#DESC Mailman - GNU Mailman mailing list manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: mailman

# File types owned by mailman.  All carry sysadmfile so the administrator
# domains keep their normal access to them.
# mailman_data_t    - general mailman data; every mailman domain may create
#                     files and directories of this type (see mailman_domain)
# mailman_archive_t - list archives; public and private archives currently
#                     share this one type (see the note in the apache block)
type mailman_data_t, file_type, sysadmfile;
type mailman_archive_t, file_type, sysadmfile;

# Log and lock files are auto-labelled when the mailman domains create them
# under var_log_t / var_lock_t (file_type_auto_trans in mailman_domain).
type mailman_log_t, file_type, sysadmfile, logfile;
type mailman_lock_t, file_type, sysadmfile, lockfile;

# mailman_domain(name, extra_attributes)
# Declares one mailman process domain, mailman_<name>_t, together with its
# entry point type mailman_<name>_exec_t, and grants the access that every
# mailman program needs.  The second argument is appended verbatim to the
# domain type declaration, so it must be empty or start with a comma (the
# queue invocation below adds auth_chkpwd and nscd_client_domain this way).
define(`mailman_domain', `
# privlog lets the domain write to the system log; extra attributes from the
# second argument are added here.
type mailman_$1_t, domain, privlog $2;
type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
role system_r types mailman_$1_t;
# Files the domain creates under var_log_t are labelled mailman_log_t.
file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
create_dir_file(mailman_$1_t, mailman_data_t)
uses_shlib(mailman_$1_t)
# Broad grant: the domain may execute any file of an executable type without
# a domain transition.  Narrowing this to the interpreter and helper types
# mailman actually runs would limit what a compromised mailman process can
# launch; left as is because the exact set is not known from this file.
can_exec_any(mailman_$1_t)
read_sysctl(mailman_$1_t)
allow mailman_$1_t proc_t:dir search;
allow mailman_$1_t proc_t:file { read getattr };
allow mailman_$1_t var_lib_t:dir r_dir_perms;
allow mailman_$1_t var_lib_t:lnk_file read;
allow mailman_$1_t device_t:dir search;
allow mailman_$1_t etc_runtime_t:file { read getattr };
read_locale(mailman_$1_t)
# Files the domain creates under var_lock_t are labelled mailman_lock_t.
file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
# General network access plus an explicit connect to the SMTP port,
# presumably for handing outbound mail to the MTA.
can_network(mailman_$1_t)
allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t var_t:dir r_dir_perms;
# Gives the domain its own private tmp type.
tmp_domain(mailman_$1)
')

# mailman_queue_t: presumably the queue runner domain (inferred from the
# name); it is also the cron entry point (system_crond_entry below).  It
# additionally gets auth_chkpwd (password verification) and
# nscd_client_domain via the second macro argument.
mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
can_tcp_connect(mailman_queue_t, mail_server_domain)

# Privilege-bearing: the queue runner may execute su and change its uid and
# gid.  Combined with can_exec_any from mailman_domain this is a strong
# grant; revisit it if the su dependency goes away.
can_exec(mailman_queue_t, su_exec_t)
allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:fifo_file rw_file_perms;
dontaudit mailman_queue_t var_run_t:dir search;
allow mailman_queue_t proc_t:lnk_file { getattr read };

# for su
dontaudit mailman_queue_t selinux_config_t:dir search;
allow mailman_queue_t self:dir search;
allow mailman_queue_t self:file { getattr read };
# Already covered by mailman_domain (self unix_dgram_socket
# create_socket_perms); harmless duplicate.
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
allow mailman_queue_t self:lnk_file { getattr read };

# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };

# mailman_mail_t: the domain the MTA transitions into when it executes
# mailman_mail_exec_t (the transition rules are below the apache block).
mailman_domain(mail)
# Sockets and descriptors inherited from the delivering MTA process; the
# socket access is silenced rather than granted.
dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
allow mailman_mail_t mta_delivery_agent:fd use;
ifdef(`qmail.te', `
# qmail only: read its spool files and write to a fifo owned by qmail_lspawn_t.
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
')

# Archives are maintained by the queue runner; mailman_mail_t gets no archive
# access in this file.
create_dir_file(mailman_queue_t, mailman_archive_t)

ifdef(`apache.te', `
# mailman_cgi_t: the web front end, entered from httpd_t or httpd_suexec_t
# when they execute mailman_cgi_exec_t.  This is the boundary between the
# web server and mailman data, so keep the grants below minimal.
mailman_domain(cgi)
can_tcp_connect(mailman_cgi_t, mail_server_domain)

domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
# should have separate types for public and private archives
# Until that split exists, httpd_t itself can read every archive, private
# ones included, independently of any access control done by the CGI.
r_dir_file(httpd_t, mailman_archive_t)
create_dir_file(mailman_cgi_t, mailman_archive_t)
allow httpd_t mailman_data_t:dir { getattr search };

# The CGI inherits descriptors and pipes from the web server, may be
# signalled by it and reports back with sigchld.  Appends to the httpd log
# are silenced, not granted.
dontaudit mailman_cgi_t httpd_log_t:file append;
allow httpd_t mailman_cgi_t:process signal;
allow mailman_cgi_t httpd_t:process sigchld;
allow mailman_cgi_t httpd_t:fd use;
allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
allow mailman_cgi_t httpd_sys_script_t:dir search;
allow mailman_cgi_t devtty_t:chr_file { read write };
allow mailman_cgi_t self:process { fork sigchld };
allow mailman_cgi_t var_spool_t:dir search;
')

# MTA side: the delivery agent may look up the mail wrapper through
# mailman_data_t directories and symlinks and transitions into
# mailman_mail_t when it runs mailman_mail_exec_t.  initrc_t gets the same
# transition, presumably for startup scripts.
allow mta_delivery_agent mailman_data_t:dir search;
allow mta_delivery_agent mailman_data_t:lnk_file read;
domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
ifdef(`direct_sysadm_daemon', `
domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
')
# Already covered by mailman_domain (self unix_dgram_socket
# create_socket_perms); harmless duplicate.
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;

# The queue runner is started from cron and needs basic process control plus
# a read-only netlink route socket (presumably for name resolution).
system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
allow mailman_queue_t devtty_t:chr_file { read write };
allow mailman_queue_t self:process { fork signal sigchld };
allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;

# so MTA can access /var/lib/mailman/mail/wrapper
allow mta_delivery_agent var_lib_t:dir search;

# Handle mailman log files
rw_dir_create_file(logrotate_t, mailman_log_t)
allow logrotate_t mailman_data_t:dir search;
# can_exec, not a domain transition: the mail wrapper runs as logrotate_t
# here, presumably from a postrotate hook.  TODO confirm this is still needed.
can_exec(logrotate_t, mailman_mail_exec_t)