|
@@ -1,566 +0,0 @@
|
|
|
-policy_module(spamassassin, 2.9.9)
|
|
|
-
|
|
|
-require {
|
|
|
- type etc_mail_t;
|
|
|
-}
|
|
|
-
|
|
|
-########################################
|
|
|
-#
|
|
|
-# Declarations
|
|
|
-#
|
|
|
-
|
|
|
-## <desc>
|
|
|
-## <p>
|
|
|
-## Determine whether spamassassin
|
|
|
-## clients can use the network.
|
|
|
-## </p>
|
|
|
-## </desc>
|
|
|
-gen_tunable(spamassassin_can_network, false)
|
|
|
-
|
|
|
-## <desc>
|
|
|
-## <p>
|
|
|
-## Determine whether spamd can manage
|
|
|
-## generic user home content.
|
|
|
-## </p>
|
|
|
-## </desc>
|
|
|
-gen_tunable(spamd_enable_home_dirs, false)
|
|
|
-
|
|
|
-type spamd_update_t;
|
|
|
-type spamd_update_exec_t;
|
|
|
-init_system_domain(spamd_update_t, spamd_update_exec_t)
|
|
|
-
|
|
|
-type spamassassin_t;
|
|
|
-type spamassassin_exec_t;
|
|
|
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
|
|
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
|
|
-userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
|
|
|
-
|
|
|
-type spamassassin_home_t;
|
|
|
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
|
|
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
|
|
-userdom_user_home_content(spamassassin_home_t)
|
|
|
-
|
|
|
-type spamassassin_tmp_t;
|
|
|
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
|
|
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
|
|
-userdom_user_tmp_file(spamassassin_tmp_t)
|
|
|
-
|
|
|
-type spamc_t;
|
|
|
-type spamc_exec_t;
|
|
|
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
|
|
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
|
|
-userdom_user_application_domain(spamc_t, spamc_exec_t)
|
|
|
-role system_r types spamc_t;
|
|
|
-
|
|
|
-type spamc_tmp_t;
|
|
|
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
|
|
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
|
|
-userdom_user_tmp_file(spamc_tmp_t)
|
|
|
-
|
|
|
-type spamd_t;
|
|
|
-type spamd_exec_t;
|
|
|
-init_daemon_domain(spamd_t, spamd_exec_t)
|
|
|
-
|
|
|
-type spamd_compiled_t;
|
|
|
-files_type(spamd_compiled_t)
|
|
|
-
|
|
|
-type spamd_etc_t;
|
|
|
-files_config_file(spamd_etc_t)
|
|
|
-
|
|
|
-type spamd_home_t;
|
|
|
-userdom_user_home_content(spamd_home_t)
|
|
|
-
|
|
|
-type spamd_initrc_exec_t;
|
|
|
-init_script_file(spamd_initrc_exec_t)
|
|
|
-
|
|
|
-type spamd_log_t;
|
|
|
-logging_log_file(spamd_log_t)
|
|
|
-
|
|
|
-type spamd_spool_t;
|
|
|
-files_type(spamd_spool_t)
|
|
|
-
|
|
|
-type spamd_tmp_t;
|
|
|
-files_tmp_file(spamd_tmp_t)
|
|
|
-
|
|
|
-type spamd_var_lib_t;
|
|
|
-files_type(spamd_var_lib_t)
|
|
|
-
|
|
|
-type spamd_var_run_t;
|
|
|
-files_pid_file(spamd_var_run_t)
|
|
|
-
|
|
|
-type spamd_unit_t;
|
|
|
-init_unit_file(spamd_unit_t)
|
|
|
-
|
|
|
-########################################
|
|
|
-#
|
|
|
-# Standalone local policy
|
|
|
-#
|
|
|
-
|
|
|
-allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
|
-allow spamassassin_t self:fd use;
|
|
|
-allow spamassassin_t self:fifo_file rw_fifo_file_perms;
|
|
|
-allow spamassassin_t self:unix_dgram_socket sendto;
|
|
|
-allow spamassassin_t self:unix_stream_socket { accept connectto listen };
|
|
|
-
|
|
|
-manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
|
|
|
-
|
|
|
-manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
|
|
|
-manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
|
|
|
