#DESC Amavis - Anti-virus
#
# Author: Brian May
# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper
# Depends: clamav.te
#
#################################
#
# Rules for the amavisd_t domain.
#
# Policy for the amavisd mail-scanning daemon.  The daemon itself runs as
# amavisd_t; every other domain named in this file (initrc_t, clamd_t,
# scannerdaemon_t, dcc_client_t, pyzor_t, the mta_delivery_agent and
# mail_server_* attributes) is declared elsewhere in the policy.
#

# Configuration files; amavisd_t gets read-only access below.
type amavisd_etc_t, file_type, sysadmfile;
# Working files under var/lib; read/write for amavisd_t and shared
# read-only with the external scanner domains further down.
type amavisd_lib_t, file_type, sysadmfile;

# Virus and spam found and quarantined.
# NOTE(review): also carries the tmpfile attribute, so any generic rule
# written against tmpfile applies to the quarantine as well — confirm that
# is intended before tightening quarantine access.
type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;

# The two calls below declare the daemon domain (amavisd_t, its executable
# type) and a private tmp type.  amavisd_var_run_t, referenced a few lines
# down, is presumably declared by the first of them — confirm in the macro.
daemon_domain(amavisd)
tmp_domain(amavisd)

# Init-script access: read the configuration, clean out the var/lib
# working directory (write/unlink/rmdir), and setattr on the pid directory.
allow initrc_t amavisd_etc_t:file { getattr read };
allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
allow initrc_t amavisd_lib_t:file unlink;
allow initrc_t amavisd_var_run_t:dir setattr;

# NOTE(review): dac_override lets amavisd_t ignore file mode bits on every
# file its type rules already reach; chown/setuid/setgid look like the usual
# start-as-root-then-drop-privileges set.  Confirm dac_override is still
# needed once the daemon has switched user.
allow amavisd_t self:capability { chown dac_override setgid setuid };
dontaudit amavisd_t self:capability sys_tty_config;

# Read-only access to usr_t files and symlinks; ioctl denials are silenced,
# not granted.
allow amavisd_t usr_t:{ file lnk_file } { getattr read };
dontaudit amavisd_t usr_t:file ioctl;

# networking
# Inbound: amavisd_t binds and serves on its receive port; any domain with
# the mta_delivery_agent attribute may connect to that port.
can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
# The next line doesn't work right so drop the port specification.
#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
# NOTE(review): because the port-less form is used, this macro on its own
# does not limit which TCP ports amavisd_t may connect to; the explicit
# name_connect rule that follows adds the send port but does not narrow
# what the macro already grants.  Check the macro definition before relying
# on port-level containment of outbound connections.
can_network_client_tcp(amavisd_t)
allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
# DNS and NIS lookups, plus TCP in both directions between the mail server
# domains and amavisd_t.
can_resolve(amavisd_t);
can_ypbind(amavisd_t);
can_tcp_connect(mail_server_sender, amavisd_t);
can_tcp_connect(amavisd_t, mail_server_domain)

# Each conditional block below is presumably only compiled in when the
# named policy file is part of the build — confirm against the build setup.

# External scanner daemon: amavisd_t connects to it over TCP and it gets
# read-only access to the working files.
ifdef(`scannerdaemon.te', `
can_tcp_connect(amavisd_t, scannerdaemon_t);
allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;
allow scannerdaemon_t amavisd_lib_t:file r_file_perms;
')

# ClamAV: a private amavisd_clamscan_t domain is created for the clamscan
# binary (authorised for system_r, entered automatically from amavisd_t),
# and both it and clamd_t get read-only access to the working files.
ifdef(`clamav.te', `
clamscan_domain(amavisd)
role system_r types amavisd_clamscan_t;
domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)
allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;
allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;
can_clamd_connect(amavisd)
allow clamd_t amavisd_lib_t:dir r_dir_perms;
allow clamd_t amavisd_lib_t:file r_file_perms;
')

# DCC
# The DCC client only needs to read the working files.
ifdef(`dcc.te', `
allow dcc_client_t amavisd_lib_t:file r_file_perms;
')

# Pyzor
# Pyzor runs in its own pyzor_t domain (automatic transition from
# amavisd_t) but needs write access to the working directory, see below.
ifdef(`pyzor.te',`
domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
#allow pyzor_t amavisd_data_t:dir search;
# Pyzor creates a temp file adjacent to the working file.
create_dir_file(pyzor_t, amavisd_lib_t);
')

# SpamAssassin is executed from within amavisd, but needs to read its
# config
# (read-only on etc_mail_t; no separate domain for SpamAssassin here).
ifdef(`spamd.te', `
r_dir_file(amavisd_t, etc_mail_t)
')

# Can create unix sockets
allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
allow amavisd_t self:unix_dgram_socket create_socket_perms;
allow amavisd_t self:fifo_file getattr;

read_locale(amavisd_t)

# Access config files (amavisd).
allow amavisd_t amavisd_etc_t:file r_file_perms;

log_domain(amavisd)

# Access amavisd var/lib files.
create_dir_file(amavisd_t, amavisd_lib_t)

# Access amavisd quarantined files.
create_dir_file(amavisd_t, amavisd_quarantine_t)

# Run helper programs.
# NOTE(review): no domain transition for bin_t is declared in this file, so
# helpers executed via this rule apparently keep running as amavisd_t and
# inherit its full permission set, including dac_override — confirm in the
# macro definition.
can_exec_any(amavisd_t,bin_t)
allow amavisd_t bin_t:dir { getattr search };
allow amavisd_t sbin_t:dir search;
allow amavisd_t var_lib_t:dir search;

# allow access to files for scanning (required for amavis):
# NOTE(review): this grants clamd_t (a domain from clamav.te) DAC bypass on
# every file it can otherwise reach, not only amavisd_lib_t, and it sits
# outside the clamav conditional block above.  The "Depends: clamav.te"
# header makes the unconditional reference to clamd_t acceptable, but the
# header and the conditional block should agree on whether ClamAV is optional.
allow clamd_t self:capability { dac_override dac_read_search };

# unknown stuff
# Entropy devices, proc_t and etc_runtime_t are all read-only here.
allow amavisd_t self:fifo_file { ioctl read write };
allow amavisd_t { random_device_t urandom_device_t }:chr_file read;
allow amavisd_t proc_t:file { getattr read };
allow amavisd_t etc_runtime_t:file { getattr read };

# broken stuff
# dontaudit only suppresses the log entry; the access is still denied.
# NOTE(review): silencing shadow_t reads also hides any later attempt by a
# compromised amavisd_t to read the password shadow file — weigh log noise
# against losing that signal.
dontaudit amavisd_t sysadm_home_dir_t:dir search;
dontaudit amavisd_t shadow_t:file { getattr read };
dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };