add spamassassin
This commit is contained in:
Chris PeBenito
parent
385dcd4e70
commit
f932d8e3cb
|
|
@ -12,6 +12,7 @@
|
|||
networkmanager
|
||||
pegasus
|
||||
radius
|
||||
spamassassin
|
||||
xdm
|
||||
|
||||
* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
|
||||
|
|
|
|||
|
|
@ -101,6 +101,9 @@ gen_tunable(read_untrusted_content,false)
|
|||
## Allow ssh to run from inetd instead of as a daemon.
|
||||
gen_tunable(run_ssh_inetd,false)
|
||||
|
||||
## Allow user spamassassin clients to use the network.
|
||||
gen_tunable(spamassassin_can_network,false)
|
||||
|
||||
## Allow squid to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
gen_tunable(squid_connect_any,false)
|
||||
|
|
|
|||
|
|
@ -1,12 +1,11 @@
|
|||
|
||||
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
||||
|
||||
ifdef(`sendmail.te',`',`
|
||||
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
||||
/usr/sbin/sendmail(.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
')
|
||||
|
||||
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -329,6 +329,24 @@ interface(`mta_exec',`
|
|||
can_exec($1, sendmail_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read mail server configuration.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_read_config',`
|
||||
gen_require(`
|
||||
type etc_mail_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow spamd_t etc_mail_t:dir list_dir_perms;
|
||||
allow spamd_t etc_mail_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read mail address aliases.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
# sendmail file contexts
|
||||
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
||||
|
||||
/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
|
||||
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
|
||||
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
||||
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
|
||||
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
|
||||
')
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
## <summary>Filter used for removing unsolicited email.</summary>
|
||||
|
||||
# cjp: TODO: integrate old spamassassin_macros.te
|
||||
|
|
@ -0,0 +1,158 @@
|
|||
|
||||
policy_module(spamassassin,0.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# spamassassin client executable
|
||||
type spamc_exec_t;
|
||||
files_type(spamc_exec_t)
|
||||
|
||||
type spamd_t;
|
||||
type spamd_exec_t;
|
||||
init_daemon_domain(spamd_t,spamd_exec_t)
|
||||
|
||||
type spamd_tmp_t;
|
||||
files_tmp_file(spamd_tmp_t)
|
||||
|
||||
type spamd_var_run_t;
|
||||
files_pid_file(spamd_var_run_t)
|
||||
|
||||
type spamassassin_exec_t;
|
||||
files_type(spamassassin_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Spamassassin daemon local policy
|
||||
#
|
||||
|
||||
# Spamassassin, when run as root and using per-user config files,
|
||||
# setuids to the user running spamc. Comment this if you are not
|
||||
# using this ability.
|
||||
|
||||
allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
|
||||
dontaudit spamd_t self:capability sys_tty_config;
|
||||
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow spamd_t self:fd use;
|
||||
allow spamd_t self:fifo_file rw_file_perms;
|
||||
allow spamd_t self:shm create_shm_perms;
|
||||
allow spamd_t self:sem create_sem_perms;
|
||||
allow spamd_t self:msgq create_msgq_perms;
|
||||
allow spamd_t self:msg { send receive };
|
||||
allow spamd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow spamd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow spamd_t self:unix_dgram_socket sendto;
|
||||
allow spamd_t self:unix_stream_socket connectto;
|
||||
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow spamd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow spamd_t spamd_tmp_t:dir create_dir_perms;
|
||||
allow spamd_t spamd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(spamd_t, spamd_tmp_t, { file dir })
|
||||
|
||||
allow spamd_t spamd_var_run_t:file create_file_perms;