-files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
|
|
|
-
|
|
|
-kernel_read_kernel_sysctls(spamassassin_t)
|
|
|
-
|
|
|
-dev_read_urand(spamassassin_t)
|
|
|
-
|
|
|
-fs_getattr_all_fs(spamassassin_t)
|
|
|
-fs_search_auto_mountpoints(spamassassin_t)
|
|
|
-
|
|
|
-domain_use_interactive_fds(spamassassin_t)
|
|
|
-
|
|
|
-files_read_etc_files(spamassassin_t)
|
|
|
-files_read_etc_runtime_files(spamassassin_t)
|
|
|
-files_list_home(spamassassin_t)
|
|
|
-files_read_usr_files(spamassassin_t)
|
|
|
-files_dontaudit_search_var(spamassassin_t)
|
|
|
-
|
|
|
-logging_send_syslog_msg(spamassassin_t)
|
|
|
-
|
|
|
-miscfiles_read_localization(spamassassin_t)
|
|
|
-
|
|
|
-sysnet_dns_name_resolve(spamassassin_t)
|
|
|
-
|
|
|
-tunable_policy(`spamassassin_can_network',`
|
|
|
- allow spamassassin_t self:tcp_socket { accept listen };
|
|
|
-
|
|
|
- corenet_all_recvfrom_unlabeled(spamassassin_t)
|
|
|
- corenet_all_recvfrom_netlabel(spamassassin_t)
|
|
|
- corenet_tcp_sendrecv_generic_if(spamassassin_t)
|
|
|
- corenet_tcp_sendrecv_generic_node(spamassassin_t)
|
|
|
- corenet_tcp_sendrecv_all_ports(spamassassin_t)
|
|
|
-
|
|
|
- corenet_tcp_connect_all_ports(spamassassin_t)
|
|
|
- corenet_sendrecv_all_client_packets(spamassassin_t)
|
|
|
-')
|
|
|
-
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
|
- fs_manage_nfs_dirs(spamassassin_t)
|
|
|
- fs_manage_nfs_files(spamassassin_t)
|
|
|
- fs_manage_nfs_symlinks(spamassassin_t)
|
|
|
-')
|
|
|
-
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
|
- fs_manage_cifs_dirs(spamassassin_t)
|
|
|
- fs_manage_cifs_files(spamassassin_t)
|
|
|
- fs_manage_cifs_symlinks(spamassassin_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
|
|
|
- nis_use_ypbind_uncond(spamassassin_t)
|
|
|
- ')
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- mta_read_config(spamassassin_t)
|
|
|
- sendmail_stub(spamassassin_t)
|
|
|
-')
|
|
|
-
|
|
|
-########################################
|
|
|
-#
|
|
|
-# Client local policy
|
|
|
-#
|
|
|
-
|
|
|
-allow spamc_t self:capability dac_override;
|
|
|
-allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
|
-allow spamc_t self:fd use;
|
|
|
-allow spamc_t self:fifo_file rw_fifo_file_perms;
|
|
|
-allow spamc_t self:unix_dgram_socket sendto;
|
|
|
-allow spamc_t self:unix_stream_socket { accept connectto listen };
|
|
|
-allow spamc_t self:tcp_socket { accept listen };
|
|
|
-allow spamc_t node_t:udp_socket node_bind;
|
|
|
-
|
|
|
-manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
|
|
|
-manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
|
|
|
-files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
|
|
|
-
|
|
|
-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")
|
|
|
-
|
|
|
-list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-list_dirs_pattern(spamc_t, spamd_etc_t, spamd_etc_t)
|
|
|
-read_files_pattern(spamc_t, spamd_etc_t, spamd_etc_t)
|
|
|
-
|
|
|
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
|
|
|
-
|
|
|
-kernel_read_kernel_sysctls(spamc_t)
|
|
|
-kernel_read_system_state(spamc_t)
|
|
|
-
|
|
|
-corenet_all_recvfrom_unlabeled(spamc_t)
|
|
|
-corenet_all_recvfrom_netlabel(spamc_t)
|
|
|
-corenet_tcp_sendrecv_generic_if(spamc_t)
|
|
|
-corenet_tcp_sendrecv_generic_node(spamc_t)
|
|
|
-corenet_tcp_sendrecv_all_ports(spamc_t)
|
|
|
-
|
|
|
-corenet_sendrecv_all_client_packets(spamc_t)
|
|
|
-corenet_tcp_connect_all_ports(spamc_t)
