selinux-refpolicy/policy/modules/services/mailman.te

111 lines
2.7 KiB
Plaintext
Raw Normal View History

2005-10-11 15:36:53 +00:00
policy_module(mailman, 1.6.2)
2005-10-11 15:36:53 +00:00
########################################
#
# Declarations
#
mailman_domain_template(cgi)
type mailman_data_t;
files_type(mailman_data_t)
type mailman_archive_t;
files_type(mailman_archive_t)
type mailman_log_t;
logging_log_file(mailman_log_t)
type mailman_lock_t;
files_lock_file(mailman_lock_t)
mailman_domain_template(mail)
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
2005-10-11 15:36:53 +00:00
mailman_domain_template(queue)
########################################
#
# Mailman CGI local policy
#
# cjp: the template invocation for cgi should be
2005-10-11 15:36:53 +00:00
# in the below optional policy; however, there are no
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.
optional_policy(`
dev_read_urand(mailman_cgi_t)
manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
2005-10-11 15:36:53 +00:00
files_search_spool(mailman_cgi_t)
2005-10-11 15:36:53 +00:00
term_use_controlling_term(mailman_cgi_t)
# for python pre-compile foolishness
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
2005-10-11 15:36:53 +00:00
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
2005-10-11 15:36:53 +00:00
apache_dontaudit_append_log(mailman_cgi_t)
2005-11-29 21:27:15 +00:00
apache_search_sys_script_state(mailman_cgi_t)
optional_policy(`
nscd_socket_use(mailman_cgi_t)
')
2005-10-11 15:36:53 +00:00
')
########################################
#
# Mailman mail local policy
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
2006-02-02 21:08:12 +00:00
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
2005-10-11 15:36:53 +00:00
ifdef(`TODO',`
optional_policy(`
2005-10-11 15:36:53 +00:00
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
')
')
########################################
#
# Mailman queue local policy
#
allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process signal;
2006-12-12 20:08:08 +00:00
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
2005-10-11 15:36:53 +00:00
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
2005-10-11 15:36:53 +00:00
kernel_read_proc_symlinks(mailman_queue_t)
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
# for su
seutil_dontaudit_search_config(mailman_queue_t)
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
2008-11-05 16:10:46 +00:00
userdom_search_user_home_dirs(mailman_queue_t)
su_exec(mailman_queue_t)
2005-10-11 15:36:53 +00:00
optional_policy(`
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
2005-10-11 15:36:53 +00:00
')