selinux-refpolicy/mls/domains/program/spamd.te

#DESC Spamd - Spamassassin daemon
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamassassin
# Depends: spamassassin.te
#

daemon_domain(spamd)

tmp_domain(spamd)

general_domain_access(spamd_t)
uses_shlib(spamd_t)
read_sysctl(spamd_t)

# Various Perl bits
allow spamd_t lib_t:file rx_file_perms;
dontaudit spamd_t shadow_t:file { getattr read };
dontaudit spamd_t initrc_var_run_t:file { read write lock };
dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };

can_network_server(spamd_t)
allow spamd_t spamd_port_t:tcp_socket name_bind;
allow spamd_t port_type:udp_socket name_bind;
dontaudit spamd_t reserved_port_type:udp_socket name_bind;
can_ypbind(spamd_t)
can_resolve(spamd_t)
allow spamd_t self:capability net_bind_service;

allow spamd_t proc_t:file { getattr read };

# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc.  Comment this if you are not
# using this ability.
allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };

allow spamd_t { bin_t sbin_t }:dir { getattr search };
can_exec(spamd_t, bin_t)

ifdef(`sendmail.te', `
allow spamd_t etc_mail_t:dir { getattr read search };
allow spamd_t etc_mail_t:file { getattr ioctl read };
')
allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };

ifdef(`amavis.te', `
# for bayes tokens
allow spamd_t var_lib_t:dir { getattr search };
rw_dir_create_file(spamd_t, amavisd_lib_t)
')

allow spamd_t usr_t:file { getattr ioctl read };
allow spamd_t usr_t:lnk_file { getattr read };
allow spamd_t urandom_device_t:chr_file { getattr read };

system_crond_entry(spamd_exec_t, spamd_t)
ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
add fc mls policy 2005-11-22 19:28:03 +00:00			`#DESC Spamd - Spamassassin daemon`
			`#`
			`# Author: Colin Walters <walters@debian.org>`
			`# X-Debian-Packages: spamassassin`
			`# Depends: spamassassin.te`
			`#`

			`daemon_domain(spamd)`

			`tmp_domain(spamd)`

			`general_domain_access(spamd_t)`
			`uses_shlib(spamd_t)`
			`read_sysctl(spamd_t)`

			`# Various Perl bits`
			`allow spamd_t lib_t:file rx_file_perms;`
			`dontaudit spamd_t shadow_t:file { getattr read };`
			`dontaudit spamd_t initrc_var_run_t:file { read write lock };`
			`dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };`

			`can_network_server(spamd_t)`
			`allow spamd_t spamd_port_t:tcp_socket name_bind;`
			`allow spamd_t port_type:udp_socket name_bind;`
			`dontaudit spamd_t reserved_port_type:udp_socket name_bind;`
			`can_ypbind(spamd_t)`
			`can_resolve(spamd_t)`
			`allow spamd_t self:capability net_bind_service;`

			`allow spamd_t proc_t:file { getattr read };`

			`# Spamassassin, when run as root and using per-user config files,`
			`# setuids to the user running spamc. Comment this if you are not`
			`# using this ability.`
			`allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };`

			`allow spamd_t { bin_t sbin_t }:dir { getattr search };`
			`can_exec(spamd_t, bin_t)`

			ifdef(`sendmail.te', `
			`allow spamd_t etc_mail_t:dir { getattr read search };`
			`allow spamd_t etc_mail_t:file { getattr ioctl read };`
			`')`
			`allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };`

			ifdef(`amavis.te', `
			`# for bayes tokens`
			`allow spamd_t var_lib_t:dir { getattr search };`
			`rw_dir_create_file(spamd_t, amavisd_lib_t)`
			`')`

			`allow spamd_t usr_t:file { getattr ioctl read };`
			`allow spamd_t usr_t:lnk_file { getattr read };`
			`allow spamd_t urandom_device_t:chr_file { getattr read };`

			`system_crond_entry(spamd_exec_t, spamd_t)`
			ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')