Hoshpak
/
gentoo-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553
							policy_module(spamassassin, 2.9.7)

require {
  type etc_mail_t;
}

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether spamassassin
##	clients can use the network.
##	</p>
## </desc>
gen_tunable(spamassassin_can_network, false)

## <desc>
##	<p>
##	Determine whether spamd can manage
##	generic user home content.
##	</p>
## </desc>
gen_tunable(spamd_enable_home_dirs, false)

type spamd_update_t;
type spamd_update_exec_t;
init_system_domain(spamd_update_t, spamd_update_exec_t)

type spamassassin_t;
type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)

type spamassassin_home_t;
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t)

type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
userdom_user_tmp_file(spamassassin_tmp_t)

type spamc_t;
type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
userdom_user_application_domain(spamc_t, spamc_exec_t)
role system_r types spamc_t;

type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
userdom_user_tmp_file(spamc_tmp_t)

type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t, spamd_exec_t)

type spamd_compiled_t;
files_type(spamd_compiled_t)

type spamd_etc_t;
files_config_file(spamd_etc_t)

type spamd_home_t;
userdom_user_home_content(spamd_home_t)

type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)

type spamd_log_t;
logging_log_file(spamd_log_t)

type spamd_spool_t;
files_type(spamd_spool_t)

type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)

type spamd_var_lib_t;
files_type(spamd_var_lib_t)

type spamd_var_run_t;
files_pid_file(spamd_var_run_t)

type spamd_unit_t;
init_unit_file(spamd_unit_t)

########################################
#
# Standalone local policy
#

allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamassassin_t self:fd use;
allow spamassassin_t self:fifo_file rw_fifo_file_perms;
allow spamassassin_t self:unix_dgram_socket sendto;
allow spamassassin_t self:unix_stream_socket { accept connectto listen };

manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")

manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })

kernel_read_kernel_sysctls(spamassassin_t)

dev_read_urand(spamassassin_t)

fs_getattr_all_fs(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)

domain_use_interactive_fds(spamassassin_t)

files_read_etc_files(spamassassin_t)
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
files_read_usr_files(spamassassin_t)
files_dontaudit_search_var(spamassassin_t)

logging_send_syslog_msg(spamassassin_t)

miscfiles_read_localization(spamassassin_t)

sysnet_dns_name_resolve(spamassassin_t)

tunable_policy(`spamassassin_can_network',`
	allow spamassassin_t self:tcp_socket { accept listen };

	corenet_all_recvfrom_unlabeled(spamassassin_t)
	corenet_all_recvfrom_netlabel(spamassassin_t)
	corenet_tcp_sendrecv_generic_if(spamassassin_t)
	corenet_tcp_sendrecv_generic_node(spamassassin_t)
	corenet_tcp_sendrecv_all_ports(spamassassin_t)

	corenet_tcp_connect_all_ports(spamassassin_t)
	corenet_sendrecv_all_client_packets(spamassassin_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(spamassassin_t)
	fs_manage_nfs_files(spamassassin_t)
	fs_manage_nfs_symlinks(spamassassin_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(spamassassin_t)
	fs_manage_cifs_files(spamassassin_t)
	fs_manage_cifs_symlinks(spamassassin_t)
')

optional_policy(`
	tunable_policy(`spamassassin_can_network && allow_ypbind',`
		nis_use_ypbind_uncond(spamassassin_t)
	')
')

optional_policy(`
	mta_read_config(spamassassin_t)
	sendmail_stub(spamassassin_t)
')

########################################
#
# Client local policy
#

allow spamc_t self:capability dac_override;
allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamc_t self:fd use;
allow spamc_t self:fifo_file rw_fifo_file_perms;
allow spamc_t self:unix_dgram_socket sendto;
allow spamc_t self:unix_stream_socket { accept connectto listen };
allow spamc_t self:tcp_socket { accept listen };

manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })

manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")

list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)

stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)

kernel_read_kernel_sysctls(spamc_t)
kernel_read_system_state(spamc_t)

corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
corenet_tcp_sendrecv_generic_node(spamc_t)
corenet_tcp_sendrecv_all_ports(spamc_t)

corenet_sendrecv_all_client_packets(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)

corecmd_exec_bin(spamc_t)

domain_use_interactive_fds(spamc_t)

fs_getattr_all_fs(spamc_t)
fs_search_auto_mountpoints(spamc_t)

files_read_etc_runtime_files(spamc_t)
files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
files_list_home(spamc_t)
files_list_var_lib(spamc_t)

auth_use_nsswitch(spamc_t)

logging_send_syslog_msg(spamc_t)

miscfiles_read_localization(spamc_t)

dovecot_domtrans_deliver(spamc_t)

search_dirs_pattern(spamc_t, etc_mail_t, etc_mail_t)
search_dirs_pattern(spamc_t, spamd_etc_t, spamd_etc_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(spamc_t)
	fs_manage_nfs_files(spamc_t)
	fs_manage_nfs_symlinks(spamc_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(spamc_t)
	fs_manage_cifs_files(spamc_t)
	fs_manage_cifs_symlinks(spamc_t)
')

optional_policy(`
	abrt_stream_connect(spamc_t)
')

optional_policy(`
	amavis_manage_spool_files(spamc_t)
')

optional_policy(`
	evolution_stream_connect(spamc_t)
')

optional_policy(`
	milter_manage_spamass_state(spamc_t)
')

optional_policy(`
	mta_send_mail(spamc_t)
	mta_read_config(spamc_t)
	mta_read_queue(spamc_t)
	sendmail_rw_pipes(spamc_t)
	sendmail_stub(spamc_t)
')

optional_policy(`
	postfix_domtrans_postdrop(spamc_t)
	postfix_search_spool(spamc_t)
	postfix_rw_local_pipes(spamc_t)
	postfix_rw_inherited_master_pipes(spamc_t)
')

