#
# Macros for sendmail domains.
#
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
#           Russell Coker <russell@coker.com.au>
#
#
# sendmail_user_domain(domain_prefix)
#
# Define a derived domain for the sendmail program when executed by
# a user domain to send outgoing mail.  These domains are separate and
# independent of the domain used for the sendmail daemon process.
#
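undefine(`sendmail_user_domain')
define(`sendmail_user_domain', `
# Rules for $1_mail_t, the derived domain a $1 user domain runs the sendmail
# client in.  This macro only lists what that domain may touch; the domain
# declaration and the transition into it are not part of this macro.

# The only capability granted here: bind a reserved (below 1024) local port.
# No other capabilities are given to the mail client domain.
allow $1_mail_t self:capability net_bind_service;

# Private temporary-file type for the mail client (presumably $1_mail_tmp_t,
# see the tmp_domain macro), so scratch files are not shared with other domains.
tmp_domain($1_mail)

# Write to /var/spool/mail and /var/spool/mqueue.
# NOTE(review): these spool types are shared, so this allows creating and
# writing any file labelled mail_spool_t or mqueue_spool_t, not just the
# mailbox of the invoking user.  Keep those types off unrelated files.
allow $1_mail_t mail_spool_t:dir rw_dir_perms;
allow $1_mail_t mail_spool_t:file create_file_perms;
allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
allow $1_mail_t mqueue_spool_t:file create_file_perms;

# Write to /var/log/sendmail.st.  file_type_auto_trans presumably adds a type
# transition so files the client creates in var_log_t directories are
# labelled sendmail_log_t rather than generic var_log_t.
file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)

# Look up /etc/mail; reading the files inside it is not granted by this macro.
allow $1_mail_t etc_mail_t:dir { getattr search };

# stat the parent directories on the way to the spool directories.
allow $1_mail_t { var_t var_spool_t }:dir getattr;

# Read runtime-generated files under /etc (etc_runtime_t).  Granted once
# here for every user prefix; the sysadm branch below no longer repeats it.
allow $1_mail_t etc_runtime_t:file { getattr read };

# Check available space.
allow $1_mail_t fs_t:filesystem getattr;

allow $1_mail_t sysctl_kernel_t:dir search;

# Only the sysadm-derived domain may actually read /proc and kernel sysctls.
# Every other user prefix gets the same accesses silently denied (dontaudit)
# instead of allowed, so the denials do not flood the audit log.
ifelse(`$1', `sysadm', `
allow $1_mail_t proc_t:dir { getattr search };
allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_mail_t proc_net_t:dir search;
allow $1_mail_t sysctl_kernel_t:file { getattr read };
', `
dontaudit $1_mail_t proc_t:dir search;
dontaudit $1_mail_t sysctl_kernel_t:file read;
')dnl end if sysadm
')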