## Filter used for removing unsolicited email. ######################################## ## ## Role access for spamassassin. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## # interface(`spamassassin_role',` gen_require(` type spamc_t, spamc_exec_t, spamc_tmp_t; type spamassassin_t, spamassassin_exec_t, spamd_home_t; type spamassassin_home_t, spamassassin_tmp_t; ') role $1 types { spamc_t spamassassin_t }; domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) domtrans_pattern($2, spamc_exec_t, spamc_t) allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms }; ps_process_pattern($2, { spamc_t spamassassin_t }) allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin") userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd") ') ######################################## ## ## Execute the standalone spamassassin ## program in the caller directory. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_exec',` gen_require(` type spamassassin_exec_t; ') corecmd_search_bin($1) can_exec($1, spamassassin_exec_t) ') ######################################## ## ## Send generic signals to spamd. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_signal_spamd',` gen_require(` type spamd_t; ') allow $1 spamd_t:process signal; ') ######################################## ## ## Execute spamd in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_exec_spamd',` gen_require(` type spamd_exec_t; ') corecmd_search_bin($1) can_exec($1, spamd_exec_t) ') ######################################## ## ## Execute spamc in the spamc domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`spamassassin_domtrans_client',` gen_require(` type spamc_t, spamc_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, spamc_exec_t, spamc_t) ') ######################################## ## ## Execute spamc in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_exec_client',` gen_require(` type spamc_exec_t; ') corecmd_search_bin($1) can_exec($1, spamc_exec_t) ') ######################################## ## ## Send kill signals to spamc. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_kill_client',` gen_require(` type spamc_t; ') allow $1 spamc_t:process sigkill; ') ######################################## ## ## Execute spamassassin standalone client ## in the user spamassassin domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`spamassassin_domtrans_local_client',` gen_require(` type spamassassin_t, spamassassin_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) ') ######################################## ## ## Create, read, write, and delete ## spamd home content. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_manage_spamd_home_content',` gen_require(` type spamd_home_t; ') userdom_search_user_home_dirs($1) allow $1 spamd_home_t:dir manage_dir_perms; allow $1 spamd_home_t:file manage_file_perms; allow $1 spamd_home_t:lnk_file manage_lnk_file_perms; ') ######################################## ## ## Relabel spamd home content. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_relabel_spamd_home_content',` gen_require(` type spamd_home_t; ') userdom_search_user_home_dirs($1) allow $1 spamd_home_t:dir relabel_dir_perms; allow $1 spamd_home_t:file relabel_file_perms; allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms; ') ######################################## ## ## Create objects in user home ## directories with the spamd home type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`spamassassin_home_filetrans_spamd_home',` gen_require(` type spamd_home_t; ') userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3) ') ######################################## ## ## Read spamd lib files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_lib_files',` gen_require(` type spamd_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') ######################################## ## ## Create, read, write, and delete ## spamd lib files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_manage_lib_files',` gen_require(` type spamd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') ######################################## ## ## Read spamd pid files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_spamd_pid_files',` gen_require(` type spamd_var_run_t; ') files_search_pids($1) read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) ') ######################################## ## ## Read temporary spamd files. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_read_spamd_tmp_files',` gen_require(` type spamd_tmp_t; ') allow $1 spamd_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to get ## attributes of temporary spamd sockets. ## ## ## ## Domain to not audit. ## ## # interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` gen_require(` type spamd_tmp_t; ') dontaudit $1 spamd_tmp_t:sock_file getattr; ') ######################################## ## ## Connect to spamd with a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`spamassassin_stream_connect_spamd',` gen_require(` type spamd_t, spamd_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ') ######################################## ## ## All of the rules required to ## administrate an spamassassin environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`spamassassin_admin',` gen_require(` type spamd_t, spamd_tmp_t, spamd_log_t; type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; type spamd_initrc_exec_t; ') allow $1 spamd_t:process { ptrace signal_perms }; ps_process_pattern($1, spamd_t) init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t) files_list_tmp($1) admin_pattern($1, spamd_tmp_t) logging_list_logs($1) admin_pattern($1, spamd_log_t) files_list_spool($1) admin_pattern($1, spamd_spool_t) files_list_var_lib($1) admin_pattern($1, spamd_var_lib_t) files_list_pids($1) admin_pattern($1, spamd_var_run_t) # This makes it impossible to apply _admin if _role has already been applied #spamassassin_role($2, $1) ')