|
Chris PeBenito |
0fbfa5 |
#DESC Procmail - Mail delivery agent for mail servers
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Author: Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages: procmail
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#################################
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Rules for the procmail_t domain.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# procmail_exec_t is the type of the procmail executable.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# privhome only works until we define a different type for maildir
|
|
Chris PeBenito |
0fbfa5 |
type procmail_t, domain, privlog, privhome, nscd_client_domain;
|
|
Chris PeBenito |
0fbfa5 |
type procmail_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
role system_r types procmail_t;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib(procmail_t)
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t device_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
can_network_server(procmail_t)
|
|
Chris PeBenito |
77f6e2 |
nsswitch_domain(procmail_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t etc_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t etc_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
read_locale(procmail_t)
|
|
Chris PeBenito |
0fbfa5 |
read_sysctl(procmail_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t sysctl_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t self:process { setsched fork sigchld signal };
|
|
Chris PeBenito |
0fbfa5 |
dontaudit procmail_t sbin_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
can_exec(procmail_t, { bin_t shell_exec_t })
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t bin_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t bin_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t self:fifo_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t self:unix_stream_socket create_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for /var/mail
|
|
Chris PeBenito |
0fbfa5 |
rw_dir_create_file(procmail_t, mail_spool_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t var_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t var_spool_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t { self proc_t }:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t proc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t { self proc_t }:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for if /var/mail is a symlink to /var/spool/mail
|
|
Chris PeBenito |
0fbfa5 |
#allow procmail_t mail_spool_t:lnk_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for spamassasin
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t usr_t:file { getattr ioctl read };
|
|
Chris PeBenito |
2705f9 |
ifdef(`spamassassin.te', `
|
|
Chris PeBenito |
2705f9 |
can_exec(procmail_t, spamassassin_exec_t)
|
|
Chris PeBenito |
77f6e2 |
can_resolve(procmail_t)
|
|
Chris PeBenito |
77f6e2 |
allow procmail_t port_t:udp_socket name_bind;
|
|
Chris PeBenito |
77f6e2 |
allow procmail_t tmp_t:dir getattr;
|
|
Chris PeBenito |
77f6e2 |
')
|
|
Chris PeBenito |
77f6e2 |
ifdef(`targeted_policy', `
|
|
Chris PeBenito |
77f6e2 |
can_resolve(procmail_t)
|
|
Chris PeBenito |
77f6e2 |
allow procmail_t port_t:udp_socket name_bind;
|
|
Chris PeBenito |
77f6e2 |
allow procmail_t tmp_t:dir getattr;
|
|
Chris PeBenito |
2705f9 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Search /var/run.
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t var_run_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Do not audit attempts to access /root.
|
|
Chris PeBenito |
0fbfa5 |
dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t devtty_t:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t urandom_device_t:chr_file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`sendmail.te', `
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file(procmail_t, etc_mail_t)
|
|
Chris PeBenito |
0fbfa5 |
allow procmail_t sendmail_t:tcp_socket { read write };
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`hide_broken_symptoms', `
|
|
Chris PeBenito |
0fbfa5 |
dontaudit procmail_t mqueue_spool_t:file { getattr read write };
|
|
Chris PeBenito |
0fbfa5 |
')
|