#DESC Exim - Mail server
#
# Author:  David Hampton <hampton@employees.org>
# From postfix.te by Russell Coker <russell@coker.com.au>
# Depends: mta.te
#
# Spool types.  exim_spool_t is the daemon's spool, created and written
# by exim_t (create_dir_file below) and read by most helper domains.
# exim_spool_db_t is the spool database: read by the exim_db_* domains,
# written by exim_t and exim_db_rw_t.  Both carry file_type and
# sysadmfile (presumably giving sysadm_t its usual access to them).
type exim_spool_t, file_type, sysadmfile;
type exim_spool_db_t, file_type, sysadmfile;
##########
# Exim daemon
##########
# Declares exim_t / exim_exec_t.  The extra attributes make exim_t a
# delivery agent, a mail server (listener and sender), an nscd client,
# and grant privlog/privhome.  `nosysadm' presumably suppresses the
# sysadm_r role/transition daemon_domain() would otherwise add; the role
# is granted explicitly below instead — confirm against daemon_domain().
daemon_domain(exim, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog, privhome', nosysadm)
# exim_common() is not defined in this file; check its definition for
# the rules it adds to exim_t before auditing this domain.
exim_common(exim);
# exim_log_t (used below) for the logs and, presumably, exim_etc_t for
# the configuration directory.
etcdir_domain(exim)
logdir_domain(exim)
########################################
########################################
role sysadm_r types exim_t;

# Server side networking
can_network_tcp(exim_t);
# Listener ports: SMTP, plus the port type amavisd uses to hand scanned
# mail back to the daemon (see the next comment).  Every port type
# listed here is another socket exim_t may bind, so keep the list tight.
allow exim_t { smtp_port_t amavisd_send_port_t }:tcp_socket name_bind;
# The exim daemon gets to listen to mail coming back from amavisd
# For identd lookups (outbound connect only, no bind)
allow exim_t inetd_child_port_t:tcp_socket name_connect;
allow exim_t self:unix_dgram_socket create_socket_perms;

# Lock file between exim processes. Exim creates a lock file in /tmp
# that doesn't transition to the exim_tmp_t type for some reason,
# thus the allow statement.
# NOTE(review): because this grants read on generic tmp_t rather than
# exim_tmp_t, exim_t can read any untransitioned /tmp file, not only
# its own lock.  If the missing transition is ever fixed, drop this rule.
tmp_domain(exim)
allow exim_t tmp_t:file { getattr read };

# Lock files for the actual mail delivery.  Exim wants to create a
# 'hitching post' file in the same directory as the delivery file.
# These are the additional privileges over and above what's defined for
# an mta_delivery_agent. Additional privs for maildir mail files.
allow exim_t mail_spool_t:dir remove_name;
allow exim_t mail_spool_t:file { link setattr unlink write rename };

# For access to users .forward files: directory lookup only.  Read of
# the file itself is not granted here; presumably it comes from the
# privhome attribute given in daemon_domain() above — confirm.
allow exim_t home_dir_type:dir { getattr search };

# dac_read_search bypasses DAC read/search checks on everything the MAC
# rules already let exim_t reach; net_bind_service is for the
# privileged SMTP port.
allow exim_t self:capability { dac_read_search net_bind_service };

# Create exim spool files, update spool database
create_dir_file(exim_t, exim_spool_t)
rw_dir_file(exim_t, exim_spool_db_t)

# Start daemon/child processes: re-executing the exim binary stays in
# exim_t (can_exec, no domain transition).
can_exec(exim_t, exim_exec_t)

allow exim_t sbin_t:dir r_dir_perms;

