#DESC Exim - Mail server

#

# Author:  David Hampton <hampton@employees.org>

# From postfix.te by Russell Coker <russell@coker.com.au>

# Depends: mta.te

#

##########

# Permissions common to the exim daemon, and exim invoked by a user to

# send a file

##########

define(`exim_common',`

# Networking - All instances need to talk to other mail hosts and

# amavisd

can_network_tcp($1_t);

allow $1_t smtp_port_t:tcp_socket name_connect;

##  can_network_client_tcp($1_t, smtp_port_t);

##  ifdef(`amavis.te', `

##  can_network_client_tcp($1_t, amavisd_recv_port_t);

##  allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };

##  ')

can_resolve($1_t);

# Exim forks children to do its work.

general_domain_access($1_t)

# Certs and SSL

r_dir_file($1_t, cert_t)

allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

general_proc_read_access($1_t)

read_locale($1_t)

allow $1_t etc_t:file { getattr read };

allow $1_t sbin_t:dir search;

allow $1_t tmp_t:dir getattr;

allow $1_t self:fifo_file { read write };

can_exec($1_t, exim_exec_t)

allow $1_t self:capability { chown fowner dac_override setgid setuid };

allow $1_t self:process setrlimit;

# Have to walk through /var/xxx to get to /var/xxx/exim

allow $1_t var_log_t:dir search;

allow $1_t var_spool_t:dir search;

# Exim creates a spool file per message

create_dir_file($1_t, exim_spool_t);

# It also creates a log file per message

create_dir_file($1_t, exim_log_t);

# The database is modified by every message

allow $1_t exim_spool_db_t:dir search;

allow $1_t exim_spool_db_t:file rw_file_perms;

# Checking the existence of mailman lists

allow $1_t mailman_data_t:file getattr;

# Trying to read mtab

dontaudit $1_t etc_runtime_t:file { getattr read };

')

define(`exim_user_domain',`

########################################

########################################

application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');

in_user_role(exim_$1_t)

domain_auto_trans($1_t, exim_exec_t, exim_$1_t)

exim_common(exim_$1)

role $1_r types exim_$1_t;

allow exim_$1_t $1_tmp_t:file { getattr read };

allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;

allow exim_$1_t sshd_t:fd use;

')