spamassassin.if 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406
  1. ## <summary>Filter used for removing unsolicited email.</summary>
  2. ########################################
  3. ## <summary>
  4. ## Role access for spamassassin.
  5. ## </summary>
  6. ## <param name="role">
  7. ## <summary>
  8. ## Role allowed access.
  9. ## </summary>
  10. ## </param>
  11. ## <param name="domain">
  12. ## <summary>
  13. ## User domain for the role.
  14. ## </summary>
  15. ## </param>
  16. #
  17. interface(`spamassassin_role',`
  18. gen_require(`
  19. type spamc_t, spamc_exec_t, spamc_tmp_t;
  20. type spamassassin_t, spamassassin_exec_t, spamd_home_t;
  21. type spamassassin_home_t, spamassassin_tmp_t;
  22. ')
  23. role $1 types { spamc_t spamassassin_t };
  24. domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
  25. domtrans_pattern($2, spamc_exec_t, spamc_t)
  26. allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
  27. ps_process_pattern($2, { spamc_t spamassassin_t })
  28. allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
  29. allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
  30. allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
  31. userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
  32. userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
  33. ')
  34. ########################################
  35. ## <summary>
  36. ## Execute the standalone spamassassin
  37. ## program in the caller directory.
  38. ## </summary>
  39. ## <param name="domain">
  40. ## <summary>
  41. ## Domain allowed access.
  42. ## </summary>
  43. ## </param>
  44. #
  45. interface(`spamassassin_exec',`
  46. gen_require(`
  47. type spamassassin_exec_t;
  48. ')
  49. corecmd_search_bin($1)
  50. can_exec($1, spamassassin_exec_t)
  51. ')
  52. ########################################
  53. ## <summary>
  54. ## Send generic signals to spamd.
  55. ## </summary>
  56. ## <param name="domain">
  57. ## <summary>
  58. ## Domain allowed access.
  59. ## </summary>
  60. ## </param>
  61. #
  62. interface(`spamassassin_signal_spamd',`
  63. gen_require(`
  64. type spamd_t;
  65. ')
  66. allow $1 spamd_t:process signal;
  67. ')
  68. ########################################
  69. ## <summary>
  70. ## Execute spamd in the caller domain.
  71. ## </summary>
  72. ## <param name="domain">
  73. ## <summary>
  74. ## Domain allowed access.
  75. ## </summary>
  76. ## </param>
  77. #
  78. interface(`spamassassin_exec_spamd',`
  79. gen_require(`
  80. type spamd_exec_t;
  81. ')
  82. corecmd_search_bin($1)
  83. can_exec($1, spamd_exec_t)
  84. ')
  85. ########################################
  86. ## <summary>
  87. ## Execute spamc in the spamc domain.
  88. ## </summary>
  89. ## <param name="domain">
  90. ## <summary>
  91. ## Domain allowed to transition.
  92. ## </summary>
  93. ## </param>
  94. #
  95. interface(`spamassassin_domtrans_client',`
  96. gen_require(`
  97. type spamc_t, spamc_exec_t;
  98. ')
  99. corecmd_search_bin($1)
  100. domtrans_pattern($1, spamc_exec_t, spamc_t)
  101. ')
  102. ########################################
  103. ## <summary>
  104. ## Execute spamc in the caller domain.
  105. ## </summary>
  106. ## <param name="domain">
  107. ## <summary>
  108. ## Domain allowed access.
  109. ## </summary>
  110. ## </param>
  111. #
  112. interface(`spamassassin_exec_client',`
  113. gen_require(`
  114. type spamc_exec_t;
  115. ')
  116. corecmd_search_bin($1)
  117. can_exec($1, spamc_exec_t)
  118. ')
  119. ########################################
  120. ## <summary>
  121. ## Send kill signals to spamc.
  122. ## </summary>
  123. ## <param name="domain">
  124. ## <summary>
  125. ## Domain allowed access.
  126. ## </summary>
  127. ## </param>
  128. #
  129. interface(`spamassassin_kill_client',`
  130. gen_require(`
  131. type spamc_t;
  132. ')
  133. allow $1 spamc_t:process sigkill;
  134. ')
  135. ########################################
  136. ## <summary>
  137. ## Execute spamassassin standalone client
  138. ## in the user spamassassin domain.
  139. ## </summary>
  140. ## <param name="domain">
  141. ## <summary>
  142. ## Domain allowed to transition.
  143. ## </summary>
  144. ## </param>
  145. #
  146. interface(`spamassassin_domtrans_local_client',`
  147. gen_require(`
  148. type spamassassin_t, spamassassin_exec_t;
  149. ')
  150. corecmd_search_bin($1)
  151. domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
  152. ')
  153. ########################################
  154. ## <summary>
  155. ## Create, read, write, and delete
  156. ## spamd home content.
  157. ## </summary>
  158. ## <param name="domain">
  159. ## <summary>
  160. ## Domain allowed access.
  161. ## </summary>
  162. ## </param>
  163. #
  164. interface(`spamassassin_manage_spamd_home_content',`
  165. gen_require(`
  166. type spamd_home_t;
  167. ')
  168. userdom_search_user_home_dirs($1)
  169. allow $1 spamd_home_t:dir manage_dir_perms;
  170. allow $1 spamd_home_t:file manage_file_perms;
  171. allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
  172. ')
  173. ########################################
  174. ## <summary>
  175. ## Relabel spamd home content.
  176. ## </summary>
  177. ## <param name="domain">
  178. ## <summary>
  179. ## Domain allowed access.
