#
# Pyzor - Pyzor is a collaborative, networked system to detect and
# block spam using identifying digests of messages.
#
# Author: David Hampton <hampton@employees.org>
#
|
##########
# common definitions for pyzord and all flavors of pyzor
##########
define(`pyzor_base_domain',`
# Rules shared by every pyzor domain.  $1 is a domain prefix: every rule
# below is granted to $1_t, while tmp_domain() is handed the bare prefix.
# pyzor_domain() below calls this with the prefix of the new domain.

# Networking
# NOTE(review): the pyzor protocol itself is served over UDP to
# pyzor_port_t (next rule).  TCP client access to http_port_t is a wider
# grant whose user is not documented here -- confirm what needs it before
# keeping it.
can_network_client_tcp($1_t, http_port_t);
can_network_udp($1_t, pyzor_port_t);
# presumably name resolution of the pyzor server host; see the definition
# of can_resolve for the exact ports granted
can_resolve($1_t);

general_proc_read_access($1_t)

# Private temporary files.  Note the bare prefix argument, not $1_t.
tmp_domain($1)

# Locate the interpreter and its libraries (read-only; no execute on bin_t
# is granted here, only getattr).
allow $1_t bin_t:dir { getattr search };
allow $1_t bin_t:file getattr;
allow $1_t lib_t:file { getattr read };
allow $1_t { var_t var_lib_t var_run_t }:dir search;
uses_shlib($1_t)

# Python does a getattr on this file
allow $1_t pyzor_exec_t:file getattr;

# mktemp and other randoms
# Read-only (r_file_perms) on both random devices; nothing here allows
# writing to them.
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# Allow access to various files in the /etc/directory including mtab
# and nsswitch
# NOTE(review): this is read access to every etc_t / etc_runtime_t file,
# not only the two named above -- typical for a client domain, but wider
# than the comment suggests.
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)
')
|
|
#
# Define a per-user domain for running the pyzor client
#
# Note: expects a single prefix argument (e.g. user or sysadm) that names
# the calling role $1_r and its domain $1_t
|
define(`pyzor_domain',`
# $1_pyzor_t is the confined domain in which a $1 role user runs pyzor.
# privlog and nscd_client_domain are attributes defined elsewhere in the
# policy (presumably syslog and nscd client access -- check their
# definitions for what they grant).
type $1_pyzor_t, domain, privlog, nscd_client_domain;
role $1_r types $1_pyzor_t;
# Executing a pyzor_exec_t file from $1_t automatically enters $1_pyzor_t.
# Only $1_t is listed: transitions from other callers (e.g. a spam filter
# domain) are not set up here.
domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)

# Shared rules.  The argument is the prefix of the new domain, so the
# base macro acts on $1_pyzor_t and declares its tmp type.
pyzor_base_domain($1_pyzor)

# Per-user config/data files
# The dir class argument limits the automatic relabel to directories the
# domain creates directly in $1_home_dir_t (presumably ~/.pyzor); plain
# files created straight in the home directory are not covered by it.
home_domain($1, pyzor)
file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)

# System config files
r_dir_file($1_pyzor_t, pyzor_etc_t)

# System data files
# NOTE(review): trailing ; here but not on the r_dir_file call above --
# harmless if the expansion already ends a statement, but inconsistent.
r_dir_file($1_pyzor_t, pyzor_var_lib_t);

allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;

# Allow pyzor to be run by hand. Needed by any action other than
# invocation from a spam filter.
# The fd rule covers descriptors inherited from sshd_t only, i.e. running
# pyzor interactively over SSH.  NOTE(review): no equivalent grant exists
# here for other login paths (local console, su) -- confirm that is
# intended rather than an omission.
can_access_pty($1_pyzor_t, $1)
allow $1_pyzor_t sshd_t:fd use;
')