#DESC Spamd - Spamassassin daemon

#

# Author: Colin Walters <walters@debian.org>

# X-Debian-Packages: spamassassin

# Depends: spamassassin.te

#

daemon_domain(spamd)

tmp_domain(spamd)

general_domain_access(spamd_t)

uses_shlib(spamd_t)

read_sysctl(spamd_t)

# Various Perl bits

allow spamd_t lib_t:file rx_file_perms;

dontaudit spamd_t shadow_t:file { getattr read };

dontaudit spamd_t initrc_var_run_t:file { read write lock };

dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };

can_network_server(spamd_t)

allow spamd_t spamd_port_t:tcp_socket name_bind;

allow spamd_t port_type:udp_socket name_bind;

dontaudit spamd_t reserved_port_type:udp_socket name_bind;

can_ypbind(spamd_t)

can_resolve(spamd_t)

allow spamd_t self:capability net_bind_service;

allow spamd_t proc_t:file { getattr read };

# Spamassassin, when run as root and using per-user config files,

# setuids to the user running spamc.  Comment this if you are not

# using this ability.

allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };

allow spamd_t { bin_t sbin_t }:dir { getattr search };

can_exec(spamd_t, bin_t)

ifdef(`sendmail.te', `

allow spamd_t etc_mail_t:dir { getattr read search };

allow spamd_t etc_mail_t:file { getattr ioctl read };

')

allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };

ifdef(`amavis.te', `

# for bayes tokens

allow spamd_t var_lib_t:dir { getattr search };

rw_dir_create_file(spamd_t, amavisd_lib_t)

')

allow spamd_t usr_t:file { getattr ioctl read };

allow spamd_t usr_t:lnk_file { getattr read };

allow spamd_t urandom_device_t:chr_file { getattr read };

system_crond_entry(spamd_exec_t, spamd_t)

ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')