  180. ## </summary>
  181. ## </param>
  182. #
  183. interface(`spamassassin_relabel_spamd_home_content',`
  184. gen_require(`
  185. type spamd_home_t;
  186. ')
  187. userdom_search_user_home_dirs($1)
  188. allow $1 spamd_home_t:dir relabel_dir_perms;
  189. allow $1 spamd_home_t:file relabel_file_perms;
  190. allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
  191. ')
  192. ########################################
  193. ## <summary>
  194. ## Create objects in user home
  195. ## directories with the spamd home type.
  196. ## </summary>
  197. ## <param name="domain">
  198. ## <summary>
  199. ## Domain allowed access.
  200. ## </summary>
  201. ## </param>
  202. ## <param name="object_class">
  203. ## <summary>
  204. ## Class of the object being created.
  205. ## </summary>
  206. ## </param>
  207. ## <param name="name" optional="true">
  208. ## <summary>
  209. ## The name of the object being created.
  210. ## </summary>
  211. ## </param>
  212. #
  213. interface(`spamassassin_home_filetrans_spamd_home',`
  214. gen_require(`
  215. type spamd_home_t;
  216. ')
  217. userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
  218. ')
  219. ########################################
  220. ## <summary>
  221. ## Read spamd lib files.
  222. ## </summary>
  223. ## <param name="domain">
  224. ## <summary>
  225. ## Domain allowed access.
  226. ## </summary>
  227. ## </param>
  228. #
  229. interface(`spamassassin_read_lib_files',`
  230. gen_require(`
  231. type spamd_var_lib_t;
  232. ')
  233. files_search_var_lib($1)
  234. read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
  235. ')
  236. ########################################
  237. ## <summary>
  238. ## Create, read, write, and delete
  239. ## spamd lib files.
  240. ## </summary>
  241. ## <param name="domain">
  242. ## <summary>
  243. ## Domain allowed access.
  244. ## </summary>
  245. ## </param>
  246. #
  247. interface(`spamassassin_manage_lib_files',`
  248. gen_require(`
  249. type spamd_var_lib_t;
  250. ')
  251. files_search_var_lib($1)
  252. manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
  253. ')
  254. ########################################
  255. ## <summary>
  256. ## Read spamd pid files.
  257. ## </summary>
  258. ## <param name="domain">
  259. ## <summary>
  260. ## Domain allowed access.
  261. ## </summary>
  262. ## </param>
  263. #
  264. interface(`spamassassin_read_spamd_pid_files',`
  265. gen_require(`
  266. type spamd_var_run_t;
  267. ')
  268. files_search_pids($1)
  269. read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
  270. ')
  271. ########################################
  272. ## <summary>
  273. ## Read temporary spamd files.
  274. ## </summary>
  275. ## <param name="domain">
  276. ## <summary>
  277. ## Domain allowed access.
  278. ## </summary>
  279. ## </param>
  280. #
  281. interface(`spamassassin_read_spamd_tmp_files',`
  282. gen_require(`
  283. type spamd_tmp_t;
  284. ')
  285. allow $1 spamd_tmp_t:file read_file_perms;
  286. ')
  287. ########################################
  288. ## <summary>
  289. ## Do not audit attempts to get
  290. ## attributes of temporary spamd sockets.
  291. ## </summary>
  292. ## <param name="domain">
  293. ## <summary>
  294. ## Domain to not audit.
  295. ## </summary>
  296. ## </param>
  297. #
  298. interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
  299. gen_require(`
  300. type spamd_tmp_t;
  301. ')
  302. dontaudit $1 spamd_tmp_t:sock_file getattr;
  303. ')
  304. ########################################
  305. ## <summary>
  306. ## Connect to spamd with a unix
  307. ## domain stream socket.
  308. ## </summary>
  309. ## <param name="domain">
  310. ## <summary>
  311. ## Domain allowed access.
  312. ## </summary>
  313. ## </param>
  314. #
  315. interface(`spamassassin_stream_connect_spamd',`
  316. gen_require(`
  317. type spamd_t, spamd_var_run_t;
  318. ')
  319. files_search_pids($1)
  320. stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
  321. ')
  322. ########################################
  323. ## <summary>
  324. ## All of the rules required to
  325. ## administrate an spamassassin environment.
  326. ## </summary>
  327. ## <param name="domain">
  328. ## <summary>
  329. ## Domain allowed access.
  330. ## </summary>
  331. ## </param>
  332. ## <param name="role">
  333. ## <summary>
  334. ## Role allowed access.
  335. ## </summary>
  336. ## </param>
  337. ## <rolecap/>
  338. #
  339. interface(`spamassassin_admin',`
  340. gen_require(`
  341. type spamd_t, spamd_tmp_t, spamd_log_t;
  342. type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
  343. type spamd_initrc_exec_t;
  344. ')
  345. allow $1 spamd_t:process { ptrace signal_perms };
  346. ps_process_pattern($1, spamd_t)
  347. init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
  348. files_list_tmp($1)
  349. admin_pattern($1, spamd_tmp_t)
  350. logging_list_logs($1)
  351. admin_pattern($1, spamd_log_t)
  352. files_list_spool($1)
  353. admin_pattern($1, spamd_spool_t)
  354. files_list_var_lib($1)
  355. admin_pattern($1, spamd_var_lib_t)
  356. files_list_pids($1)
  357. admin_pattern($1, spamd_var_run_t)
  358. # This makes it impossible to apply _admin if _role has already been applied
  359. #spamassassin_role($2, $1)
  360. ')