## Filter used for removing unsolicited email. ######################################## ## ## Role access for spamassassin. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## # interface(`spamassassin_role',` gen_require(` type spamc_t, spamc_exec_t, spamc_tmp_t; type spamassassin_t, spamassassin_exec_t, spamd_home_t; type spamassassin_home_t, spamassassin_tmp_t; ') role $1 types { spamc_t spamassassin_t }; domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) domtrans_pattern($2, spamc_exec_t, spamc_t) admin_process_pattern($2, { spamc_t spamassassin_t }) allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin") userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd") ') ######################################## ## ## Execute sa-update in the spamd-update domain, ## and allow the specified role ## the spamd-update domain. Also allow transitive ## access to the private gpg domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## # interface(`spamassassin_run_update',` gen_require(` type spamd_gpg_t, spamd_update_exec_t, spamd_update_t; ') role $2 types { spamd_gpg_t spamd_update_t }; domtrans_pattern($1, spamd_update_exec_t, spamd_update_t) ') ######################################## ## ## Execute the standalone spamassassin ## program in the caller directory. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_exec',` gen_require(` type spamassassin_exec_t; ') corecmd_search_bin($1) can_exec($1, spamassassin_exec_t) ') ######################################## ## ## Send generic signals to spamd. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_signal_spamd',` gen_require(` type spamd_t; ') allow $1 spamd_t:process signal; ') ######################################## ## ## reload SA service ## ## ## ## Domain allowed access. ## ## ## # interface(`spamassassin_reload',` gen_require(` type spamassassin_unit_t; class service reload; ') allow $1 spamassassin_unit_t:service reload; ') ######################################## ## ## Get SA service status ## ## ## ## Domain allowed access. ## ## ## # interface(`spamassassin_status',` gen_require(` type spamassassin_unit_t; class service status; ') allow $1 spamassassin_unit_t:service status; ') ######################################## ## ## Execute spamd in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_exec_spamd',` gen_require(` type spamd_exec_t; ') corecmd_search_bin($1) can_exec($1, spamd_exec_t) ') ######################################## ## ## Execute spamc in the spamc domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`spamassassin_domtrans_client',` gen_require(` type spamc_t, spamc_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, spamc_exec_t, spamc_t) ') ######################################## ## ## Execute spamc in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_exec_client',` gen_require(` type spamc_exec_t; ') corecmd_search_bin($1) can_exec($1, spamc_exec_t) ') ######################################## ## ## Send kill signals to spamc. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_kill_client',` gen_require(` type spamc_t; ') allow $1 spamc_t:process sigkill; ') ######################################## ## ## Execute spamassassin standalone client ## in the user spamassassin domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`spamassassin_domtrans_local_client',` gen_require(` type spamassassin_t, spamassassin_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) ') ######################################## ## ## Create, read, write, and delete ## spamd home content. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_manage_spamd_home_content',` gen_require(` type spamd_home_t; ') userdom_search_user_home_dirs($1) allow $1 spamd_home_t:dir manage_dir_perms; allow $1 spamd_home_t:file manage_file_perms; allow $1 spamd_home_t:lnk_file manage_lnk_file_perms; ') ######################################## ## ## Relabel spamd home content. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_relabel_spamd_home_content',` gen_require(` type spamd_home_t; ') userdom_search_user_home_dirs($1) allow $1 spamd_home_t:dir relabel_dir_perms; allow $1 spamd_home_t:file relabel_file_perms; allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms; ') ######################################## ## ## Create objects in user home ## directories with the spamd home type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`spamassassin_home_filetrans_spamd_home',` gen_require(` type spamd_home_t; ') userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3) ') ######################################## ## ## Read spamd lib files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_lib_files',` gen_require(` type spamd_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') ######################################## ## ## Create, read, write, and delete ## spamd lib files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_manage_lib_files',` gen_require(` type spamd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') ######################################## ## ## Read spamd pid files. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_spamd_pid_files',` refpolicywarn(`$0($*) has been deprecated, please use spamassassin_read_spamd_runtime_files() instead.') spamassassin_read_spamd_runtime_files($1) ') ######################################## ## ## Read spamd runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_spamd_runtime_files',` gen_require(` type spamd_runtime_t; ') files_search_pids($1) read_files_pattern($1, spamd_runtime_t, spamd_runtime_t) ') ######################################## ## ## Read temporary spamd files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_spamd_tmp_files',` gen_require(` type spamd_tmp_t; ') allow $1 spamd_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to get ## attributes of temporary spamd sockets. ## ## ## ## Domain to not audit. ## ## # interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` gen_require(` type spamd_tmp_t; ') dontaudit $1 spamd_tmp_t:sock_file getattr; ') ######################################## ## ## Connect to spamd with a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_stream_connect_spamd',` gen_require(` type spamd_t, spamd_runtime_t; ') files_search_pids($1) stream_connect_pattern($1, spamd_runtime_t, spamd_runtime_t, spamd_t) ') ######################################## ## ## All of the rules required to ## administrate an spamassassin environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`spamassassin_admin',` gen_require(` type spamd_t, spamd_tmp_t, spamd_log_t; type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t; type spamd_initrc_exec_t, spamassassin_unit_t; type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t; ') admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t }) init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t) files_list_tmp($1) admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t }) logging_list_logs($1) admin_pattern($1, spamd_log_t) files_list_spool($1) admin_pattern($1, spamd_spool_t) files_list_var_lib($1) admin_pattern($1, spamd_var_lib_t) files_list_pids($1) admin_pattern($1, spamd_runtime_t) # This makes it impossible to apply _admin if _role has already been applied #spamassassin_role($2, $1) # sa-update spamassassin_run_update($1, $2) ')