summaryrefslogtreecommitdiff
path: root/policy/modules/services/mta.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/mta.te')
-rw-r--r--policy/modules/services/mta.te194
1 files changed, 194 insertions, 0 deletions
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
new file mode 100644
index 00000000..2e9d8a70
--- /dev/null
+++ b/policy/modules/services/mta.te
@@ -0,0 +1,194 @@
+
+policy_module(mta,1.3.7)
+
+########################################
+#
+# Declarations
+#
+
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
+attribute user_mail_domain;
+
+type etc_aliases_t;
+files_type(etc_aliases_t)
+
+type etc_mail_t;
+files_config_file(etc_mail_t)
+
+type mqueue_spool_t;
+files_type(mqueue_spool_t)
+
+type mail_spool_t;
+files_type(mail_spool_t)
+
+type sendmail_exec_t;
+files_type(sendmail_exec_t)
+
+mta_base_mail_template(system)
+role system_r types system_mail_t;
+
+# cjp: need to resolve this, but require{}
+# does not work in the else part of the optional
+#ifdef(`strict_policy',`
+# optional_policy(`',`
+# init_system_domain(system_mail_t,sendmail_exec_t)
+# ')
+#')
+
+########################################
+#
+# System mail local policy
+#
+
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override };
+
+allow system_mail_t etc_mail_t:dir { getattr search };
+allow system_mail_t etc_mail_t:file r_file_perms;
+
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
+
+init_use_script_ptys(system_mail_t)
+
+userdom_use_sysadm_terms(system_mail_t)
+
+ifdef(`targeted_policy',`
+ typealias system_mail_t alias sysadm_mail_t;
+
+ allow system_mail_t mail_spool_t:dir create_dir_perms;
+ allow system_mail_t mail_spool_t:file create_file_perms;
+ allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
+ allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+
+ allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+ allow system_mail_t mqueue_spool_t:file create_file_perms;
+ allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
+
+ # for reading .forward - maybe we need a new type for it?
+ # also for delivering mail to maildir
+ userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
+ userdom_manage_generic_user_home_content_files(mailserver_delivery)
+ userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
+ userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
+ userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
+
+# cjp: another require-in-else to resolve
+# optional_policy(`',`
+ corecmd_exec_all_executables(system_mail_t)
+
+ files_exec_etc_files(system_mail_t)
+
+ libs_exec_ld_so(system_mail_t)
+ libs_exec_lib_files(system_mail_t)
+# ')
+')
+
+optional_policy(`
+ apache_read_squirrelmail_data(system_mail_t)
+ apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_append_log(system_mail_t)
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+')
+
+optional_policy(`
+ cvs_read_data(system_mail_t)
+')
+
+optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ logwatch_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ allow system_mail_t etc_aliases_t:dir create_dir_perms;
+ allow system_mail_t etc_aliases_t:file create_file_perms;
+ allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
+ allow system_mail_t etc_aliases_t:sock_file create_file_perms;
+ allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
+ files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+
+ # postfix needs this for newaliases
+ files_getattr_tmp_dirs(system_mail_t)
+
+ postfix_exec_master(system_mail_t)
+ postfix_read_config(system_mail_t)
+ postfix_search_spool(system_mail_t)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
+ postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+
+ optional_policy(`
+ cron_rw_tcp_sockets(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+')
+
+optional_policy(`
+ sxid_read_log(system_mail_t)
+')
+
+optional_policy(`
+ userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
+
+ optional_policy(`
+ cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+')
+
+# should break this up among sections:
+
+optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
+ arpwatch_manage_tmp_files(mta_user_agent)
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+ ')
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+')
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 18:03:25 +0000