# Macros for MTA domains.
#
#
# Author:   Russell Coker <russell@coker.com.au>
# Based on the work of: Stephen Smalley <sds@epoch.ncsc.mil>
#                       Timothy Fraser 
#
#
# mail_domain(domain_prefix)
#
# Define a derived domain for the sendmail program when executed by
# a user domain to send outgoing mail.  These domains are separate and
# independent of the domain used for the sendmail daemon process.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/mta.te. 
#
undefine(`mail_domain')

define(`mail_domain',`
# Parameter: $1 is the domain prefix.  The calling domain is $1_t and its
# role is $1_r; the literal prefix system selects the system branch below,
# where the callers are the domains carrying the privmail attribute instead.
# Derived domain based on the calling user domain and the program.
type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;

# Extra rules for the sendmail MTA, only when its policy is part of the build.
ifdef(`sendmail.te', `
sendmail_user_domain($1)
')

# Run the MTA client binary; the lnk_file rule covers the case where the
# sendmail path is a symlink to the installed MTA.
can_exec($1_mail_t, sendmail_exec_t)
allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };

# The user role is authorized for this domain.
role $1_r types $1_mail_t;

# Network access for submitting mail and resolving names.
uses_shlib($1_mail_t)
can_network_client_tcp($1_mail_t)
# NOTE(review): port_type is the attribute shared by every port type, so this
# rule permits name_connect to any labelled port, not just SMTP; listing
# smtp_port_t alone would be the least-privilege form if that is all that is
# intended.
allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
can_resolve($1_mail_t)
can_ypbind($1_mail_t)
allow $1_mail_t self:unix_dgram_socket create_socket_perms;
allow $1_mail_t self:unix_stream_socket create_socket_perms;

# Basic process and filesystem needs: locale data, sysctl, and searching the
# device, var, spool and sbin directories.
read_locale($1_mail_t)
read_sysctl($1_mail_t)
allow $1_mail_t device_t:dir search;
allow $1_mail_t { var_t var_spool_t }:dir search;
# setrlimit lets the client adjust its own resource limits.
allow $1_mail_t self:process { fork signal_perms setrlimit };
allow $1_mail_t sbin_t:dir search;

# It wants to check for nscd
dontaudit $1_mail_t var_run_t:dir search;

# Use capabilities
# Granted to a per-user helper domain: setuid and setgid let it change its own
# uid/gid and chown lets it change file ownership.  Presumably needed for the
# MTA to switch to the mail identity - verify against the MTA in use.
allow $1_mail_t self:capability { setuid setgid chown };

# Execute procmail.
# bin_t is the general binaries type, so this is wider than procmail alone;
# the procmail_exec_t rule is the specific one when procmail policy is built.
can_exec($1_mail_t, bin_t)
ifdef(`procmail.te',`
can_exec($1_mail_t, procmail_exec_t)')

# System branch ($1 is system): $1_mail_t is system_mail_t and the callers are
# the domains with the privmail attribute rather than a single $1_t domain.
ifelse(`$1', `system', `
# Transition from a system domain to the derived domain.
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
allow privmail sendmail_exec_t:lnk_file { getattr read };

ifdef(`crond.te', `
# Read cron temporary files.
allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
allow mta_user_agent system_crond_tmp_t:file { read getattr };
')
# Presumably lets mail started from init scripts use the initrc pty.
can_access_pty(system_mail_t, initrc)

', `
# User branch: the caller is the user domain $1_t.
# For when the user wants to send mail via port 25 localhost
can_tcp_connect($1_t, mail_server_domain)

# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
allow $1_t sendmail_exec_t:lnk_file { getattr read };

# Read user temporary files.
# Read-only on purpose; append attempts are silenced rather than allowed.
allow $1_mail_t $1_tmp_t:file r_file_perms;
dontaudit $1_mail_t $1_tmp_t:file append;
ifdef(`postfix.te', `
# postfix seems to need write access if the file handle is opened read/write
allow $1_mail_t $1_tmp_t:file write;
')dnl end if postfix

# mta_user_agent is an attribute; presumably the agent domains that act on
# behalf of the user (verify in the MTA policies).
allow mta_user_agent $1_tmp_t:file { read getattr };

# Write to the user domain tty.
access_terminal(mta_user_agent, $1)
access_terminal($1_mail_t, $1)

# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
# privfd is an attribute; presumably domains whose descriptors may be
# inherited and used by others.
allow $1_mail_t privfd:fd use;

# Create dead.letter in user home directories.
# Files created by $1_mail_t in $1_home_dir_t get the type $1_home_t, so
# dead.letter is labelled like any other user home file.
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)

# Boolean: home directories on a Samba/CIFS mount need create access there too.
if (use_samba_home_dirs) {
rw_dir_create_file($1_mail_t, cifs_t)
}

# if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
#allow $1_mail_t $1_home_t:file r_file_perms;

# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
# No object class argument is given here, unlike the dead.letter rule above,
# so this relies on the default classes of file_type_auto_trans.
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
')dnl end if system

# MTA configuration under etc, plus the qmail control directory when built.
allow $1_mail_t etc_t:file { getattr read };
ifdef(`qmail.te', `
allow $1_mail_t qmail_etc_t:dir search;
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
')dnl end if qmail

')