#DESC MTA - Mail agents
#
# Author: Russell Coker
# X-Debian-Packages: postfix exim sendmail sendmail-wide
#
# policy for all mail servers, including allowing user to send mail from the
# command-line and for cron jobs to use sendmail -t
#
# sendmail_exec_t is the type of /usr/sbin/sendmail
#
# Layout of this file:
#  - type declaration for sendmail_exec_t (only when sendmail.te is absent)
#  - the system_mail_t domain (mail_domain macro) and its targeted/strict rules
#  - rules shared by every MTA user agent (mta_user_agent attribute)
#  - rules shared by every local delivery agent (mta_delivery_agent attribute)
#
# Comments placed inside an ifdef branch must not contain m4 quote characters
# (backtick or apostrophe); the branch is collected as a quoted string first.
#
# define sendmail_exec_t if sendmail.te does not do it for us
ifdef(`sendmail.te', `', `
type sendmail_exec_t, file_type, exec_type, sysadmfile;
')

# create a system_mail_t domain for daemons, init scripts, etc when they run
# "mail user@domain"
mail_domain(system)

ifdef(`targeted_policy', `
# rules are currently defined in sendmail.te, but it is not included in
# targeted policy. We could move these rules permanently here.
#
# NOTE(review): can_exec_any is a broad grant (execution of every executable
# type visible to the macro) and is only skipped when postfix.te is present;
# confirm the macro definition before relying on this branch in a hardened
# build.
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
allow system_mail_t self:dir search;
allow system_mail_t self:lnk_file read;
# read-only access to /proc and /proc/net style entries
r_dir_file(system_mail_t, { proc_t proc_net_t })
allow system_mail_t fs_t:filesystem getattr;
allow system_mail_t { var_t var_spool_t }:dir getattr;
# full create/read/write on the queue and mailbox spools
create_dir_file(system_mail_t, mqueue_spool_t)
create_dir_file(system_mail_t, mail_spool_t)
allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
# MTA configuration is read-only from this domain
allow system_mail_t etc_mail_t:file { getattr read };
', `
ifdef(`sendmail.te', `
# sendmail has an ugly design, the one process parses input from the user and
# then does system things with it.
# init scripts running sendmail_exec_t transition into sendmail_t
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
', `
# no sendmail.te: init scripts running the MTA binary land in system_mail_t
domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
')
# /usr/sbin/sendmail is commonly a symlink; init scripts may follow it
allow initrc_t sendmail_exec_t:lnk_file { getattr read };

# allow the sysadmin to do "mail someone < /home/user/whatever"
allow sysadm_mail_t user_home_dir_type:dir search;
r_dir_file(sysadm_mail_t, user_home_type)
')

# for a mail server process that does things in response to a user command
# mta_user_agent is an attribute shared by the per-user mail domains; these
# rules let such a process report exit status to, and inherit fds from, the
# user (or cron) process that invoked it
allow mta_user_agent userdomain:process sigchld;
allow mta_user_agent { userdomain privfd }:fd use;
ifdef(`crond.te', `
allow mta_user_agent crond_t:process sigchld;
')
allow mta_user_agent sysadm_t:fifo_file { read write };

# callers in the privmail attribute may hand a mail agent their fds and a
# pipe, and receive sigchld back
allow { system_mail_t mta_user_agent } privmail:fd use;
allow { system_mail_t mta_user_agent } privmail:process sigchld;
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
# allows interactive output on an administrator terminal; note this is read
# AND write on admin tty devices, not just write
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };

# delivery agents only need to traverse /home, not read user files here
allow mta_delivery_agent home_root_t:dir { getattr search };
# for /var/spool/mail
ra_dir_create_file(mta_delivery_agent, mail_spool_t)

# for piping mail to a command
# NOTE(review): can_exec without a domain transition keeps the shell inside the
# delivery agent domain, so anything run this way inherits the rules below;
# review any further grants to mta_delivery_agent with that in mind.
can_exec(mta_delivery_agent, shell_exec_t)
allow mta_delivery_agent bin_t:dir search;
allow mta_delivery_agent bin_t:lnk_file read;
allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };

allow system_mail_t etc_runtime_t:file { getattr read };
# read access to the kernel random devices (e.g. for message ids); getattr+read
# only, no write
allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };

ifdef(`targeted_policy', `
# in targeted policy sysadm_mail_t is just another name for system_mail_t, so
# every rule above that names either type applies to both
typealias system_mail_t alias sysadm_mail_t;
')