|
Chris PeBenito |
ab58ad |
# Macros for MTA domains.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Author: Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
ab58ad |
# Based on the work of: Stephen Smalley <sds@epoch.ncsc.mil>
|
|
Chris PeBenito |
ab58ad |
# Timothy Fraser
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# mail_domain(domain_prefix)
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Define a derived domain for the sendmail program when executed by
|
|
Chris PeBenito |
ab58ad |
# a user domain to send outgoing mail. These domains are separate and
|
|
Chris PeBenito |
ab58ad |
# independent of the domain used for the sendmail daemon process.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# The type declaration for the executable type for this program is
|
|
Chris PeBenito |
ab58ad |
# provided separately in domains/program/mta.te.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
undefine(`mail_domain')
|
|
Chris PeBenito |
ab58ad |
define(`mail_domain',`
|
|
Chris PeBenito |
ab58ad |
# Derived domain based on the calling user domain and the program.
|
|
Chris PeBenito |
ab58ad |
type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`sendmail.te', `
|
|
Chris PeBenito |
ab58ad |
sendmail_user_domain($1)
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
can_exec($1_mail_t, sendmail_exec_t)
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# The user role is authorized for this domain.
|
|
Chris PeBenito |
ab58ad |
role $1_r types $1_mail_t;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
uses_shlib($1_mail_t)
|
|
Chris PeBenito |
ab58ad |
can_network_client_tcp($1_mail_t)
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
|
|
Chris PeBenito |
ab58ad |
can_resolve($1_mail_t)
|
|
Chris PeBenito |
ab58ad |
can_ypbind($1_mail_t)
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t self:unix_stream_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
read_locale($1_mail_t)
|
|
Chris PeBenito |
ab58ad |
read_sysctl($1_mail_t)
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t device_t:dir search;
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t { var_t var_spool_t }:dir search;
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t self:process { fork signal_perms setrlimit };
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t sbin_t:dir search;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# It wants to check for nscd
|
|
Chris PeBenito |
ab58ad |
dontaudit $1_mail_t var_run_t:dir search;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Use capabilities
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t self:capability { setuid setgid chown };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Execute procmail.
|
|
Chris PeBenito |
ab58ad |
can_exec($1_mail_t, bin_t)
|
|
Chris PeBenito |
ab58ad |
ifdef(`procmail.te',`
|
|
Chris PeBenito |
ab58ad |
can_exec($1_mail_t, procmail_exec_t)')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifelse(`$1', `system', `
|
|
Chris PeBenito |
ab58ad |
# Transition from a system domain to the derived domain.
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
|
|
Chris PeBenito |
ab58ad |
allow privmail sendmail_exec_t:lnk_file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`crond.te', `
|
|
Chris PeBenito |
ab58ad |
# Read cron temporary files.
|
|
Chris PeBenito |
ab58ad |
allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
|
|
Chris PeBenito |
ab58ad |
allow mta_user_agent system_crond_tmp_t:file { read getattr };
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
can_access_pty(system_mail_t, initrc)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
', `
|
|
Chris PeBenito |
ab58ad |
# For when the user wants to send mail via port 25 localhost
|
|
Chris PeBenito |
ab58ad |
can_tcp_connect($1_t, mail_server_domain)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Transition from the user domain to the derived domain.
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
|
|
Chris PeBenito |
ab58ad |
allow $1_t sendmail_exec_t:lnk_file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Read user temporary files.
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
|
Chris PeBenito |
ab58ad |
dontaudit $1_mail_t $1_tmp_t:file append;
|
|
Chris PeBenito |
ab58ad |
ifdef(`postfix.te', `
|
|
Chris PeBenito |
ab58ad |
# postfix seems to need write access if the file handle is opened read/write
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t $1_tmp_t:file write;
|
|
Chris PeBenito |
ab58ad |
')dnl end if postfix
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow mta_user_agent $1_tmp_t:file { read getattr };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Write to the user domain tty.
|
|
Chris PeBenito |
ab58ad |
access_terminal(mta_user_agent, $1)
|
|
Chris PeBenito |
ab58ad |
access_terminal($1_mail_t, $1)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Inherit and use descriptors from gnome-pty-helper.
|
|
Chris PeBenito |
ab58ad |
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t privfd:fd use;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Create dead.letter in user home directories.
|
|
Chris PeBenito |
ab58ad |
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
if (use_samba_home_dirs) {
|
|
Chris PeBenito |
ab58ad |
rw_dir_create_file($1_mail_t, cifs_t)
|
|
Chris PeBenito |
ab58ad |
}
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# if you do not want to allow dead.letter then use the following instead
|
|
Chris PeBenito |
ab58ad |
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
|
Chris PeBenito |
ab58ad |
#allow $1_mail_t $1_home_t:file r_file_perms;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# for reading .forward - maybe we need a new type for it?
|
|
Chris PeBenito |
ab58ad |
# also for delivering mail to maildir
|
|
Chris PeBenito |
ab58ad |
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
|
|
Chris PeBenito |
ab58ad |
')dnl end if system
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t etc_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
ifdef(`qmail.te', `
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t qmail_etc_t:dir search;
|
|
Chris PeBenito |
ab58ad |
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
|
|
Chris PeBenito |
ab58ad |
')dnl end if qmail
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
')
|