#
# Macros for spamassassin domains.
#
# Author: Colin Walters <walters@verbum.org>
# spamassassin_domain(domain_prefix)
#
# Define derived domains for various spamassassin tools when executed
# by a user domain.
#
# The type declarations for the executable types of these programs are
# provided separately in domains/program/spamassassin.te and
# domains/program/spamc.te.
#
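# Drop any earlier definition so that exactly one definition of
# spamassassin_domain (the full macro or the empty stub) is installed below.
undefine(`spamassassin_domain')
# using_spamassassin is defined as soon as any one of the m4 symbols
# spamassassin.te, spamd.te or spamc.te is defined (presumably one symbol per
# policy file in the build; the definitions are not in this file).  It selects
# which branch of the ifdef that follows is used.
ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
ifdef(`spamd.te', `define(`using_spamassassin', `')')
ifdef(`spamc.te', `define(`using_spamassassin', `')')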
ifdef(`using_spamassassin',`
#######
# Macros used internally in these spamassassin macros.
#
###
# Define a domain for a spamassassin-like program (spamc/spamassassin).
#
# Note: most of this should really be in a generic macro like
# base_user_program($1, foo)
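# Arguments:
#   $1  user domain prefix (the calling domain is $1_t and its role is $1_r)
#   $2  program name; the entry point type is $2_exec_t and the derived
#       domain is $1_$2_t
#   $3  optional text appended to the attribute list of the new type; it is
#       pasted verbatim, so it must carry its own leading comma, as the spamc
#       call in spamassassin_domain does
define(`spamassassin_program_domain',`
# Declare the derived domain type with the domain and privlog attributes.
type $1_$2_t, domain, privlog $3;
# domain_auto_trans is defined elsewhere; by its arguments it sets up the
# transition from the user domain into the derived domain through the
# program entry point type.
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)

# The derived domain is only reachable from the role of the calling user.
role $1_r types $1_$2_t;
general_domain_access($1_$2_t)

# Read-only view of system configuration.
base_file_read_access($1_$2_t)
r_dir_file($1_$2_t, etc_t)
ifdef(`sendmail.te', `
r_dir_file($1_$2_t, etc_mail_t)
')
allow $1_$2_t etc_runtime_t:file r_file_perms;
uses_shlib($1_$2_t)
read_locale($1_$2_t)
# dontaudit only silences the denial: the search of var_t stays denied and
# leaves no audit record, so this access will not show up in the audit log.
dontaudit $1_$2_t var_t:dir search;
tmp_domain($1_$2)
allow $1_$2_t privfd:fd use;
# NOTE(review): userpty_type is named like an attribute covering every user
# pty type, not only the pty type of the invoking user.  If that is so, this
# rule grants read and write on ptys of other users as far as type
# enforcement is concerned - confirm, and narrow to the pty type of the
# calling user if nothing depends on the broader grant.
allow $1_$2_t userpty_type:chr_file rw_file_perms;
') dnl end spamassassin_program_domain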
###
# Give privileges to a domain for accessing ~/.spamassassin
# and a few other misc things like /dev/random.
# This is granted to /usr/bin/spamassassin and
# /usr/sbin/spamd, but NOT spamc (because it does not need it).
#
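# Arguments:
#   $1  full domain type that receives the privileges
#   $2  user domain prefix whose home types are involved
#       ($2_home_dir_t and $2_spamassassin_home_t)
define(`spamassassin_agent_privs',`
# Read access to directories of type home_root_t.
allow $1 home_root_t:dir r_dir_perms;
# file_type_auto_trans is defined elsewhere; presumably objects that the
# domain creates inside $2_home_dir_t are labelled $2_spamassassin_home_t.
# NOTE(review): no object class is passed here, unlike the dir-only call in
# spamassassin_domain, so the transition may apply to every class the domain
# creates in the home directory - confirm that this is intended.
file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t)
create_dir_file($1, $2_spamassassin_home_t)

# Read-only access to urandom_device_t.  The comment above this macro says
# /dev/random, but the rule names the urandom type.
allow $1 urandom_device_t:chr_file r_file_perms;
')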
#######
# Define the main spamassassin macro.  This itself creates a
# domain for /usr/bin/spamassassin, and also spamc/spamd if
# applicable.
#
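# Argument:
#   $1  user domain prefix; the derived types are $1_spamassassin_t,
#       $1_spamc_t and $1_spamassassin_home_t
define(`spamassassin_domain',`
spamassassin_program_domain($1, spamassassin)

# For perl libraries.
allow $1_spamassassin_t lib_t:file rx_file_perms;
# Ignore perl digging in /proc and /var.
# These dontaudit rules only hide the denials: the accesses stay denied and
# produce no audit records, so they will not appear when reviewing the log.
dontaudit $1_spamassassin_t proc_t:dir search;
dontaudit $1_spamassassin_t proc_t:lnk_file read;
dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;

# For ~/.spamassassin
home_domain($1, spamassassin)
file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)

spamassassin_agent_privs($1_spamassassin_t, $1)

# can_resolve is granted unconditionally; only the rules inside the two
# conditional blocks below depend on the boolean.
can_resolve($1_spamassassin_t)
# set tunable if you have spamassassin do DNS lookups
# NOTE(review): the boolean is spelled spamassasin_can_network, with a single
# s after "assa".  It has to match the declaration made elsewhere, so the
# spelling must not be corrected in this file alone.
# NOTE(review): port_type is named like the attribute carried by every port
# type.  If so, enabling the boolean allows outbound TCP connects to any
# port - confirm, and narrow to the ports the configured checks need if that
# is feasible.
if (spamassasin_can_network) {
can_network($1_spamassassin_t)
allow $1_spamassassin_t port_type:tcp_socket name_connect;
}
if (spamassasin_can_network && allow_ypbind) {
uncond_can_ypbind($1_spamassassin_t)
}
###
# Define the domain for /usr/bin/spamc
#
ifdef(`spamc.te',`
spamassassin_program_domain($1, spamc, `, nscd_client_domain')
# NOTE(review): unlike the spamassassin domain above, the spamc domain gets
# can_network, name_connect on port_type and can_ypbind with no boolean
# guard, so its network access cannot be switched off at run time.
can_network($1_spamc_t)
allow $1_spamc_t port_type:tcp_socket name_connect;
can_ypbind($1_spamc_t)

# Allow connecting to a local spamd
ifdef(`spamd.te',`
can_tcp_connect($1_spamc_t, spamd_t)
can_unix_connect($1_spamc_t, spamd_t)
allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
') dnl endif spamd.te
') dnl endif spamc.te

###
# Define the domain for /usr/sbin/spamd
#
ifdef(`spamd.te',`

# spamd_t is one shared domain, not a per-user derived domain.  Each
# expansion of this macro adds the agent privileges for one more prefix, so
# spamd_t accumulates create access to the spamassassin home type of every
# user domain that calls this macro.
spamassassin_agent_privs(spamd_t, $1)

') dnl endif spamd.te

') dnl end spamassassin_domain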
', `
define(`spamassassin_domain',`')
')