|
||||
allow spamd_t spamd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(spamd_t,spamd_var_run_t)
|
||||
|
||||
kernel_read_all_sysctl(spamd_t)
|
||||
kernel_read_system_state(spamd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(spamd_t)
|
||||
corenet_udp_sendrecv_all_if(spamd_t)
|
||||
corenet_raw_sendrecv_all_if(spamd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(spamd_t)
|
||||
corenet_udp_sendrecv_all_nodes(spamd_t)
|
||||
corenet_raw_sendrecv_all_nodes(spamd_t)
|
||||
corenet_tcp_bind_all_nodes(spamd_t)
|
||||
corenet_udp_bind_all_nodes(spamd_t)
|
||||
corenet_tcp_sendrecv_all_ports(spamd_t)
|
||||
corenet_tcp_bind_spamd_port(spamd_t)
|
||||
|
||||
dev_read_sysfs(spamd_t)
|
||||
dev_read_urand(spamd_t)
|
||||
|
||||
fs_getattr_all_fs(spamd_t)
|
||||
fs_search_auto_mountpoints(spamd_t)
|
||||
|
||||
term_dontaudit_use_console(spamd_t)
|
||||
|
||||
auth_dontaudit_read_shadow(spamd_t)
|
||||
|
||||
corecmd_exec_bin(spamd_t)
|
||||
corecmd_search_sbin(spamd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(spamd_t)
|
||||
|
||||
files_read_usr_files(spamd_t)
|
||||
files_read_etc_files(spamd_t)
|
||||
files_read_etc_runtime_files(spamd_t)
|
||||
|
||||
init_use_fd(spamd_t)
|
||||
init_use_script_pty(spamd_t)
|
||||
init_dontaudit_rw_script_pid(spamd_t)
|
||||
|
||||
libs_use_ld_so(spamd_t)
|
||||
libs_use_shared_libs(spamd_t)
|
||||
# Various Perl bits
|
||||
libs_use_lib(spamd_t)
|
||||
|
||||
logging_send_syslog_msg(spamd_t)
|
||||
|
||||
miscfiles_read_localization(spamd_t)
|
||||
|
||||
sysnet_read_config(spamd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(spamd_t)
|
||||
userdom_search_unpriv_user_home_dirs(spamd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(spamd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(spamd_t)
|
||||
term_dontaudit_use_generic_pty(spamd_t)
|
||||
files_dontaudit_read_root_file(spamd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(spamd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_system_entry(spamd_t,spamd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
sendmail_stub(spamd_t)
|
||||
mta_read_config(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(spamd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`amavis.te', `
|
||||
# for bayes tokens
|
||||
allow spamd_t var_lib_t:dir { getattr search };
|
||||
allow spamd_t amavisd_lib_t:dir rw_dir_perms;
|
||||
allow spamd_t amavisd_lib_t:file create_file_perms;
|
||||
allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
|
@ -195,6 +195,26 @@ interface(`libs_exec_lib_files',`
|
|||
can_exec($1,lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Load and execute functions from generic
|
||||
## lib files as shared libraries.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_use_lib',`
|
||||
gen_require(`
|
||||
type lib_t;
|
||||
')
|
||||
|
||||
files_list_usr($1)
|
||||
allow $1 lib_t:dir r_dir_perms;
|
||||
allow $1 lib_t:lnk_file r_file_perms;
|
||||
allow $1 lib_t:file rx_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel files to the type used in library directories.
|
||||
|
|
@ -223,9 +243,6 @@ interface(`libs_relabelto_lib_files',`
|
|||
interface(`libs_use_shared_libs',`
|
||||
gen_require(`
|
||||
type lib_t, shlib_t, texrel_shlib_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
class file { rx_file_perms execmod };
|
||||
')
|
||||
|
||||
files_list_usr($1)
|
||||
|
|
|
|||
|
|
@ -1799,7 +1799,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
|
|||
type sysadm_home_dir_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sysadm_home_dir_t:dir { getattr search };
|
||||
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -2223,7 +2223,8 @@ interface(`userdom_search_unpriv_user_home_dirs',`
|
|||
attribute user_home_dir_type;
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_type:dir search;
|
||||
files_search_home($1)
|
||||
allow $1 user_home_dir_type:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
Loading…
Reference in New Issue