#DESC Exim - Mail server
#
# Author:  David Hampton <hampton@employees.org>
# From postfix.te by Russell Coker <russell@coker.com.au>
# Depends: mta.te
#

##########
# Permissions common to the exim daemon, and exim invoked by a user to
# send a file
##########
define(`exim_common',`

# Networking - All instances need to talk to other mail hosts and
# amavisd
# NOTE(review): can_network_tcp presumably grants outbound TCP to any
# host; only name_connect is narrowed to the SMTP port. The finer
# per-port client rules below are kept as commented-out history.
can_network_tcp($1_t);
allow $1_t smtp_port_t:tcp_socket name_connect;
##  can_network_client_tcp($1_t, smtp_port_t);
##  ifdef(`amavis.te', `
##  can_network_client_tcp($1_t, amavisd_recv_port_t);
##  allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };
##  ')
# Name resolution for the domain (mail routing needs DNS lookups).
can_resolve($1_t);

# Exim forks children to do its work.
# general_domain_access is a broad self-access macro whose expansion
# lives in the shared macros, not here - check it when tightening.
general_domain_access($1_t)

# Certs and SSL
# Read-only access to certificate files and the random devices TLS uses.
r_dir_file($1_t, cert_t)
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

general_proc_read_access($1_t)
read_locale($1_t)

# Read-only access to etc_t files, search on sbin_t directories,
# getattr on the shared tmp directory, and read/write on pipes the
# process creates (these are labelled with its own type, hence self).
allow $1_t etc_t:file { getattr read };
allow $1_t sbin_t:dir search;
allow $1_t tmp_t:dir getattr;
allow $1_t self:fifo_file { read write };
# Exim re-executes its own binary; can_exec keeps that in the same
# domain (no transition), so the re-exec neither gains nor drops rights.
can_exec($1_t, exim_exec_t)
# dac_override bypasses discretionary mode-bit checks on every file the
# domain can otherwise reach, and setuid/setgid let it change identity.
# These are the widest grants in this macro, and because the macro is
# shared (see the header above) they apply to the user-invoked instance
# as well as the daemon.
allow $1_t self:capability { chown fowner dac_override setgid setuid };
# Lets the domain adjust its own resource limits.
allow $1_t self:process setrlimit;

# Have to walk through /var/xxx to get to /var/xxx/exim
allow $1_t var_log_t:dir search;
allow $1_t var_spool_t:dir search;

# Exim creates a spool file per message
# NOTE(review): create rights on the spool and log trees are granted to
# both the daemon and the user-invoked instance, since both expand this
# macro.
create_dir_file($1_t, exim_spool_t);
# It also creates a log file per message
create_dir_file($1_t, exim_log_t);
# The database is modified by every message
allow $1_t exim_spool_db_t:dir search;
allow $1_t exim_spool_db_t:file rw_file_perms;

# Checking the existence of mailman lists
allow $1_t mailman_data_t:file getattr;

# Trying to read mtab
# dontaudit silences the denial without granting access; presumably the
# read is optional for exim.
dontaudit $1_t etc_runtime_t:file { getattr read };
')


define(`exim_user_domain',`
########################################
########################################
# Per-user exim domain exim_$1_t: entered when a process in the user
# domain $1_t runs the exim binary, e.g. to submit a message from the
# command line. The quoted leading comma presumably appends the listed
# attributes (delivery agent, mail server, sender, nscd client, privlog)
# to the attribute list that application_domain builds - verify against
# that macro.
application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');
in_user_role(exim_$1_t)
# Executing exim_exec_t from $1_t transitions automatically into
# exim_$1_t, so user-submitted mail runs with the shared exim_common
# rights (spool, log, capabilities) rather than the user domain rights.
domain_auto_trans($1_t, exim_exec_t, exim_$1_t)
exim_common(exim_$1)
# NOTE(review): in_user_role above presumably already adds the role
# binding; this explicit role statement may be redundant - confirm.
role $1_r types exim_$1_t;
# Message input may come from a file in the user tmp directory and from
# the user terminal.
allow exim_$1_t $1_tmp_t:file { getattr read };
allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;
# NOTE(review): fd use on sshd_t lets this domain keep descriptors
# inherited through an ssh session; presumably needed when exim is run
# directly from a remote command - confirm it is still required.
allow exim_$1_t sshd_t:fd use;
')