selinux-refpolicy/mls/macros/program/exim_macros.te


#DESC Exim - Mail server
#
# Author: David Hampton <hampton@employees.org>
# From postfix.te by Russell Coker <russell@coker.com.au>
# Depends: mta.te
#
##########
# Permissions common to the exim daemon, and exim invoked by a user to
# send a file
##########
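define(`exim_common',`
# exim_common(domain_prefix)
#   The argument is a domain prefix; every rule below is granted to
#   <prefix>_t.  Expanded for the daemon domain and again for each
#   user domain (see exim_user_domain), so nothing here is daemon-only.
#
# Networking - All instances need to talk to other mail hosts and
# amavisd
# NOTE(review): the general TCP macro below grants more than the
# outbound SMTP connect that follows it; the client-only form that is
# commented out looks narrower.  Confirm whether the user instances
# need anything beyond outbound SMTP.
can_network_tcp($1_t);
allow $1_t smtp_port_t:tcp_socket name_connect;
## can_network_client_tcp($1_t, smtp_port_t);
## ifdef(`amavis.te', `
## can_network_client_tcp($1_t, amavisd_recv_port_t);
## allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };
## ')
can_resolve($1_t);
# Exim forks children to do its work.
general_domain_access($1_t)
# Certs and SSL
r_dir_file($1_t, cert_t)
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
general_proc_read_access($1_t)
read_locale($1_t)
allow $1_t etc_t:file { getattr read };
allow $1_t sbin_t:dir search;
allow $1_t tmp_t:dir getattr;
allow $1_t self:fifo_file { read write };
can_exec($1_t, exim_exec_t)
# dac_override bypasses DAC permission checks on every file the domain
# can otherwise reach; together with chown/fowner/setuid/setgid it is
# presumably needed for delivery into mailboxes owned by other users.
# TODO(review): confirm each capability is still exercised.
allow $1_t self:capability { chown fowner dac_override setgid setuid };
allow $1_t self:process setrlimit;
# Have to walk through /var/xxx to get to /var/xxx/exim
allow $1_t var_log_t:dir search;
allow $1_t var_spool_t:dir search;
# Exim creates a spool file per message
create_dir_file($1_t, exim_spool_t);
# It also creates a log file per message
create_dir_file($1_t, exim_log_t);
# The database is modified by every message
allow $1_t exim_spool_db_t:dir search;
allow $1_t exim_spool_db_t:file rw_file_perms;
# Checking the existence of mailman lists.  mailman_data_t is declared
# by mailman.te, which is not listed in the Depends: header above, so
# the rule is guarded the same way the amavis rules are; a policy
# built without mailman.te would otherwise fail on the unknown type.
ifdef(`mailman.te', `
allow $1_t mailman_data_t:file getattr;
')
# Trying to read mtab
dontaudit $1_t etc_runtime_t:file { getattr read };
')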
define(`exim_user_domain',`
########################################
# exim_user_domain(user_prefix)
# Declares a per-user exim domain, exim_<user>_t, which the user
# domain <user>_t enters when it executes exim_exec_t.  The common
# rule set is shared with the daemon through exim_common.
########################################
application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');
domain_auto_trans($1_t, exim_exec_t, exim_$1_t)
# Role plumbing: make the new domain reachable from the user role.
in_user_role(exim_$1_t)
role $1_r types exim_$1_t;
exim_common(exim_$1)
# Interaction with the invoking session: read the file being sent
# from the user tmp space, write to the user terminal, and keep using
# descriptors inherited from sshd (presumably an ssh login session).
allow exim_$1_t $1_tmp_t:file { getattr read };
allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;
allow exim_$1_t sshd_t:fd use;
')