policy_module(mailman,1.1.5) ######################################## # # Declarations # mailman_domain_template(cgi) type mailman_data_t; files_type(mailman_data_t) type mailman_archive_t; files_type(mailman_archive_t) type mailman_log_t; logging_log_file(mailman_log_t) type mailman_lock_t; files_lock_file(mailman_lock_t) mailman_domain_template(mail) init_daemon_domain(mailman_mail_t,mailman_mail_exec_t) mailman_domain_template(queue) ######################################## # # Mailman CGI local policy # # cjp: the template invocation for queue should be # in the below optional policy; however, there are no # optionals for file contexts yet, so it is promoted # to global scope until such facilities exist. optional_policy(` allow mailman_cgi_t mailman_archive_t:dir create_dir_perms; allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms; allow mailman_cgi_t mailman_archive_t:file create_file_perms; kernel_tcp_recvfrom(mailman_cgi_t) term_use_controlling_term(mailman_cgi_t) files_search_spool(mailman_cgi_t) mta_tcp_connect_all_mailservers(mailman_cgi_t) apache_sigchld(mailman_cgi_t) apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) ') ######################################## # # Mailman mail local policy # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) ifdef(`TODO',` optional_policy(` allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; # do we really need this? allow mailman_mail_t qmail_lspawn_t:fifo_file write; ') ') ######################################## # # Mailman queue local policy # allow mailman_queue_t self:capability { setgid setuid }; allow mailman_queue_t self:process signal; allow mailman_queue_t self:fifo_file rw_file_perms; allow mailman_queue_t self:unix_dgram_socket create_socket_perms; allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; allow mailman_queue_t mailman_archive_t:dir create_dir_perms; allow mailman_queue_t mailman_archive_t:file create_file_perms; allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms; kernel_read_proc_symlinks(mailman_queue_t) kernel_tcp_recvfrom(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) files_dontaudit_search_pids(mailman_queue_t) # for su seutil_dontaudit_search_config(mailman_queue_t) # some of the following could probably be changed to dontaudit, someone who # knows mailman well should test this out and send the changes userdom_search_sysadm_home_dirs(mailman_queue_t) userdom_getattr_sysadm_home_dirs(mailman_queue_t) mta_tcp_connect_all_mailservers(mailman_queue_t) su_exec(mailman_queue_t) optional_policy(` cron_system_entry(mailman_queue_t,mailman_queue_exec_t) ') optional_policy(` nscd_socket_use(mailman_queue_t) ')