# Read aliases file
allow exim_t etc_aliases_t:file r_file_perms;

# Stat only (no read/write) on pseudo-terminals.
allow exim_t devpts_t:chr_file getattr;
# Cron may start exim (transition into exim_t), and the exim_t child may
# read/append cron's tmp files — presumably inherited job output; confirm.
ifdef(`crond.te', `
system_crond_entry(exim_exec_t, exim_t)
domain_auto_trans(crond_t, exim_exec_t, exim_t)
allow exim_t system_crond_tmp_t:file { getattr read append };
# logwatch: cron jobs read the exim logs
allow system_crond_t exim_log_t:file read;
')
# For squirrelmail
# httpd CGI scripts may exec exim (transition into exim_t).  The fd,
# fifo_file and tcp_socket rules presumably cover descriptors the child
# inherits from httpd.  NOTE(review): read/write on httpd_t:tcp_socket
# means an exim_t started this way can talk directly on the web client
# connection — confirm that is intended rather than fifo_file alone.
ifdef(`httpd.te', `
domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t)
allow exim_t httpd_t:fd use;
allow exim_t httpd_t:process sigchld;
allow exim_t httpd_log_t:file { append getattr };
allow exim_t httpd_squirrelmail_t:file { append read };
allow exim_t httpd_t:fifo_file { read write getattr };
allow exim_t httpd_t:tcp_socket { read write };
')
########################################
########################################
##  --------------------------------------------------
##		 exim_ro, exim_ro_net
##
##  Many of the subsequent applications call exim for
##  the sole purpose of extracting configuration or
##  other information.  Lock down the permissions on
##  these instances to be pretty much read-only
##  everything.
##
##  One of the applications calls exim only to
##  determine whether an address is valid.  It does
##  this by having exim attempt to deliver an empty
##  message, without doing the actual delivery.
##  These functions are split out here to keep all the
##  access controls on exim itself in one part of the
##  file.
##  --------------------------------------------------

# exim_ro_base(name): declare a read-only exim domain name_t.
# "Read-only" is enforced by MAC only: the domain still gets
# dac_override/setuid/setgid (presumably to switch to the exim user —
# confirm), so DAC is no extra restriction for it.
define(`exim_ro_base', `
application_domain($1)
role system_r types $1_t;
read_sysctl($1_t)
r_dir_file($1_t, etc_t)		# for nsswitch.conf (grants all of etc_t, not just that file)
r_dir_file($1_t, var_spool_t)
r_dir_file($1_t, exim_spool_t)
allow $1_t devpts_t:chr_file { getattr read write };
allow $1_t self:capability { dac_override setgid setuid };
')
# exim_ro_t: the no-network read-only instance; unix socket attempts
# are silenced rather than allowed.
exim_ro_base(exim_ro)
dontaudit exim_ro_t self:unix_stream_socket { connect create };

# exim_ro_net_t: same base plus networking, /proc, locale, and read of
# the aliases file, for the address-check use described above
# (exim_checkaccess transitions into this domain).  NOTE(review):
# can_network() is broader than the daemon's own can_network_tcp();
# presumably it also covers UDP — confirm the check really needs that.
exim_ro_base(exim_ro_net)
can_network(exim_ro_net_t)
general_proc_read_access(exim_ro_net_t)
read_locale(exim_ro_net_t)
allow exim_ro_net_t mail_spool_t:dir search;
allow exim_ro_net_t etc_aliases_t:file r_file_perms;
allow exim_ro_net_t self:unix_stream_socket { create connect };
##  --------------------------------------------------
##  exim_helper_base
##
##  Define the base attributes for an exim helper
##  program.
##  --------------------------------------------------
# exim_helper_base(name): declare name_t for one of the exi* utilities.
# NOTE(review): can_exec_any() lets the helper execute any executable
# type, and general_domain_access() is (presumably) a broad self-access
# macro; both are here for perl, but a per-helper allowlist would be
# tighter.
define(`exim_helper_base',`
application_domain($1)
role system_r types $1_t;
can_exec_any($1_t)

allow $1_t devpts_t:dir search;