|
|
|
-
|
|
|
-corecmd_exec_bin(spamc_t)
|
|
|
-
|
|
|
-domain_use_interactive_fds(spamc_t)
|
|
|
-
|
|
|
-fs_getattr_all_fs(spamc_t)
|
|
|
-fs_search_auto_mountpoints(spamc_t)
|
|
|
-
|
|
|
-files_read_etc_runtime_files(spamc_t)
|
|
|
-files_read_usr_files(spamc_t)
|
|
|
-files_dontaudit_search_var(spamc_t)
|
|
|
-files_list_home(spamc_t)
|
|
|
-files_list_var_lib(spamc_t)
|
|
|
-
|
|
|
-auth_use_nsswitch(spamc_t)
|
|
|
-
|
|
|
-logging_send_syslog_msg(spamc_t)
|
|
|
-
|
|
|
-miscfiles_read_localization(spamc_t)
|
|
|
-
|
|
|
-dovecot_domtrans_deliver(spamc_t)
|
|
|
-
|
|
|
-search_dirs_pattern(spamc_t, etc_mail_t, etc_mail_t)
|
|
|
-search_dirs_pattern(spamc_t, spamd_etc_t, spamd_etc_t)
|
|
|
-
|
|
|
-mysql_stream_connect(spamc_t)
|
|
|
-
|
|
|
-auth_read_shadow(spamc_t)
|
|
|
-corecmd_exec_shell(spamc_t)
|
|
|
-
|
|
|
-dev_read_urand(spamc_t)
|
|
|
-
|
|
|
-userdom_use_inherited_user_terminals(spamc_t)
|
|
|
-userdom_read_user_tmp_files(spamc_t)
|
|
|
-
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
|
- fs_manage_nfs_dirs(spamc_t)
|
|
|
- fs_manage_nfs_files(spamc_t)
|
|
|
- fs_manage_nfs_symlinks(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
|
- fs_manage_cifs_dirs(spamc_t)
|
|
|
- fs_manage_cifs_files(spamc_t)
|
|
|
- fs_manage_cifs_symlinks(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- abrt_stream_connect(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- amavis_manage_spool_files(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- evolution_stream_connect(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- milter_manage_spamass_state(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- mta_send_mail(spamc_t)
|
|
|
- mta_read_config(spamc_t)
|
|
|
- mta_read_queue(spamc_t)
|
|
|
- sendmail_rw_pipes(spamc_t)
|
|
|
- sendmail_stub(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- postfix_domtrans_postdrop(spamc_t)
|
|
|
- postfix_search_spool(spamc_t)
|
|
|
- postfix_rw_local_pipes(spamc_t)
|
|
|
- postfix_rw_inherited_master_pipes(spamc_t)
|
|
|
-')
|
|
|
-
|
|
|
-########################################
|
|
|
-#
|
|
|
-# Daemon local policy
|
|
|
-#
|
|
|
-
|
|
|
-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
|
|
|
-dontaudit spamd_t self:capability sys_tty_config;
|
|
|
-allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
|
-allow spamd_t self:fd use;
|
|
|
-allow spamd_t self:fifo_file rw_fifo_file_perms;
|
|
|
-allow spamd_t self:unix_dgram_socket sendto;
|
|
|
-allow spamd_t self:unix_stream_socket { accept connectto listen };
|
|
|
-allow spamd_t self:tcp_socket { accept listen };
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
|
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
|
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
|
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
|
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
|
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
|
-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
|
|
|
-manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
|
|
|
-
|
|
|
-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
|
-logging_log_filetrans(spamd_t, spamd_log_t, file)
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
|
|
|
-manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
|
|
|
-manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
|
|
|
