selinux-refpolicy/policy/modules/services/exim.te
Dominick Grift 8340621920 Implement miscfiles_cert_type().
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00

204 lines
4.8 KiB
Plaintext

policy_module(exim, 1.5.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow exim to connect to databases (postgres, mysql)
## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
## <desc>
## <p>
## Allow exim to read unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_read_user_files, false)
## <desc>
## <p>
## Allow exim to create, read, write, and delete
## unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)
type exim_t;
type exim_exec_t;
init_daemon_domain(exim_t, exim_exec_t)
mta_mailserver(exim_t, exim_exec_t)
mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
files_type(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
type exim_var_run_t;
files_pid_file(exim_var_run_t)
########################################
#
# exim local policy
#
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
allow exim_t self:udp_socket create_socket_perms;
can_exec(exim_t, exim_exec_t)
manage_files_pattern(exim_t, exim_log_t, exim_log_t)
logging_log_filetrans(exim_t, exim_log_t, { file dir })
manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
kernel_dontaudit_read_system_state(exim_t)
corecmd_search_bin(exim_t)
corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
corenet_tcp_sendrecv_generic_node(exim_t)
corenet_udp_sendrecv_generic_node(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
corenet_tcp_bind_generic_node(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
corenet_tcp_connect_auth_port(exim_t)
corenet_tcp_connect_smtp_port(exim_t)
corenet_tcp_connect_ldap_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
# connect to spamassassin
corenet_tcp_connect_spamd_port(exim_t)
dev_read_rand(exim_t)
dev_read_urand(exim_t)
# Init script handling
domain_use_interactive_fds(exim_t)
files_search_usr(exim_t)
files_search_var(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)
fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)
auth_use_nsswitch(exim_t)
logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
mta_read_aliases(exim_t)
mta_read_config(exim_t)
mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)
tunable_policy(`exim_can_connect_db',`
corenet_tcp_connect_mysqld_port(exim_t)
corenet_sendrecv_mysqld_client_packets(exim_t)
corenet_tcp_connect_postgresql_port(exim_t)
corenet_sendrecv_postgresql_client_packets(exim_t)
')
tunable_policy(`exim_read_user_files',`
userdom_read_user_home_content_files(exim_t)
userdom_read_user_tmp_files(exim_t)
')
tunable_policy(`exim_manage_user_files',`
userdom_manage_user_home_content_dirs(exim_t)
userdom_read_user_tmp_files(exim_t)
userdom_write_user_tmp_files(exim_t)
')
optional_policy(`
clamav_domtrans_clamscan(exim_t)
clamav_stream_connect(exim_t)
')
optional_policy(`
cron_read_pipes(exim_t)
cron_rw_system_job_pipes(exim_t)
')
optional_policy(`
cyrus_stream_connect(exim_t)
')
optional_policy(`
kerberos_keytab_template(exim, exim_t)
')
optional_policy(`
mailman_read_data_files(exim_t)
mailman_domtrans(exim_t)
')
optional_policy(`
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
')
optional_policy(`
tunable_policy(`exim_can_connect_db',`
postgresql_stream_connect(exim_t)
')
')
optional_policy(`
procmail_domtrans(exim_t)
')
optional_policy(`
sasl_connect(exim_t)
')
optional_policy(`
# https://bugzilla.redhat.com/show_bug.cgi?id=512710
# uses sendmail for outgoing mail and exim
# for incoming mail
sendmail_manage_tmp_files(exim_t)
')
optional_policy(`
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')