# Needed for perl
general_domain_access($1_t)
general_proc_read_access($1_t)
allow $1_t urandom_device_t:chr_file read;
allow $1_t { devtty_t devpts_t }:chr_file { read write ioctl };
read_locale($1_t)
allow $1_t sbin_t:dir r_dir_perms;
')
##  --------------------------------------------------
##  exim_helper_script_base
##  --------------------------------------------------
# exim_helper_script_base(name): exim_helper_base plus what a shell
# script needs.  Writes go to generic tmp_t (no private tmp type) for
# the here-document, so the script shares /tmp with every other tmp_t
# writer — a private tmp type would be the usual tightening.
define(`exim_helper_script_base',`
exim_helper_base($1)

# Needed for bash
allow $1_t { devtty_t devpts_t }:chr_file { read write getattr };
allow $1_t devpts_t:dir search;
allow $1_t fs_t:filesystem getattr;
rw_dir_create_file($1_t, tmp_t)		# Script uses a "here" document
dontaudit $1_t etc_runtime_t:file { getattr read };	# mtab
dontaudit $1_t selinux_config_t:dir { search };
dontaudit $1_t selinux_config_t:file { getattr read };	# likely copied from the mtab line: selinux_config_t is the SELinux config, not mtab
allow $1_t var_spool_t:dir search;		# Needed to traverse to get to /var/spool/exim

')
##  --------------------------------------------------
##  exicyclog
##  --------------------------------------------------
# Log rotation: create_dir_file() on exim_log_t plus traversal of /var
# and /var/log.  Gets dac_override/setuid/setgid (presumably to switch
# to the exim user before touching the logs — confirm).

exim_helper_script_base(exicyclog)
allow exicyclog_t self:capability { dac_override setuid setgid };
create_dir_file(exicyclog_t, exim_log_t)
allow exicyclog_t var_t:dir r_dir_perms;
allow exicyclog_t var_log_t:dir r_dir_perms;
allow exicyclog_t exim_spool_t:dir r_dir_perms;
##  --------------------------------------------------
##  exigrep
##  --------------------------------------------------
# Searches the exim logs: read-only on var_log_t and exim_log_t.
# dac_override lets it read them regardless of their DAC mode.

exim_helper_base(exigrep)
allow exigrep_t self:capability dac_override;
r_dir_file(exigrep_t, var_log_t)
r_dir_file(exigrep_t, exim_log_t)
##  --------------------------------------------------
##  exipick
##  --------------------------------------------------
# Inspects the spool: runs exim in the read-only domain and reads
# var_spool_t / exim_spool_t.  No write access to the spool is granted.

exim_helper_base(exipick)
domain_auto_trans(exipick_t, exim_exec_t, exim_ro_t)
r_dir_file(exipick_t, var_spool_t)
r_dir_file(exipick_t, exim_spool_t)
allow exipick_t self:capability dac_override;
##  --------------------------------------------------
##  exiqgrep
##  --------------------------------------------------
# Only runs exim in the read-only domain; everything else comes from
# exim_helper_base().

exim_helper_base(exiqgrep)
domain_auto_trans(exiqgrep_t, exim_exec_t, exim_ro_t)
# exim_lock: a bare application domain with no further rules in this
# file.  NOTE(review): it gets no file or capability access here;
# presumably the rules live elsewhere or the domain is a placeholder —
# confirm before relying on it.
application_domain(exim_lock)
role system_r types exim_lock_t;
##  --------------------------------------------------
##  exiwhat
##     1) Runs exim to extract config info
##     2) Sends a signal to all running exim processes
##     3) Collects the status files they drop in the spool directory
##  --------------------------------------------------
# Step 1 runs exim in the read-only domain; steps 2 and 3 need signal
# on exim_t, the kill capability, and write/unlink in the spool so the
# status files can be removed after reading.