########################################
#
# Daemon local policy
#

allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket { accept connectto listen };
allow spamd_t self:tcp_socket { accept listen };

manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")

manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")

manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)

allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(spamd_t, spamd_log_t, file)

manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })

manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })

allow spamd_t spamd_var_lib_t:dir list_dir_perms;
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)

manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })

list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)

search_dirs_pattern(spamd_t, etc_mail_t, etc_mail_t)

can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })

kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)

corecmd_exec_shell(spamd_t)

corenet_all_recvfrom_unlabeled(spamd_t)
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
corenet_tcp_sendrecv_generic_node(spamd_t)
corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
corenet_udp_bind_generic_node(spamd_t)

corenet_sendrecv_spamd_server_packets(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)

corenet_sendrecv_razor_client_packets(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)

corenet_sendrecv_smtp_client_packets(spamd_t)
corenet_tcp_connect_smtp_port(spamd_t)

corenet_sendrecv_generic_server_packets(spamd_t)
corenet_udp_bind_generic_port(spamd_t)

corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_udp_bind_imaze_port(spamd_t)

corenet_dontaudit_udp_bind_all_ports(spamd_t)

corecmd_exec_bin(spamd_t)

dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)

domain_use_interactive_fds(spamd_t)

files_read_usr_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
files_read_etc_files(spamd_t)

fs_getattr_all_fs(spamd_t)
fs_search_auto_mountpoints(spamd_t)

auth_use_nsswitch(spamd_t)
auth_dontaudit_read_shadow(spamd_t)

init_dontaudit_rw_utmp(spamd_t)

libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)

logging_send_syslog_msg(spamd_t)

miscfiles_read_localization(spamd_t)

sysnet_use_ldap(spamd_t)

userdom_use_unpriv_users_fds(spamd_t)

tunable_policy(`spamd_enable_home_dirs',`
	userdom_manage_user_home_content_dirs(spamd_t)
	userdom_manage_user_home_content_files(spamd_t)
	userdom_manage_user_home_content_symlinks(spamd_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(spamd_t)
	fs_manage_nfs_files(spamd_t)
	fs_manage_nfs_symlinks(spamd_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(spamd_t)
	fs_manage_cifs_files(spamd_t)
	fs_manage_cifs_symlinks(spamd_t)
')

optional_policy(`
	amavis_manage_lib_files(spamd_t)
')

optional_policy(`
	clamav_stream_connect(spamd_t)
')

optional_policy(`
	cron_system_entry(spamd_t, spamd_exec_t)
')

optional_policy(`
	daemontools_service_domain(spamd_t, spamd_exec_t)
')

optional_policy(`
	dcc_domtrans_cdcc(spamd_t)
	dcc_domtrans_client(spamd_t)
	dcc_signal_client(spamd_t)
	dcc_stream_connect_dccifd(spamd_t)
')

optional_policy(`
	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
')

optional_policy(`
	exim_manage_spool_dirs(spamd_t)
	exim_manage_spool_files(spamd_t)
')

optional_policy(`
	milter_manage_spamass_state(spamd_t)
')

optional_policy(`
	mysql_stream_connect(spamd_t)
	mysql_tcp_connect(spamd_t)
')

optional_policy(`
	postfix_read_config(spamd_t)
')

optional_policy(`
	postgresql_stream_connect(spamd_t)
	postgresql_tcp_connect(spamd_t)
')

optional_policy(`
	pyzor_domtrans(spamd_t)
	pyzor_signal(spamd_t)
')

optional_policy(`
	razor_domtrans(spamd_t)
	razor_read_lib_files(spamd_t)
	razor_manage_home_content(spamd_t)
')

optional_policy(`
	seutil_sigchld_newrole(spamd_t)
')

optional_policy(`
	sendmail_stub(spamd_t)
	mta_read_config(spamd_t)
	mta_send_mail(spamd_t)
')

optional_policy(`
	udev_read_db(spamd_t)
')

########################################
#
# Update local policy
#

allow spamd_update_t self:capability dac_override;
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })

manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)

kernel_read_system_state(spamd_update_t)

corenet_all_recvfrom_unlabeled(spamd_update_t)
corenet_all_recvfrom_netlabel(spamd_update_t)
corenet_tcp_sendrecv_generic_if(spamd_update_t)
corenet_tcp_sendrecv_generic_node(spamd_update_t)
corenet_tcp_sendrecv_all_ports(spamd_update_t)

corenet_sendrecv_http_client_packets(spamd_update_t)
corenet_tcp_connect_http_port(spamd_update_t)
corenet_tcp_sendrecv_http_port(spamd_update_t)

corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)

dev_read_urand(spamd_update_t)

domain_use_interactive_fds(spamd_update_t)

files_read_usr_files(spamd_update_t)

auth_use_nsswitch(spamd_update_t)
auth_dontaudit_read_shadow(spamd_update_t)

miscfiles_read_localization(spamd_update_t)

userdom_use_user_terminals(spamd_update_t)

optional_policy(`
	cron_system_entry(spamd_update_t, spamd_update_exec_t)
')

# probably want a solution same as httpd_use_gpg since this will
# give spamd_update a path to users gpg keys
# optional_policy(`
#	gpg_domtrans(spamd_update_t)
# ')

optional_policy(`
	mta_read_config(spamd_update_t)
')