-files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
|
|
-manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
|
|
-files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
|
|
|
-
|
|
|
-allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
|
|
-manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
|
|
-manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
|
|
-manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
|
|
-files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
|
|
|
-
|
|
|
-list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
|
|
|
-read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
|
|
|
-
|
|
|
-search_dirs_pattern(spamd_t, etc_mail_t, etc_mail_t)
|
|
|
-
|
|
|
-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
|
|
|
-
|
|
|
-kernel_read_all_sysctls(spamd_t)
|
|
|
-kernel_read_system_state(spamd_t)
|
|
|
-
|
|
|
-corecmd_exec_shell(spamd_t)
|
|
|
-
|
|
|
-corenet_all_recvfrom_unlabeled(spamd_t)
|
|
|
-corenet_all_recvfrom_netlabel(spamd_t)
|
|
|
-corenet_tcp_sendrecv_generic_if(spamd_t)
|
|
|
-corenet_udp_sendrecv_generic_if(spamd_t)
|
|
|
-corenet_tcp_sendrecv_generic_node(spamd_t)
|
|
|
-corenet_udp_sendrecv_generic_node(spamd_t)
|
|
|
-corenet_tcp_sendrecv_all_ports(spamd_t)
|
|
|
-corenet_udp_sendrecv_all_ports(spamd_t)
|
|
|
-corenet_tcp_bind_generic_node(spamd_t)
|
|
|
-corenet_udp_bind_generic_node(spamd_t)
|
|
|
-
|
|
|
-corenet_sendrecv_spamd_server_packets(spamd_t)
|
|
|
-corenet_tcp_bind_spamd_port(spamd_t)
|
|
|
-
|
|
|
-corenet_sendrecv_razor_client_packets(spamd_t)
|
|
|
-corenet_tcp_connect_razor_port(spamd_t)
|
|
|
-
|
|
|
-corenet_sendrecv_smtp_client_packets(spamd_t)
|
|
|
-corenet_tcp_connect_smtp_port(spamd_t)
|
|
|
-
|
|
|
-corenet_sendrecv_generic_server_packets(spamd_t)
|
|
|
-corenet_udp_bind_generic_port(spamd_t)
|
|
|
-
|
|
|
-corenet_sendrecv_imaze_server_packets(spamd_t)
|
|
|
-corenet_udp_bind_imaze_port(spamd_t)
|
|
|
-
|
|
|
-corenet_dontaudit_udp_bind_all_ports(spamd_t)
|
|
|
-
|
|
|
-corecmd_exec_bin(spamd_t)
|
|
|
-
|
|
|
-dev_read_sysfs(spamd_t)
|
|
|
-dev_read_urand(spamd_t)
|
|
|
-
|
|
|
-domain_use_interactive_fds(spamd_t)
|
|
|
-
|
|
|
-files_read_usr_files(spamd_t)
|
|
|
-files_read_etc_runtime_files(spamd_t)
|
|
|
-files_read_etc_files(spamd_t)
|
|
|
-
|
|
|
-fs_getattr_all_fs(spamd_t)
|
|
|
-fs_search_auto_mountpoints(spamd_t)
|
|
|
-
|
|
|
-auth_use_nsswitch(spamd_t)
|
|
|
-auth_dontaudit_read_shadow(spamd_t)
|
|
|
-
|
|
|
-init_dontaudit_rw_utmp(spamd_t)
|
|
|
-
|
|
|
-libs_use_ld_so(spamd_t)
|
|
|
-libs_use_shared_libs(spamd_t)
|
|
|
-
|
|
|
-logging_send_syslog_msg(spamd_t)
|
|
|
-
|
|
|
-miscfiles_read_localization(spamd_t)
|
|
|
-
|
|
|
-sysnet_use_ldap(spamd_t)
|
|
|
-
|
|
|
-userdom_use_unpriv_users_fds(spamd_t)
|
|
|
-
|
|
|
-tunable_policy(`spamd_enable_home_dirs',`
|
|
|
- userdom_manage_user_home_content_dirs(spamd_t)
|
|
|
- userdom_manage_user_home_content_files(spamd_t)
|
|
|
- userdom_manage_user_home_content_symlinks(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
|
- fs_manage_nfs_dirs(spamd_t)
|
|
|
- fs_manage_nfs_files(spamd_t)
|
|
|
- fs_manage_nfs_symlinks(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
|
- fs_manage_cifs_dirs(spamd_t)
|
|
|
- fs_manage_cifs_files(spamd_t)
|
|
|