exim_helper_script_base(exiwhat)
domain_auto_trans(exiwhat_t, exim_exec_t, exim_ro_t)
allow exiwhat_t exim_spool_t:dir { rw_dir_perms };
# unlink is granted on every exim_spool_t file, not only the status
# files — presumably that includes queued messages; keep in mind when
# reviewing what exiwhat may delete.
allow exiwhat_t exim_spool_t:file { r_file_perms unlink };

# killall: presumably reads the /proc entries of exim_t processes and
# signals them.
r_dir_file(exiwhat_t, exim_t)
r_dir_file(exiwhat_t, selinux_config_t)
allow exiwhat_t exim_t:process signal;
allow exiwhat_t self:capability { dac_override kill sys_nice };

# Keeps the /proc scan quiet.  These dontaudits cover every file_type,
# so a genuine denial for exiwhat_t against any file is never audited
# either — narrow them if that matters for this host.
dontaudit exiwhat_t file_type:dir search;
dontaudit exiwhat_t file_type:file { getattr read };

# rm
allow exiwhat_t devpts_t:chr_file ioctl;
##  --------------------------------------------------
##  exim_checkaccess
##     1) Runs exim to simulate mail receipt
##     2) Checks on whether the mail address is allowed from the ip address
##  --------------------------------------------------
# This is the address-validity check described above the exim_ro
# domains: the exim it runs transitions into exim_ro_net_t, the only
# read-only instance with network access.

exim_helper_script_base(exim_checkaccess)
domain_auto_trans(exim_checkaccess_t, exim_exec_t, exim_ro_net_t)
allow exim_checkaccess_t exim_spool_t:dir { r_dir_perms };
allow exim_checkaccess_t self:capability dac_override;
##  --------------------------------------------------
##  exim_helper
##  --------------------------------------------------
# Generic helper domain: runs exim in the read-only domain, may run
# bin_t programs, and reads the exim logs.  Not built on
# exim_helper_base(), so no can_exec_any()/urandom/sbin access here.
application_domain(exim_helper)
domain_auto_trans(exim_helper_t, exim_exec_t, exim_ro_t)
can_exec(exim_helper_t, bin_t)
role system_r types exim_helper_t;
general_domain_access(exim_helper_t)
read_locale(exim_helper_t)

allow exim_helper_t { devtty_t devpts_t }:chr_file { read write };

# Have to walk through /var/log to get to /var/log/exim
# NOTE(review): only var_t:dir is granted; exicyclog_t above also gets
# var_log_t:dir r_dir_perms for the same walk.  Unless /var/log is not
# var_log_t on this system, exim_helper_t probably needs that rule too.
allow exim_helper_t var_t:dir r_dir_perms;
r_dir_file(exim_helper_t, exim_log_t)
##  --------------------------------------------------
##  exim database maintenance programs
##     exim_dump_db, exim_fixdb, exim_tidydb
##  --------------------------------------------------
# exim_db_base(name): read-only access to the spool and the spool
# database plus dac_override/setgid/setuid.  The rw variant adds write
# on exim_spool_db_t separately (below), so the base stays read-only
# under MAC; dac_override still applies to whatever MAC allows.
define(`exim_db_base',`
application_domain($1)
role system_r types $1_t;
read_locale($1_t)
general_proc_read_access($1_t)
allow $1_t devpts_t:chr_file { getattr read write };
allow $1_t self:capability { dac_override setgid setuid };
allow $1_t tmp_t:dir { getattr };
r_dir_file($1_t, var_spool_t)
r_dir_file($1_t, exim_spool_t)
r_dir_file($1_t, exim_spool_db_t)
dontaudit $1_t etc_runtime_t:file { getattr read };	# mtab
')
# exim_db_ro_t: inspect only; exim_db_rw_t additionally modifies the
# spool database.  Which binary lands in which domain is decided by the
# file contexts, not by this file.
exim_db_base(exim_db_ro)
exim_db_base(exim_db_rw)
rw_dir_file(exim_db_rw_t, exim_spool_db_t)