Revision 1.8 - (show annotations) (download)
Thu Nov 24 11:07:28 2005 UTC (8 years, 10 months ago) by kaiowas
Branch: MAIN
CVS Tags: HEAD
Changes since 1.7: +3 -1 lines
merge with upstream

#DESC Procmail - Mail delivery agent for mail servers
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: procmail
#
# Scope of this policy: procmail_t is the domain procmail runs in when it
# is invoked as a local delivery agent.  Because procmail executes user
# recipes (see can_exec below) everything granted to procmail_t is, in
# practice, available to any command a mail recipient's recipe runs, so
# each rule here should be read with that in mind.

#################################
#
# Rules for the procmail_t domain.
#
# procmail_exec_t is the type of the procmail executable.
#
# privhome: write access to user home directories, relied on for delivery
# into home-directory mailboxes/maildirs.  It only works until a distinct
# type is defined for maildir storage; once that exists, explicit rules
# for that type will be needed here and privhome may be droppable.
# privlog: may talk to the system logger.  nscd_client_domain: may query
# nscd for user/group lookups.
type procmail_t, domain, privlog, privhome, nscd_client_domain;
type procmail_exec_t, file_type, exec_type;

# procmail_t is reachable only through system_r (i.e. when started by a
# system service such as the MTA); no user role is authorised for it here.
role system_r types procmail_t;

uses_shlib(procmail_t)
allow procmail_t device_t:dir search;
# NOTE(review): can_network_server grants listen/accept style network
# permissions, which a delivery agent does not normally need.  The reason
# is not recorded in this file - confirm it is still required before
# keeping it.
can_network_server(procmail_t)

# dac_override bypasses ordinary owner/group/other permission checks on any
# file procmail_t can otherwise reach under this policy; setuid/setgid and
# chown are presumably what lets procmail, started with root privileges by
# the MTA, drop to the recipient's identity and own the delivered mail
# (TODO confirm against the MTA configuration).  sys_nice covers setsched
# below.
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };

# Read-only access to /etc (procmailrc, passwd/group lookups, etc.).
allow procmail_t etc_t:dir r_dir_perms;
allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
allow procmail_t etc_t:lnk_file read;
read_locale(procmail_t)
read_sysctl(procmail_t)

allow procmail_t sysctl_t:dir search;

allow procmail_t self:process { setsched fork sigchld signal };
# Suppress (do not grant) the noise from procmail probing /sbin.
dontaudit procmail_t sbin_t:dir { getattr search };
# Recipes in a user's .procmailrc can pipe mail through arbitrary
# programs.  can_exec allows execute_no_trans, so those programs and the
# shells that run them stay in procmail_t rather than transitioning to a
# more restricted domain - they inherit dac_override and privhome above.
can_exec(procmail_t, { bin_t shell_exec_t })
allow procmail_t bin_t:dir { getattr search };
allow procmail_t bin_t:lnk_file read;
# Pipes between procmail and the filters it spawns.
allow procmail_t self:fifo_file rw_file_perms;

allow procmail_t self:unix_stream_socket create_socket_perms;
allow procmail_t self:unix_dgram_socket create_socket_perms;

# for /var/mail: create and write mailbox files in the spool directory.
rw_dir_create_file(procmail_t, mail_spool_t)

allow procmail_t var_t:dir { getattr search };
allow procmail_t var_spool_t:dir r_dir_perms;

allow procmail_t fs_t:filesystem getattr;
allow procmail_t { self proc_t }:dir search;
allow procmail_t proc_t:file { getattr read };
allow procmail_t { self proc_t }:lnk_file read;

# for if /var/mail is a symlink to /var/spool/mail
#allow procmail_t mail_spool_t:lnk_file r_file_perms;

# for spamassassin
allow procmail_t usr_t:file { getattr ioctl read };
# The ifdef blocks below are m4 conditionals: their rules are compiled in
# only when the named policy file is part of the build.
ifdef(`spamassassin.te', `
can_exec(procmail_t, spamassassin_exec_t)
# name_bind on the generic port_t type permits binding to any port that
# has not been given a more specific port label.  Why spamassassin needs a
# UDP bind from procmail_t is not recorded here - NOTE(review): confirm,
# and prefer a dedicated port type if one exists.
allow procmail_t port_t:udp_socket name_bind;
allow procmail_t tmp_t:dir getattr;
')
ifdef(`spamc.te', `
can_exec(procmail_t, spamc_exec_t)
')

# Search /var/run.
allow procmail_t var_run_t:dir { getattr search };

# Do not audit attempts to access /root.  This hides the denial; it does
# not grant the access.
dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };

allow procmail_t devtty_t:chr_file { read write };

# Read-only access to /dev/urandom (no write, so procmail cannot feed the
# entropy pool).
allow procmail_t urandom_device_t:chr_file { getattr read };

ifdef(`sendmail.te', `
r_dir_file(procmail_t, etc_mail_t)
# read/write on a tcp_socket owned by sendmail_t: a descriptor inherited
# across the exec from the MTA (procmail_t gets no create permission, so
# it cannot open new connections through this rule).
allow procmail_t sendmail_t:tcp_socket { read write };
')

ifdef(`hide_broken_symptoms', `
# Silences denials on mqueue files procmail inherits from the MTA; the
# access still fails, only the audit record is suppressed.
dontaudit procmail_t mqueue_spool_t:file { getattr read write };
')
