       ')
+       # allow the sysadmin to do "mail someone < /home/user/whatever"
+       userdom_read_unpriv_users_home_content_files($1_mail_t)
 
        optional_policy(`
                gen_require(`
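Review bot: Removing the strict_policy conditional makes `userdom_read_unpriv_users_home_content_files($1_mail_t)` unconditional, so in every build of the merged policy the admin mail domain can read all unprivileged users' home content, not just the file redirected on the command line. The domain also talks to the network, so this is a wider grant than the one-line comment suggests. Consider putting it behind a tunable. At minimum extend the comment, for example `# NOTE: grants read on all unprivileged users' home files to $1_mail_t`. The template continues past this hunk.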
@@ -275,11 +274,11 @@ template(`mta_admin_template',`
 
                allow mta_user_agent $2:fifo_file { read write };
 
-               allow $1_mail_t etc_aliases_t:dir create_dir_perms;
-               allow $1_mail_t etc_aliases_t:file create_file_perms;
-               allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
-               allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
-               allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
+               manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+               manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+               manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+               manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+               manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
                files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
 
                # postfix needs this for newaliases
@@ -390,9 +389,11 @@ interface(`mta_mailserver_delivery',`
 
        typeattribute $1 mailserver_delivery;
 
-       allow $1 mail_spool_t:dir ra_dir_perms;
-       allow $1 mail_spool_t:file { create ioctl read getattr lock append };
-       allow $1 mail_spool_t:lnk_file { create read getattr };
+       allow $1 mail_spool_t:dir list_dir_perms;
+       create_files_pattern($1,mail_spool_t,mail_spool_t)
+       read_files_pattern($1,mail_spool_t,mail_spool_t)
+       create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
+       read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 
        optional_policy(`
                dovecot_manage_spool($1)
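Review bot: The old file rule for `mail_spool_t` included `append`, and none of the four patterns added here looks like it grants it. Create and read patterns normally carry only create/getattr and read/lock/ioctl, so this should be checked against the pattern definitions. A delivery agent that cannot append to an existing mailbox will produce AVC denials on ordinary delivery, which tends to push administrators toward permissive mode. If the gap is real, add `append_files_pattern($1,mail_spool_t,mail_spool_t)` next to the read pattern. The interface body begins above this hunk.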
@@ -449,7 +450,7 @@ interface(`mta_send_mail',`
                type system_mail_t, sendmail_exec_t;
        ')
 
-       allow $1 sendmail_exec_t:lnk_file r_file_perms;
+       allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
        domain_auto_trans($1, sendmail_exec_t, system_mail_t)
 
        allow $1 system_mail_t:fd use;
@@ -493,7 +494,7 @@ interface(`mta_sendmail_domtrans',`
        ')
 
        files_search_usr($1)
-       corecmd_read_sbin_symlinks($1)
+       corecmd_read_bin_symlinks($1)
        domain_auto_trans($1,sendmail_exec_t,$2)
 ')
 
@@ -533,8 +534,8 @@ interface(`mta_read_config',`
 
        files_search_etc($1)
        allow $1 etc_mail_t:dir list_dir_perms;
-       allow $1 etc_mail_t:file r_file_perms;
-       allow $1 etc_mail_t:lnk_file { getattr read };
+       read_files_pattern($1,etc_mail_t,etc_mail_t)
+       read_lnk_files_pattern($1,etc_mail_t,etc_mail_t)
 ')
 
 ########################################
@@ -553,7 +554,7 @@ interface(`mta_read_aliases',`
        ')
 
        files_search_etc($1)
-       allow $1 etc_aliases_t:file r_file_perms;
+       allow $1 etc_aliases_t:file read_file_perms;
 ')
 
 ########################################
@@ -663,7 +664,7 @@ interface(`mta_getattr_spool',`
        ')
 
        files_search_spool($1)
-       allow $1 mail_spool_t:dir r_dir_perms;
+       allow $1 mail_spool_t:dir list_dir_perms;
        allow $1 mail_spool_t:lnk_file read;
        allow $1 mail_spool_t:file getattr;
 ')
@@ -717,8 +718,7 @@ interface(`mta_spool_filetrans',`
        ')
 
        files_search_spool($1)
-       allow $1 mail_spool_t:dir rw_dir_perms;
-       type_transition $1 mail_spool_t:$3 $2;
+       filetrans_pattern($1,mail_spool_t,$2,$3)
 ')
 
 ########################################
@@ -737,9 +737,10 @@ interface(`mta_rw_spool',`
        ')
 
        files_search_spool($1)
-       allow $1 mail_spool_t:dir r_dir_perms;
-       allow $1 mail_spool_t:lnk_file { getattr read };
-       allow $1 mail_spool_t:file { rw_file_perms setattr };
+       allow $1 mail_spool_t:dir list_dir_perms;
+       allow $1 mail_spool_t:file setattr;
+       rw_files_pattern($1,mail_spool_t,mail_spool_t)
+       read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
 
 #######################################
@@ -758,9 +759,10 @@ interface(`mta_append_spool',`
        ')
 
        files_search_spool($1)
-       allow $1 mail_spool_t:dir ra_dir_perms;
-       allow $1 mail_spool_t:lnk_file { getattr read };
-       allow $1 mail_spool_t:file create_file_perms;
+       allow $1 mail_spool_t:dir list_dir_perms;
+       create_files_pattern($1,mail_spool_t,mail_spool_t)
+       write_files_pattern($1,mail_spool_t,mail_spool_t)
+       read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
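Review bot: `mta_append_spool` now uses `write_files_pattern`, which is broader than the interface name promises. Write access lets a caller overwrite or truncate existing mailbox contents, whereas append-only access does not. If callers only need to add to mailboxes, `append_files_pattern($1,mail_spool_t,mail_spool_t)` is the least-privilege choice. The old `create_file_perms` appears to have covered read as well, and the new lines do not, so it is worth confirming that no caller depended on that. The interface header and its summary sit outside this hunk.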
 
 #######################################
@@ -779,8 +781,7 @@ interface(`mta_delete_spool',`
        ')
 
        files_search_spool($1)
-       allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
-       allow $1 mail_spool_t:file unlink;
+       delete_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
 
 ########################################
@@ -799,9 +800,28 @@ interface(`mta_manage_spool',`
        ')
 
        files_search_spool($1)
-       allow $1 mail_spool_t:dir manage_dir_perms;
-       allow $1 mail_spool_t:lnk_file create_lnk_perms;
-       allow $1 mail_spool_t:file manage_file_perms;
+       manage_dirs_pattern($1,mail_spool_t,mail_spool_t)
+       manage_files_pattern($1,mail_spool_t,mail_spool_t)
+       manage_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
+')
+
+########################################
+## <summary>
+##     Search mail queue dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mta_search_queue',`
+       gen_require(`
+               type mqueue_spool_t;
+       ')
+
+       files_search_spool($1)
+       allow $1 mqueue_spool_t:dir search_dir_perms;
 ')
 
 #######################################
@@ -820,6 +840,7 @@ interface(`mta_dontaudit_rw_queue',`
                type mqueue_spool_t;
        ')
 
+       dontaudit $1 mqueue_spool_t:dir search_dir_perms;
        dontaudit $1 mqueue_spool_t:file { getattr read write };
 ')
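Review bot: The added `dontaudit $1 mqueue_spool_t:dir search_dir_perms;` widens what `mta_dontaudit_rw_queue` silences from file read/write to directory searches of the mail queue. The interface summary, which is outside this hunk, should be updated to match. Suppressed denials never reach the audit log, so callers of this interface lose visibility of queue-directory probing by those domains. A short comment such as `# also hide the directory search that precedes the file access` would record why the extra rule is needed.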
 
@@ -840,8 +861,7 @@ interface(`mta_manage_queue',`
        ')
 
        files_search_spool($1)
-       allow $1 mqueue_spool_t:dir rw_dir_perms;
-       allow $1 mqueue_spool_t:file create_file_perms;
+       manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
 ')
 
 #######################################
@@ -860,7 +880,7 @@ interface(`mta_read_sendmail_bin',`
                type sendmail_exec_t;
        ')
 
-       allow $1 sendmail_exec_t:file r_file_perms;
+       allow $1 sendmail_exec_t:file read_file_perms;
 ')
 
 #######################################