- fs_manage_cifs_symlinks(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- amavis_manage_lib_files(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- clamav_stream_connect(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- cron_system_entry(spamd_t, spamd_exec_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- daemontools_service_domain(spamd_t, spamd_exec_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- dcc_domtrans_cdcc(spamd_t)
|
|
|
- dcc_domtrans_client(spamd_t)
|
|
|
- dcc_signal_client(spamd_t)
|
|
|
- dcc_stream_connect_dccifd(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- exim_manage_spool_dirs(spamd_t)
|
|
|
- exim_manage_spool_files(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- milter_manage_spamass_state(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- mysql_stream_connect(spamd_t)
|
|
|
- mysql_tcp_connect(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- postfix_read_config(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- postgresql_stream_connect(spamd_t)
|
|
|
- postgresql_tcp_connect(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- pyzor_domtrans(spamd_t)
|
|
|
- pyzor_signal(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- razor_domtrans(spamd_t)
|
|
|
- razor_read_lib_files(spamd_t)
|
|
|
- razor_manage_home_content(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- seutil_sigchld_newrole(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- sendmail_stub(spamd_t)
|
|
|
- mta_read_config(spamd_t)
|
|
|
- mta_send_mail(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- udev_read_db(spamd_t)
|
|
|
-')
|
|
|
-
|
|
|
-########################################
|
|
|
-#
|
|
|
-# Update local policy
|
|
|
-#
|
|
|
-
|
|
|
-allow spamd_update_t self:capability dac_override;
|
|
|
-allow spamd_update_t self:fifo_file manage_fifo_file_perms;
|
|
|
-allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
|
|
|
-manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
|
|
|
-files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
|
|
|
-
|
|
|
-manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
-
|
|
|
-kernel_read_system_state(spamd_update_t)
|
|
|
-
|
|
|
-corenet_all_recvfrom_unlabeled(spamd_update_t)
|
|
|
-corenet_all_recvfrom_netlabel(spamd_update_t)
|
|
|
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
|
|
|
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
|
|
|
-corenet_tcp_sendrecv_all_ports(spamd_update_t)
|
|
|
-
|
|
|
-corenet_sendrecv_http_client_packets(spamd_update_t)
|
|
|
-corenet_tcp_connect_http_port(spamd_update_t)
|
|
|
-corenet_tcp_sendrecv_http_port(spamd_update_t)
|
|
|
-
|
|
|
-corecmd_exec_bin(spamd_update_t)
|
|
|
-corecmd_exec_shell(spamd_update_t)
|
|
|
-
|
|
|
-dev_read_urand(spamd_update_t)
|
|
|
-
|
|
|
-domain_use_interactive_fds(spamd_update_t)
|
|
|
-
|
|
|
-files_read_usr_files(spamd_update_t)
|
|
|
-
|
|
|
-auth_use_nsswitch(spamd_update_t)
|
|
|
-auth_dontaudit_read_shadow(spamd_update_t)
|
|
|
-
|
|
|
-miscfiles_read_localization(spamd_update_t)
|
|
|
-
|
|
|
-userdom_use_user_terminals(spamd_update_t)
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- cron_system_entry(spamd_update_t, spamd_update_exec_t)
|
|
|
-')
|
|
|
-
|
|
|
-# probably want a solution same as httpd_use_gpg since this will
|
|
|
-# give spamd_update a path to users gpg keys
|
|
|
-# optional_policy(`
|
|
|
-# gpg_domtrans(spamd_update_t)
|
|
|
-# ')
|
|
|
-
|
|
|
-optional_policy(`
|
|
|
- mta_read_config(spamd_update_t)
|
|
|
-')
|