#DESC MTA - Mail agents

#

# Author: Russell Coker <russell@coker.com.au>

# X-Debian-Packages: postfix exim sendmail sendmail-wide

#

# policy for all mail servers, including allowing user to send mail from the

# command-line and for cron jobs to use sendmail -t

#

# sendmail_exec_t is the type of /usr/sbin/sendmail

#

# define sendmail_exec_t if sendmail.te does not do it for us

ifdef(`sendmail.te', `', `

type sendmail_exec_t, file_type, exec_type, sysadmfile;

')

# create a system_mail_t domain for daemons, init scripts, etc when they run

# "mail user@domain"

mail_domain(system)

ifdef(`targeted_policy', `

# rules are currently defined in sendmail.te, but it is not included in 

# targeted policy.  We could move these rules permanantly here.

ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')

allow system_mail_t self:dir search;

allow system_mail_t self:lnk_file read;

r_dir_file(system_mail_t, { proc_t proc_net_t })

allow system_mail_t fs_t:filesystem getattr;

allow system_mail_t { var_t var_spool_t }:dir getattr;

create_dir_file(system_mail_t, mqueue_spool_t)

create_dir_file(system_mail_t, mail_spool_t)

allow system_mail_t mail_spool_t:fifo_file rw_file_perms;

allow system_mail_t etc_mail_t:file { getattr read };

', `

ifdef(`sendmail.te', `

# sendmail has an ugly design, the one process parses input from the user and

# then does system things with it.

domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)

', `

domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)

')

allow initrc_t sendmail_exec_t:lnk_file { getattr read };

# allow the sysadmin to do "mail someone < /home/user/whatever"

allow sysadm_mail_t user_home_dir_type:dir search;

r_dir_file(sysadm_mail_t, user_home_type)

')

# for a mail server process that does things in response to a user command

allow mta_user_agent userdomain:process sigchld;

allow mta_user_agent { userdomain privfd }:fd use;

ifdef(`crond.te', `

allow mta_user_agent crond_t:process sigchld;

')

allow mta_user_agent sysadm_t:fifo_file { read write };

allow { system_mail_t mta_user_agent } privmail:fd use;

allow { system_mail_t mta_user_agent } privmail:process sigchld;

allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };

allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };

allow mta_delivery_agent home_root_t:dir { getattr search };

# for /var/spool/mail

ra_dir_create_file(mta_delivery_agent, mail_spool_t)

# for piping mail to a command

can_exec(mta_delivery_agent, shell_exec_t)

allow mta_delivery_agent bin_t:dir search;

allow mta_delivery_agent bin_t:lnk_file read;

allow mta_delivery_agent devtty_t:chr_file rw_file_perms;

allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };

allow system_mail_t etc_runtime_t:file { getattr read };

allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };

ifdef(`targeted_policy', `

typealias system_mail_t alias sysadm_mail_t;

')