#DESC Amavis - Anti-virus

#

# Author:  Brian May <bam@snoopy.apana.org.au>

# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper

# Depends: clamav.te

#

#################################

#

# Rules for the amavisd_t domain.

#

type amavisd_etc_t, file_type, sysadmfile;

type amavisd_lib_t, file_type, sysadmfile;

# Virus and spam found and quarantined.

type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;

daemon_domain(amavisd)

tmp_domain(amavisd)

allow initrc_t amavisd_etc_t:file { getattr read };

allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };

allow initrc_t amavisd_lib_t:file unlink;

allow initrc_t amavisd_var_run_t:dir setattr;

allow amavisd_t self:capability { chown dac_override setgid setuid };

dontaudit amavisd_t self:capability sys_tty_config;

allow amavisd_t usr_t:{ file lnk_file } { getattr read };

dontaudit amavisd_t usr_t:file ioctl;

# networking

can_network_server_tcp(amavisd_t, amavisd_recv_port_t)

allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;

allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;

# The next line doesn't work right so drop the port specification.

#can_network_client_tcp(amavisd_t, amavisd_send_port_t)

can_network_client_tcp(amavisd_t)

allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;

can_resolve(amavisd_t);

can_ypbind(amavisd_t);

can_tcp_connect(mail_server_sender, amavisd_t);

can_tcp_connect(amavisd_t, mail_server_domain)

ifdef(`scannerdaemon.te', `

can_tcp_connect(amavisd_t, scannerdaemon_t);

allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;

allow scannerdaemon_t amavisd_lib_t:file r_file_perms;

')

ifdef(`clamav.te', `

clamscan_domain(amavisd)

role system_r types amavisd_clamscan_t;

domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)

allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;

allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;

can_clamd_connect(amavisd)

allow clamd_t amavisd_lib_t:dir r_dir_perms;

allow clamd_t amavisd_lib_t:file r_file_perms;

')

# DCC

ifdef(`dcc.te', `

allow dcc_client_t amavisd_lib_t:file r_file_perms;

')

# Pyzor

ifdef(`pyzor.te',`

domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)

#allow pyzor_t amavisd_data_t:dir search;

# Pyzor creates a temp file adjacent to the working file.

create_dir_file(pyzor_t, amavisd_lib_t);

')

# SpamAssassin is executed from within amavisd, but needs to read its

# config

ifdef(`spamd.te', `

r_dir_file(amavisd_t, etc_mail_t)

')

# Can create unix sockets

allow amavisd_t self:unix_stream_socket create_stream_socket_perms;

allow amavisd_t self:unix_dgram_socket create_socket_perms;

allow amavisd_t self:fifo_file getattr;

read_locale(amavisd_t)

# Access config files (amavisd).

allow amavisd_t amavisd_etc_t:file r_file_perms;

log_domain(amavisd)

# Access amavisd var/lib files.

create_dir_file(amavisd_t, amavisd_lib_t)

# Access amavisd quarantined files.

create_dir_file(amavisd_t, amavisd_quarantine_t)

# Run helper programs.

can_exec_any(amavisd_t,bin_t)

allow amavisd_t bin_t:dir { getattr search };

allow amavisd_t sbin_t:dir search;

allow amavisd_t var_lib_t:dir search;

# allow access to files for scanning (required for amavis):

allow clamd_t self:capability { dac_override dac_read_search };

# unknown stuff

allow amavisd_t self:fifo_file { ioctl read write };

allow amavisd_t { random_device_t urandom_device_t }:chr_file read;

allow amavisd_t proc_t:file { getattr read };

allow amavisd_t etc_runtime_t:file { getattr read };

# broken stuff

dontaudit amavisd_t sysadm_home_dir_t:dir search;

dontaudit amavisd_t shadow_t:file { getattr read };

dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };