#
# Macros for sendmail domains.
#
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
#           Russell Coker <russell@coker.com.au>
#
#
# sendmail_user_domain(domain_prefix)
#
# Define a derived domain for the sendmail program when executed by
# a user domain to send outgoing mail.  These domains are separate and
# independent of the domain used for the sendmail daemon process.
#
undefine(`sendmail_user_domain')
define(`sendmail_user_domain', `
# Use capabilities
allow $1_mail_t self:capability net_bind_service;
tmp_domain($1_mail)
# Write to /var/spool/mail and /var/spool/mqueue.
allow $1_mail_t mail_spool_t:dir rw_dir_perms;
allow $1_mail_t mail_spool_t:file create_file_perms;
allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
allow $1_mail_t mqueue_spool_t:file create_file_perms;
# Write to /var/log/sendmail.st
file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
allow $1_mail_t etc_mail_t:dir { getattr search };
allow $1_mail_t { var_t var_spool_t }:dir getattr;
allow $1_mail_t etc_runtime_t:file { getattr read };
# Check available space.
allow $1_mail_t fs_t:filesystem getattr;
allow $1_mail_t sysctl_kernel_t:dir search;
ifelse(`$1', `sysadm', `
allow $1_mail_t proc_t:dir { getattr search };
allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_mail_t proc_net_t:dir search;
allow $1_mail_t sysctl_kernel_t:file { getattr read };
allow $1_mail_t etc_runtime_t:file { getattr read };
', `
dontaudit $1_mail_t proc_t:dir search;
dontaudit $1_mail_t sysctl_kernel_t:file read;
')dnl end if sysadm
')