commit: 862050dcd2025c7b7331c89601beca3bf44b1422 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sun Oct 28 17:04:28 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Oct 28 17:59:09 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=862050dc |
|
Changes to the spamassassin policy module and relevant dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/razor.if | 41 ++++ |
policy/modules/contrib/razor.te | 2 +- |
policy/modules/contrib/spamassassin.fc | 17 ++- |
policy/modules/contrib/spamassassin.if | 107 +++++++--- |
policy/modules/contrib/spamassassin.te | 350 ++++++++++++++++++++------------ |
5 files changed, 352 insertions(+), 165 deletions(-) |
|
diff --git a/policy/modules/contrib/razor.if b/policy/modules/contrib/razor.if |
23 |
index 9ea7d52..1e4b523 100644 |
24 |
--- a/policy/modules/contrib/razor.if |
25 |
+++ b/policy/modules/contrib/razor.if |
26 |
@@ -87,3 +87,44 @@ interface(`razor_domtrans',` |
27 |
corecmd_search_bin($1) |
28 |
domtrans_pattern($1, razor_exec_t, system_razor_t) |
29 |
') |
30 |
+ |
31 |
+######################################## |
32 |
+## <summary> |
33 |
+## Create, read, write, and delete |
34 |
+## razor home content. |
35 |
+## </summary> |
36 |
+## <param name="domain"> |
37 |
+## <summary> |
38 |
+## Domain allowed access. |
39 |
+## </summary> |
40 |
+## </param> |
41 |
+# |
42 |
+interface(`razor_manage_home_content',` |
43 |
+ gen_require(` |
44 |
+ type razor_home_t; |
45 |
+ ') |
46 |
+ |
47 |
+ userdom_search_user_home_dirs($1) |
48 |
+ allow $1 razor_home_t:dir manage_dir_perms; |
49 |
+ allow $1 razor_home_t:file manage_file_perms; |
50 |
+ allow $1 razor_home_t:lnk_file manage_lnk_file_perms; |
51 |
+') |
52 |
+ |
53 |
+######################################## |
54 |
+## <summary> |
55 |
+## Read razor lib files. |
56 |
+## </summary> |
57 |
+## <param name="domain"> |
58 |
+## <summary> |
59 |
+## Domain allowed access. |
60 |
+## </summary> |
61 |
+## </param> |
62 |
+# |
63 |
+interface(`razor_read_lib_files',` |
64 |
+ gen_require(` |
65 |
+ type razor_var_lib_t; |
66 |
+ ') |
67 |
+ |
68 |
+ files_search_var_lib($1) |
69 |
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) |
70 |
+') |
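Review bot: `razor_manage_home_content` spells out its access with three raw `allow` rules on `razor_home_t`, while `razor_read_lib_files` directly below it and the existing `razor_domtrans` use the refpolicy `*_pattern` macros; the consistent form is `manage_dirs_pattern($1, razor_home_t, razor_home_t)`, `manage_files_pattern($1, razor_home_t, razor_home_t)` and `manage_lnk_files_pattern($1, razor_home_t, razor_home_t)`. Neither new interface has a caller in the visible part of this commit (the tail of spamassassin.te lies outside the shown hunks), so it is worth confirming which domain consumes them and that the manage-level access on a user's home content is what that caller actually needs.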
71 |
|
72 |
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te |
73 |
index b92caa1..5ddedbc 100644 |
74 |
--- a/policy/modules/contrib/razor.te |
75 |
+++ b/policy/modules/contrib/razor.te |
76 |
@@ -1,4 +1,4 @@ |
77 |
-policy_module(razor, 2.3.1) |
78 |
+policy_module(razor, 2.3.2) |
79 |
|
80 |
######################################## |
81 |
# |
82 |
|
83 |
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc |
84 |
index 06e1313..e9bd097 100644 |
85 |
--- a/policy/modules/contrib/spamassassin.fc |
86 |
+++ b/policy/modules/contrib/spamassassin.fc |
87 |
@@ -1,16 +1,31 @@ |
88 |
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) |
89 |
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) |
90 |
|
91 |
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) |
92 |
+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) |
93 |
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) |
94 |
+ |
95 |
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) |
96 |
-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) |
97 |
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) |
98 |
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) |
99 |
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) |
100 |
+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) |
101 |
|
102 |
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) |
103 |
+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) |
104 |
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) |
105 |
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) |
106 |
|
107 |
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) |
108 |
+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) |
109 |
+ |
110 |
+/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) |
111 |
+/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0) |
112 |
|
113 |
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) |
114 |
|
115 |
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) |
116 |
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) |
117 |
+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) |
118 |
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) |
119 |
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) |
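Review bot: `/var/spool/MD-Quarantine(/.*)?` and `/var/spool/MIMEDefang(/.*)?` are labelled `spamd_var_run_t`, the pid/socket type, while the neighbouring `/var/spool/spampd(/.*)?` entry and every other spool path use `spamd_spool_t`. Quarantined mail under a runtime type becomes readable by every domain granted `spamassassin_read_spamd_pid_files` or `spamassassin_stream_connect_spamd`, and `spamassassin_admin` reaches it through `admin_pattern($1, spamd_var_run_t)` rather than the spool rule; unless MIMEDefang needs its multiplexor socket under those paths, `gen_context(system_u:object_r:spamd_spool_t,s0)` is the safer label for at least the quarantine directory. Separately, with `/usr/bin/spamassassin` moved to `spamc_exec_t` no path in this file carries `spamassassin_exec_t` any more, so `spamassassin_domtrans_local_client` and the `spamassassin_t` domain become unreachable unless that label is assigned elsewhere.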
120 |
|
121 |
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if |
122 |
index f2d1fa0..b180439 100644 |
123 |
--- a/policy/modules/contrib/spamassassin.if |
124 |
+++ b/policy/modules/contrib/spamassassin.if |
125 |
@@ -2,41 +2,39 @@ |
126 |
|
127 |
######################################## |
128 |
## <summary> |
129 |
-## Role access for spamassassin |
130 |
+## Role access for spamassassin. |
131 |
## </summary> |
132 |
## <param name="role"> |
133 |
## <summary> |
134 |
-## Role allowed access |
135 |
+## Role allowed access. |
136 |
## </summary> |
137 |
## </param> |
138 |
## <param name="domain"> |
139 |
## <summary> |
140 |
-## User domain for the role |
141 |
+## User domain for the role. |
142 |
## </summary> |
143 |
## </param> |
144 |
# |
145 |
interface(`spamassassin_role',` |
146 |
gen_require(` |
147 |
type spamc_t, spamc_exec_t, spamc_tmp_t; |
148 |
- type spamassassin_t, spamassassin_exec_t; |
149 |
+ type spamassassin_t, spamassassin_exec_t, spamd_home_t; |
150 |
type spamassassin_home_t, spamassassin_tmp_t; |
151 |
') |
152 |
|
153 |
role $1 types { spamc_t spamassassin_t }; |
154 |
|
155 |
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) |
156 |
- ps_process_pattern($2, spamassassin_t) |
157 |
- |
158 |
domtrans_pattern($2, spamc_exec_t, spamc_t) |
159 |
- ps_process_pattern($2, spamc_t) |
160 |
- |
161 |
- manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) |
162 |
- manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) |
163 |
- manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) |
164 |
- relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) |
165 |
- relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) |
166 |
- relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) |
167 |
+ |
168 |
+ allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms }; |
169 |
+ ps_process_pattern($2, { spamc_t spamassassin_t }) |
170 |
+ |
171 |
+ allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; |
172 |
+ allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; |
173 |
+ allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; |
174 |
userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin") |
175 |
+ userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamd") |
176 |
') |
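Review bot: The new `userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamd")` creates `~/.spamd` as `spamassassin_home_t`, but spamassassin.fc labels `HOME_DIR/\.spamd(/.*)?` as `spamd_home_t` and the daemon section of spamassassin.te transitions the same name to `spamd_home_t`, so a user-created `~/.spamd` would disagree with both restorecon and what `spamd_t` manages. The require block already pulls in `spamd_home_t`, so the line should read `userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")`. The consolidated `allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:...` rules also extend the role's manage and relabel access to the two tmp types, which the old rules did not grant and the summary does not mention. `{ spamc_t spamassassin_t}` on the process rule is missing the closing space used in every other set in this file.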
177 |
|
178 |
######################################## |
179 |
@@ -55,13 +53,13 @@ interface(`spamassassin_exec',` |
180 |
type spamassassin_exec_t; |
181 |
') |
182 |
|
183 |
+ corecmd_search_bin($1) |
184 |
can_exec($1, spamassassin_exec_t) |
185 |
- |
186 |
') |
187 |
|
188 |
######################################## |
189 |
## <summary> |
190 |
-## Singnal the spam assassin daemon |
191 |
+## Send generic signals to spamd. |
192 |
## </summary> |
193 |
## <param name="domain"> |
194 |
## <summary> |
195 |
@@ -79,8 +77,7 @@ interface(`spamassassin_signal_spamd',` |
196 |
|
197 |
######################################## |
198 |
## <summary> |
199 |
-## Execute the spamassassin daemon |
200 |
-## program in the caller directory. |
201 |
+## Execute spamd in the caller domain. |
202 |
## </summary> |
203 |
## <param name="domain"> |
204 |
## <summary> |
205 |
@@ -93,12 +90,13 @@ interface(`spamassassin_exec_spamd',` |
206 |
type spamd_exec_t; |
207 |
') |
208 |
|
209 |
+ corecmd_search_bin($1) |
210 |
can_exec($1, spamd_exec_t) |
211 |
') |
212 |
|
213 |
######################################## |
214 |
## <summary> |
215 |
-## Execute spamassassin client in the spamassassin client domain. |
216 |
+## Execute spamc in the spamc domain. |
217 |
## </summary> |
218 |
## <param name="domain"> |
219 |
## <summary> |
220 |
@@ -111,13 +109,13 @@ interface(`spamassassin_domtrans_client',` |
221 |
type spamc_t, spamc_exec_t; |
222 |
') |
223 |
|
224 |
+ corecmd_search_bin($1) |
225 |
domtrans_pattern($1, spamc_exec_t, spamc_t) |
226 |
') |
227 |
|
228 |
######################################## |
229 |
## <summary> |
230 |
-## Execute the spamassassin client |
231 |
-## program in the caller directory. |
232 |
+## Execute spamc in the caller domain. |
233 |
## </summary> |
234 |
## <param name="domain"> |
235 |
## <summary> |
236 |
@@ -130,12 +128,13 @@ interface(`spamassassin_exec_client',` |
237 |
type spamc_exec_t; |
238 |
') |
239 |
|
240 |
+ corecmd_search_bin($1) |
241 |
can_exec($1, spamc_exec_t) |
242 |
') |
243 |
|
244 |
######################################## |
245 |
## <summary> |
246 |
-## Send kill signals to spamassassin client. |
247 |
+## Send kill signals to spamc. |
248 |
## </summary> |
249 |
## <param name="domain"> |
250 |
## <summary> |
251 |
@@ -153,7 +152,8 @@ interface(`spamassassin_kill_client',` |
252 |
|
253 |
######################################## |
254 |
## <summary> |
255 |
-## Execute spamassassin standalone client in the user spamassassin domain. |
256 |
+## Execute spamassassin standalone client |
257 |
+## in the user spamassassin domain. |
258 |
## </summary> |
259 |
## <param name="domain"> |
260 |
## <summary> |
261 |
@@ -166,6 +166,7 @@ interface(`spamassassin_domtrans_local_client',` |
262 |
type spamassassin_t, spamassassin_exec_t; |
263 |
') |
264 |
|
265 |
+ corecmd_search_bin($1) |
266 |
domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) |
267 |
') |
268 |
|
269 |
@@ -243,7 +244,7 @@ interface(`spamassassin_home_filetrans_spamd_home',` |
270 |
|
271 |
######################################## |
272 |
## <summary> |
273 |
-## read spamd lib files. |
274 |
+## Read spamd lib files. |
275 |
## </summary> |
276 |
## <param name="domain"> |
277 |
## <summary> |
278 |
@@ -301,7 +302,7 @@ interface(`spamassassin_read_spamd_pid_files',` |
279 |
|
280 |
######################################## |
281 |
## <summary> |
282 |
-## Read temporary spamd file. |
283 |
+## Read temporary spamd files. |
284 |
## </summary> |
285 |
## <param name="domain"> |
286 |
## <summary> |
287 |
@@ -319,8 +320,8 @@ interface(`spamassassin_read_spamd_tmp_files',` |
288 |
|
289 |
######################################## |
290 |
## <summary> |
291 |
-## Do not audit attempts to get attributes of temporary |
292 |
-## spamd sockets/ |
293 |
+## Do not audit attempts to get |
294 |
+## attributes of temporary spamd sockets. |
295 |
## </summary> |
296 |
## <param name="domain"> |
297 |
## <summary> |
298 |
@@ -338,7 +339,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` |
299 |
|
300 |
######################################## |
301 |
## <summary> |
302 |
-## Connect to run spamd with a unix |
303 |
+## Connect to spamd with a unix |
304 |
## domain stream socket. |
305 |
## </summary> |
306 |
## <param name="domain"> |
307 |
@@ -355,3 +356,53 @@ interface(`spamassassin_stream_connect_spamd',` |
308 |
files_search_pids($1) |
309 |
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) |
310 |
') |
311 |
+ |
312 |
+######################################## |
313 |
+## <summary> |
314 |
+## All of the rules required to |
315 |
+## administrate an spamassassin environment. |
316 |
+## </summary> |
317 |
+## <param name="domain"> |
318 |
+## <summary> |
319 |
+## Domain allowed access. |
320 |
+## </summary> |
321 |
+## </param> |
322 |
+## <param name="role"> |
323 |
+## <summary> |
324 |
+## Role allowed access. |
325 |
+## </summary> |
326 |
+## </param> |
327 |
+## <rolecap/> |
328 |
+# |
329 |
+interface(`spamassassin_admin',` |
330 |
+ gen_require(` |
331 |
+ type spamd_t, spamd_tmp_t, spamd_log_t; |
332 |
+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; |
333 |
+ type spamd_initrc_exec_t; |
334 |
+ ') |
335 |
+ |
336 |
+ allow $1 spamd_t:process { ptrace signal_perms }; |
337 |
+ ps_process_pattern($1, spamd_t) |
338 |
+ |
339 |
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t) |
340 |
+ domain_system_change_exemption($1) |
341 |
+ role_transition $2 spamd_initrc_exec_t system_r; |
342 |
+ allow $2 system_r; |
343 |
+ |
344 |
+ files_list_tmp($1) |
345 |
+ admin_pattern($1, spamd_tmp_t) |
346 |
+ |
347 |
+ logging_list_logs($1) |
348 |
+ admin_pattern($1, spamd_log_t) |
349 |
+ |
350 |
+ files_list_spool($1) |
351 |
+ admin_pattern($1, spamd_spool_t) |
352 |
+ |
353 |
+ files_list_var_lib($1) |
354 |
+ admin_pattern($1, spamd_var_lib_t) |
355 |
+ |
356 |
+ files_list_pids($1) |
357 |
+ admin_pattern($1, spamd_var_run_t) |
358 |
+ |
359 |
+ spamassassin_role($2, $1) |
360 |
+') |
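Review bot: `spamassassin_admin` omits the two file types this commit introduces in spamassassin.te, `spamd_compiled_t` (labelled on `/var/lib/spamassassin/compiled(/.*)?` in the .fc hunk) and `spamd_etc_t`, so an administrator granted this interface can manage `/var/lib/spamassassin` via `admin_pattern($1, spamd_var_lib_t)` but not the compiled subtree beneath it, and cannot touch whatever is later labelled `spamd_etc_t`. Adding both to the `gen_require` and using `admin_pattern($1, { spamd_compiled_t spamd_var_lib_t })` plus `files_list_etc($1)` / `admin_pattern($1, spamd_etc_t)` would close that gap. The closing `spamassassin_role($2, $1)` also hands the admin domain the full user-role access, including manage and relabel of the user home content types, which is conventional for refpolicy admin interfaces but worth stating in the summary; `an spamassassin` there should read `a spamassassin`.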
361 |
|
362 |
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te |
363 |
index e141309..01e5555 100644 |
364 |
--- a/policy/modules/contrib/spamassassin.te |
365 |
+++ b/policy/modules/contrib/spamassassin.te |
366 |
@@ -1,4 +1,4 @@ |
367 |
-policy_module(spamassassin, 2.5.5) |
368 |
+policy_module(spamassassin, 2.5.6) |
369 |
|
370 |
######################################## |
371 |
# |
372 |
@@ -6,19 +6,25 @@ policy_module(spamassassin, 2.5.5) |
373 |
# |
374 |
|
375 |
## <desc> |
376 |
-## <p> |
377 |
-## Allow user spamassassin clients to use the network. |
378 |
-## </p> |
379 |
+## <p> |
380 |
+## Determine whether spamassassin |
381 |
+## clients can use the network. |
382 |
+## </p> |
383 |
## </desc> |
384 |
gen_tunable(spamassassin_can_network, false) |
385 |
|
386 |
## <desc> |
387 |
-## <p> |
388 |
-## Allow spamd to read/write user home directories. |
389 |
-## </p> |
390 |
+## <p> |
391 |
+## Determine whether spamd can manage |
392 |
+## generic user home content. |
393 |
+## </p> |
394 |
## </desc> |
395 |
gen_tunable(spamd_enable_home_dirs, false) |
396 |
|
397 |
+type spamd_update_t; |
398 |
+type spamd_update_exec_t; |
399 |
+init_system_domain(spamd_update_t, spamd_update_exec_t) |
400 |
+ |
401 |
type spamassassin_t; |
402 |
type spamassassin_exec_t; |
403 |
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; |
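Review bot: The `spamd_update_t` / `spamd_update_exec_t` pair is declared between the tunables and the `spamassassin_t` declarations, whereas the other new types this commit adds (`spamd_compiled_t`, `spamd_etc_t`, `spamd_initrc_exec_t`, `spamd_log_t`) are slotted alphabetically into the spamd block further down; moving these three lines after `spamd_tmp_t` keeps the declaration block in the module's existing order. The rules for `spamd_update_t` are not within the shown hunks (the file's tail is cut off), so its actual access could not be reviewed here; as an `init_system_domain` backing `/usr/bin/sa-update` it is worth checking that it is confined to the `spamd_var_lib_t`/`spamd_compiled_t` writes it needs rather than inheriting the daemon's home-directory rules.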
404 |
@@ -50,39 +56,43 @@ type spamd_t; |
405 |
type spamd_exec_t; |
406 |
init_daemon_domain(spamd_t, spamd_exec_t) |
407 |
|
408 |
+type spamd_compiled_t; |
409 |
+files_type(spamd_compiled_t) |
410 |
+ |
411 |
+type spamd_etc_t; |
412 |
+files_config_file(spamd_etc_t) |
413 |
+ |
414 |
type spamd_home_t; |
415 |
userdom_user_home_content(spamd_home_t) |
416 |
|
417 |
+type spamd_initrc_exec_t; |
418 |
+init_script_file(spamd_initrc_exec_t) |
419 |
+ |
420 |
+type spamd_log_t; |
421 |
+logging_log_file(spamd_log_t) |
422 |
+ |
423 |
type spamd_spool_t; |
424 |
files_type(spamd_spool_t) |
425 |
|
426 |
type spamd_tmp_t; |
427 |
files_tmp_file(spamd_tmp_t) |
428 |
|
429 |
-# var/lib files |
430 |
type spamd_var_lib_t; |
431 |
files_type(spamd_var_lib_t) |
432 |
|
433 |
type spamd_var_run_t; |
434 |
files_pid_file(spamd_var_run_t) |
435 |
|
436 |
-############################## |
437 |
+######################################## |
438 |
# |
439 |
-# Standalone program local policy |
440 |
+# Standalone local policy |
441 |
# |
442 |
|
443 |
allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
444 |
allow spamassassin_t self:fd use; |
445 |
allow spamassassin_t self:fifo_file rw_fifo_file_perms; |
446 |
-allow spamassassin_t self:sock_file read_sock_file_perms; |
447 |
-allow spamassassin_t self:unix_dgram_socket create_socket_perms; |
448 |
-allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; |
449 |
allow spamassassin_t self:unix_dgram_socket sendto; |
450 |
-allow spamassassin_t self:unix_stream_socket connectto; |
451 |
-allow spamassassin_t self:shm create_shm_perms; |
452 |
-allow spamassassin_t self:sem create_sem_perms; |
453 |
-allow spamassassin_t self:msgq create_msgq_perms; |
454 |
-allow spamassassin_t self:msg { send receive }; |
455 |
+allow spamassassin_t self:unix_stream_socket { accept connectto listen }; |
456 |
|
457 |
manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) |
458 |
manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) |
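Review bot: `spamd_etc_t` is declared with `files_config_file` here, but the spamassassin.fc hunk in this commit, which covers the whole file, assigns that type to no path, so nothing on disk will carry it and any rule written against it is inert until a file context for the spamassassin configuration directory is added; the consumers of the type are presumably in the unseen tail of the file. The narrowing of `spamassassin_t`'s self socket rules to `{ accept connectto listen }` drops the `create_stream_socket_perms` and `create_socket_perms` grants together with the shm/sem/msgq rules; that only works if the base domain rules supply them, which this hunk does not show, so it is worth confirming against the domain module before merging.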
459 |
@@ -95,26 +105,13 @@ manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) |
460 |
manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) |
461 |
files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) |
462 |
|
463 |
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
464 |
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
465 |
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
466 |
-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
467 |
-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
468 |
-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) |
469 |
- |
470 |
kernel_read_kernel_sysctls(spamassassin_t) |
471 |
|
472 |
dev_read_urand(spamassassin_t) |
473 |
|
474 |
+fs_getattr_all_fs(spamassassin_t) |
475 |
fs_search_auto_mountpoints(spamassassin_t) |
476 |
|
477 |
-# this should probably be removed |
478 |
-corecmd_list_bin(spamassassin_t) |
479 |
-corecmd_read_bin_symlinks(spamassassin_t) |
480 |
-corecmd_read_bin_files(spamassassin_t) |
481 |
-corecmd_read_bin_pipes(spamassassin_t) |
482 |
-corecmd_read_bin_sockets(spamassassin_t) |
483 |
- |
484 |
domain_use_interactive_fds(spamassassin_t) |
485 |
|
486 |
files_read_etc_files(spamassassin_t) |
487 |
@@ -127,34 +124,19 @@ logging_send_syslog_msg(spamassassin_t) |
488 |
|
489 |
miscfiles_read_localization(spamassassin_t) |
490 |
|
491 |
-# cjp: this could probably be removed |
492 |
-seutil_read_config(spamassassin_t) |
493 |
- |
494 |
sysnet_dns_name_resolve(spamassassin_t) |
495 |
|
496 |
-# set tunable if you have spamassassin do DNS lookups |
497 |
tunable_policy(`spamassassin_can_network',` |
498 |
- allow spamassassin_t self:tcp_socket create_stream_socket_perms; |
499 |
- allow spamassassin_t self:udp_socket create_socket_perms; |
500 |
+ allow spamassassin_t self:tcp_socket { accept listen }; |
501 |
|
502 |
corenet_all_recvfrom_unlabeled(spamassassin_t) |
503 |
corenet_all_recvfrom_netlabel(spamassassin_t) |
504 |
corenet_tcp_sendrecv_generic_if(spamassassin_t) |
505 |
- corenet_udp_sendrecv_generic_if(spamassassin_t) |
506 |
corenet_tcp_sendrecv_generic_node(spamassassin_t) |
507 |
- corenet_udp_sendrecv_generic_node(spamassassin_t) |
508 |
corenet_tcp_sendrecv_all_ports(spamassassin_t) |
509 |
- corenet_udp_sendrecv_all_ports(spamassassin_t) |
510 |
+ |
511 |
corenet_tcp_connect_all_ports(spamassassin_t) |
512 |
corenet_sendrecv_all_client_packets(spamassassin_t) |
513 |
- |
514 |
- sysnet_read_config(spamassassin_t) |
515 |
-') |
516 |
- |
517 |
-tunable_policy(`spamd_enable_home_dirs',` |
518 |
- userdom_manage_user_home_content_dirs(spamd_t) |
519 |
- userdom_manage_user_home_content_files(spamd_t) |
520 |
- userdom_manage_user_home_content_symlinks(spamd_t) |
521 |
') |
522 |
|
523 |
tunable_policy(`use_nfs_home_dirs',` |
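Review bot: The `spamd_enable_home_dirs` tunable_policy block is deleted here while `gen_tunable(spamd_enable_home_dirs, false)` is kept (and reworded) in the first hunk of this file; unless the block is reinstated in the daemon section, which lies outside the shown hunks, the boolean becomes a no-op that an administrator can toggle without effect. If it was moved, a one-line comment next to the tunable saying so would avoid the question; if it was dropped, the `gen_tunable` should go with it. Inside the `spamassassin_can_network` block the standalone client is now granted `self:tcp_socket { accept listen }`, which lets a client-side tool accept inbound connections; if only outbound DNS and razor traffic is intended, `corenet_tcp_connect_all_ports` already covers that and the listen/accept pair can be left out.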
524 |
@@ -170,11 +152,6 @@ tunable_policy(`use_samba_home_dirs',` |
525 |
') |
526 |
|
527 |
optional_policy(` |
528 |
- # Write pid file and socket in ~/.evolution/cache/tmp |
529 |
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) |
530 |
-') |
531 |
- |
532 |
-optional_policy(` |
533 |
tunable_policy(`spamassassin_can_network && allow_ypbind',` |
534 |
nis_use_ypbind_uncond(spamassassin_t) |
535 |
') |
536 |
@@ -190,139 +167,157 @@ optional_policy(` |
537 |
# Client local policy |
538 |
# |
539 |
|
540 |
+allow spamc_t self:capability dac_override; |
541 |
allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
542 |
allow spamc_t self:fd use; |
543 |
allow spamc_t self:fifo_file rw_fifo_file_perms; |
544 |
-allow spamc_t self:sock_file read_sock_file_perms; |
545 |
-allow spamc_t self:shm create_shm_perms; |
546 |
-allow spamc_t self:sem create_sem_perms; |
547 |
-allow spamc_t self:msgq create_msgq_perms; |
548 |
-allow spamc_t self:msg { send receive }; |
549 |
-allow spamc_t self:unix_dgram_socket create_socket_perms; |
550 |
-allow spamc_t self:unix_stream_socket create_stream_socket_perms; |
551 |
allow spamc_t self:unix_dgram_socket sendto; |
552 |
-allow spamc_t self:unix_stream_socket connectto; |
553 |
-allow spamc_t self:tcp_socket create_stream_socket_perms; |
554 |
-allow spamc_t self:udp_socket create_socket_perms; |
555 |
+allow spamc_t self:unix_stream_socket { accept connectto listen }; |
556 |
+allow spamc_t self:tcp_socket { accept listen }; |
557 |
|
558 |
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) |
559 |
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) |
560 |
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) |
561 |
|
562 |
-# Allow connecting to a local spamd |
563 |
-allow spamc_t spamd_t:unix_stream_socket connectto; |
564 |
-allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; |
565 |
+manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) |
566 |
+manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) |
567 |
+manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) |
568 |
+manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) |
569 |
+manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) |
570 |
+userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin") |
571 |
+ |
572 |
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) |
573 |
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) |
574 |
+ |
575 |
+stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) |
576 |
|
577 |
kernel_read_kernel_sysctls(spamc_t) |
578 |
+kernel_read_system_state(spamc_t) |
579 |
|
580 |
corenet_all_recvfrom_unlabeled(spamc_t) |
581 |
corenet_all_recvfrom_netlabel(spamc_t) |
582 |
corenet_tcp_sendrecv_generic_if(spamc_t) |
583 |
-corenet_udp_sendrecv_generic_if(spamc_t) |
584 |
corenet_tcp_sendrecv_generic_node(spamc_t) |
585 |
-corenet_udp_sendrecv_generic_node(spamc_t) |
586 |
corenet_tcp_sendrecv_all_ports(spamc_t) |
587 |
-corenet_udp_sendrecv_all_ports(spamc_t) |
588 |
-corenet_tcp_connect_all_ports(spamc_t) |
589 |
-corenet_sendrecv_all_client_packets(spamc_t) |
590 |
|
591 |
-fs_search_auto_mountpoints(spamc_t) |
592 |
+corenet_sendrecv_all_client_packets(spamc_t) |
593 |
+corenet_tcp_connect_all_ports(spamc_t) |
594 |
|
595 |
-# cjp: these should probably be removed: |
596 |
-corecmd_list_bin(spamc_t) |
597 |
-corecmd_read_bin_symlinks(spamc_t) |
598 |
-corecmd_read_bin_files(spamc_t) |
599 |
-corecmd_read_bin_pipes(spamc_t) |
600 |
-corecmd_read_bin_sockets(spamc_t) |
601 |
+corecmd_exec_bin(spamc_t) |
602 |
|
603 |
domain_use_interactive_fds(spamc_t) |
604 |
|
605 |
-files_read_etc_files(spamc_t) |
606 |
+fs_getattr_all_fs(spamc_t) |
607 |
+fs_search_auto_mountpoints(spamc_t) |
608 |
+ |
609 |
files_read_etc_runtime_files(spamc_t) |
610 |
files_read_usr_files(spamc_t) |
611 |
files_dontaudit_search_var(spamc_t) |
612 |
-# cjp: this may be removable: |
613 |
files_list_home(spamc_t) |
614 |
+files_list_var_lib(spamc_t) |
615 |
+ |
616 |
+auth_use_nsswitch(spamc_t) |
617 |
|
618 |
logging_send_syslog_msg(spamc_t) |
619 |
|
620 |
miscfiles_read_localization(spamc_t) |
621 |
|
622 |
-# cjp: this should probably be removed: |
623 |
-seutil_read_config(spamc_t) |
624 |
+tunable_policy(`use_nfs_home_dirs',` |
625 |
+ fs_manage_nfs_dirs(spamc_t) |
626 |
+ fs_manage_nfs_files(spamc_t) |
627 |
+ fs_manage_nfs_symlinks(spamc_t) |
628 |
+') |
629 |
|
630 |
-sysnet_read_config(spamc_t) |
631 |
+tunable_policy(`use_samba_home_dirs',` |
632 |
+ fs_manage_cifs_dirs(spamc_t) |
633 |
+ fs_manage_cifs_files(spamc_t) |
634 |
+ fs_manage_cifs_symlinks(spamc_t) |
635 |
+') |
636 |
|
637 |
optional_policy(` |
638 |
- # Allow connection to spamd socket above |
639 |
- evolution_stream_connect(spamc_t) |
640 |
+ abrt_stream_connect(spamc_t) |
641 |
') |
642 |
|
643 |
optional_policy(` |
644 |
- # Needed for pyzor/razor called from spamd |
645 |
- milter_manage_spamass_state(spamc_t) |
646 |
+ amavis_manage_spool_files(spamc_t) |
647 |
') |
648 |
|
649 |
optional_policy(` |
650 |
- nis_use_ypbind(spamc_t) |
651 |
+ evolution_stream_connect(spamc_t) |
652 |
') |
653 |
|
654 |
optional_policy(` |
655 |
- nscd_socket_use(spamc_t) |
656 |
+ milter_manage_spamass_state(spamc_t) |
657 |
') |
658 |
|
659 |
optional_policy(` |
660 |
+ mta_send_mail(spamc_t) |
661 |
mta_read_config(spamc_t) |
662 |
+ mta_read_queue(spamc_t) |
663 |
+ sendmail_rw_pipes(spamc_t) |
664 |
sendmail_stub(spamc_t) |
665 |
') |
666 |
|
667 |
+optional_policy(` |
668 |
+ postfix_domtrans_postdrop(spamc_t) |
669 |
+ postfix_search_spool(spamc_t) |
670 |
+ postfix_rw_local_pipes(spamc_t) |
671 |
+ postfix_rw_master_pipes(spamc_t) |
672 |
+') |
673 |
+ |
674 |
######################################## |
675 |
# |
676 |
-# Server local policy |
677 |
+# Daemon local policy |
678 |
# |
679 |
|
680 |
-# Spamassassin, when run as root and using per-user config files, |
681 |
-# setuids to the user running spamc. Comment this if you are not |
682 |
-# using this ability. |
683 |
- |
684 |
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; |
685 |
+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; |
686 |
dontaudit spamd_t self:capability sys_tty_config; |
687 |
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
688 |
allow spamd_t self:fd use; |
689 |
allow spamd_t self:fifo_file rw_fifo_file_perms; |
690 |
-allow spamd_t self:sock_file read_sock_file_perms; |
691 |
-allow spamd_t self:shm create_shm_perms; |
692 |
-allow spamd_t self:sem create_sem_perms; |
693 |
-allow spamd_t self:msgq create_msgq_perms; |
694 |
-allow spamd_t self:msg { send receive }; |
695 |
-allow spamd_t self:unix_dgram_socket create_socket_perms; |
696 |
-allow spamd_t self:unix_stream_socket create_stream_socket_perms; |
697 |
allow spamd_t self:unix_dgram_socket sendto; |
698 |
-allow spamd_t self:unix_stream_socket connectto; |
699 |
-allow spamd_t self:tcp_socket create_stream_socket_perms; |
700 |
-allow spamd_t self:udp_socket create_socket_perms; |
701 |
-allow spamd_t self:netlink_route_socket r_netlink_socket_perms; |
702 |
+allow spamd_t self:unix_stream_socket { accept connectto listen }; |
703 |
+allow spamd_t self:tcp_socket { accept listen }; |
704 |
|
705 |
manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) |
706 |
manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) |
707 |
manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) |
708 |
+manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) |
709 |
+manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) |
710 |
userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") |
711 |
|
712 |
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
713 |
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
714 |
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
715 |
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
716 |
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) |
717 |
+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") |
718 |
+ |
719 |
+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) |
720 |
+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) |
721 |
+ |
722 |
+allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; |
723 |
+logging_log_filetrans(spamd_t, spamd_log_t, file) |
724 |
+ |
725 |
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) |
726 |
manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) |
727 |
+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) |
728 |
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) |
729 |
|
730 |
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) |
731 |
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) |
732 |
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) |
733 |
|
734 |
-# var/lib files for spamd |
735 |
allow spamd_t spamd_var_lib_t:dir list_dir_perms; |
736 |
-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) |
737 |
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) |
738 |
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) |
739 |
|
740 |
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) |
741 |
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) |
742 |
-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) |
743 |
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) |
744 |
+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) |
745 |
+ |
746 |
+can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) |
747 |
|
748 |
kernel_read_all_sysctls(spamd_t) |
749 |
kernel_read_system_state(spamd_t) |
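Review bot: `allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };` is immediately followed by `dontaudit spamd_t self:capability sys_tty_config;`, so the dontaudit is dead and the daemon actually holds `sys_tty_config`; least privilege suggests `allow spamd_t self:capability { kill setuid setgid dac_override };` and keeping the dontaudit. `spamd_t` now both manages and executes `spamd_compiled_t` (`manage_files_pattern` on it plus `can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })`), so a compromised daemon could write a file it is allowed to execute; if compilation is meant to be done by sa-update/sa-compile, consider moving the write side to `spamd_update_t` and leaving `spamd_t` with read and exec only. `spamc_t` also gains `self:capability dac_override` without an explanation in the commit message; the client runs per user and this lets it bypass file DAC on every type its policy reaches, so a comment stating which access needs it would help the next reviewer. The daemon section continues past this hunk, so the remainder of its rules was not reviewed.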
750 |
@@ -336,58 +331,70 @@ corenet_udp_sendrecv_generic_node(spamd_t) |
751 |
corenet_tcp_sendrecv_all_ports(spamd_t) |
752 |
corenet_udp_sendrecv_all_ports(spamd_t) |
753 |
corenet_tcp_bind_generic_node(spamd_t) |
754 |
+corenet_udp_bind_generic_node(spamd_t) |
755 |
+ |
756 |
+corenet_sendrecv_spamd_server_packets(spamd_t) |
757 |
corenet_tcp_bind_spamd_port(spamd_t) |
758 |
+ |
759 |
+corenet_sendrecv_razor_client_packets(spamd_t) |
760 |
corenet_tcp_connect_razor_port(spamd_t) |
761 |
+ |
762 |
+corenet_sendrecv_smtp_client_packets(spamd_t) |
763 |
corenet_tcp_connect_smtp_port(spamd_t) |
764 |
-corenet_sendrecv_razor_client_packets(spamd_t) |
765 |
-corenet_sendrecv_spamd_server_packets(spamd_t) |
766 |
-# spamassassin 3.1 needs this for its |
767 |
-# DnsResolver.pm module which binds to |
768 |
-# random ports >= 1024. |
769 |
-corenet_udp_bind_generic_node(spamd_t) |
770 |
+ |
771 |
+corenet_sendrecv_generic_server_packets(spamd_t) |
772 |
corenet_udp_bind_generic_port(spamd_t) |
773 |
+ |
774 |
+corenet_sendrecv_imaze_server_packets(spamd_t) |
775 |
corenet_udp_bind_imaze_port(spamd_t) |
776 |
+ |
777 |
corenet_dontaudit_udp_bind_all_ports(spamd_t) |
778 |
-corenet_sendrecv_imaze_server_packets(spamd_t) |
779 |
-corenet_sendrecv_generic_server_packets(spamd_t) |
780 |
+ |
781 |
+corecmd_exec_bin(spamd_t) |
782 |
|
783 |
dev_read_sysfs(spamd_t) |
784 |
dev_read_urand(spamd_t) |
785 |
|
786 |
-fs_getattr_all_fs(spamd_t) |
787 |
-fs_search_auto_mountpoints(spamd_t) |
788 |
- |
789 |
-auth_dontaudit_read_shadow(spamd_t) |
790 |
- |
791 |
-corecmd_exec_bin(spamd_t) |
792 |
- |
793 |
domain_use_interactive_fds(spamd_t) |
794 |
|
795 |
files_read_usr_files(spamd_t) |
796 |
-files_read_etc_files(spamd_t) |
797 |
files_read_etc_runtime_files(spamd_t) |
798 |
-# /var/lib/spamassin |
799 |
-files_read_var_lib_files(spamd_t) |
800 |
+ |
801 |
+fs_getattr_all_fs(spamd_t) |
802 |
+fs_search_auto_mountpoints(spamd_t) |
803 |
+ |
804 |
+auth_use_nsswitch(spamd_t) |
805 |
+auth_dontaudit_read_shadow(spamd_t) |
806 |
|
807 |
init_dontaudit_rw_utmp(spamd_t) |
808 |
|
809 |
+libs_use_ld_so(spamd_t) |
810 |
+libs_use_shared_libs(spamd_t) |
811 |
+ |
812 |
logging_send_syslog_msg(spamd_t) |
813 |
|
814 |
miscfiles_read_localization(spamd_t) |
815 |
|
816 |
-sysnet_read_config(spamd_t) |
817 |
sysnet_use_ldap(spamd_t) |
818 |
-sysnet_dns_name_resolve(spamd_t) |
819 |
|
820 |
userdom_use_unpriv_users_fds(spamd_t) |
821 |
-userdom_search_user_home_dirs(spamd_t) |
822 |
+ |
823 |
+tunable_policy(`spamd_enable_home_dirs',` |
824 |
+ userdom_manage_user_home_content_dirs(spamd_t) |
825 |
+ userdom_manage_user_home_content_files(spamd_t) |
826 |
+ userdom_manage_user_home_content_symlinks(spamd_t) |
827 |
+') |
828 |
|
829 |
tunable_policy(`use_nfs_home_dirs',` |
830 |
+ fs_manage_nfs_dirs(spamd_t) |
831 |
fs_manage_nfs_files(spamd_t) |
832 |
+ fs_manage_nfs_symlinks(spamd_t) |
833 |
') |
834 |
|
835 |
tunable_policy(`use_samba_home_dirs',` |
836 |
+ fs_manage_cifs_dirs(spamd_t) |
837 |
fs_manage_cifs_files(spamd_t) |
838 |
+ fs_manage_cifs_symlinks(spamd_t) |
839 |
') |
840 |
|
841 |
optional_policy(` |
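Review bot: The rationale for the UDP bind rules is lost in this hunk: the old side removed the comment explaining that `corenet_udp_bind_generic_node`/`corenet_udp_bind_generic_port` exist because spamd's DnsResolver.pm binds random unprivileged ports, while the new side keeps both calls without it, so a future cleanup may drop what looks like an unexplained bind-anything rule. I would restore a one-liner above the `corenet_udp_bind_generic_node(spamd_t)` line: `# DnsResolver.pm binds UDP sockets on random unprivileged ports`. Separately, the new `spamd_enable_home_dirs` block grants create/write/delete over all user home content (dirs, files, symlinks), which is far wider than the `.spamassassin` directory the earlier hunk labels as spamassassin_home_t; the tunable's declaration is outside this hunk, so its description should state that enabling it allows spamd to modify arbitrary user home files, not only its own per-user state.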
842 |
@@ -395,6 +402,10 @@ optional_policy(` |
843 |
') |
844 |
|
845 |
optional_policy(` |
846 |
+ clamav_stream_connect(spamd_t) |
847 |
+') |
848 |
+ |
849 |
+optional_policy(` |
850 |
cron_system_entry(spamd_t, spamd_exec_t) |
851 |
') |
852 |
|
853 |
@@ -403,21 +414,28 @@ optional_policy(` |
854 |
') |
855 |
|
856 |
optional_policy(` |
857 |
+ dcc_domtrans_cdcc(spamd_t) |
858 |
dcc_domtrans_client(spamd_t) |
859 |
+ dcc_signal_client(spamd_t) |
860 |
dcc_stream_connect_dccifd(spamd_t) |
861 |
') |
862 |
|
863 |
optional_policy(` |
864 |
- milter_manage_spamass_state(spamd_t) |
865 |
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) |
866 |
') |
867 |
|
868 |
optional_policy(` |
869 |
- mysql_stream_connect(spamd_t) |
870 |
- mysql_tcp_connect(spamd_t) |
871 |
+ exim_manage_spool_dirs(spamd_t) |
872 |
+ exim_manage_spool_files(spamd_t) |
873 |
+') |
874 |
+ |
875 |
+optional_policy(` |
876 |
+ milter_manage_spamass_state(spamd_t) |
877 |
') |
878 |
|
879 |
optional_policy(` |
880 |
- nis_use_ypbind(spamd_t) |
881 |
+ mysql_stream_connect(spamd_t) |
882 |
+ mysql_tcp_connect(spamd_t) |
883 |
') |
884 |
|
885 |
optional_policy(` |
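Review bot: The new exim block grants `exim_manage_spool_dirs`/`exim_manage_spool_files`, i.e. create and delete over exim's whole spool, with no comment on why read/write of handed-over messages is not enough; if that is all spamd needs, a read or rw interface would be tighter, otherwise a line such as `# spamd rewrites messages in place in the exim spool` would stop the next reviewer from narrowing it. The `evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })` rule likewise lacks a rationale: it makes spamd's files and sockets created under evolution home directories come out as spamd_tmp_t, which only makes sense if spamd is run from the evolution plugin, so I would note that above the call. Both points are inferred from the interface names; the enclosing file continues past this hunk.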
886 |
@@ -436,6 +454,8 @@ optional_policy(` |
887 |
|
888 |
optional_policy(` |
889 |
razor_domtrans(spamd_t) |
890 |
+ razor_read_lib_files(spamd_t) |
891 |
+ razor_manage_home_content(spamd_t) |
892 |
') |
893 |
|
894 |
optional_policy(` |
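Review bot: `razor_manage_home_content(spamd_t)` is added unconditionally, while the generic user home content access earlier in this file is gated behind the `spamd_enable_home_dirs` tunable; since the razor interface (defined in this commit) also calls `userdom_search_user_home_dirs` and allows full manage of razor_home_t inside user home directories, spamd gets write access to per-user home content even with the tunable off. If home-directory writes are meant to be opt-in, wrap the call: `tunable_policy(`spamd_enable_home_dirs',` / `razor_manage_home_content(spamd_t)` / `')`, or add a comment stating that razor's per-user state is deliberately always writable. `razor_read_lib_files` is read-only and fine as is.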
895 |
@@ -445,8 +465,68 @@ optional_policy(` |
896 |
optional_policy(` |
897 |
sendmail_stub(spamd_t) |
898 |
mta_read_config(spamd_t) |
899 |
+ mta_send_mail(spamd_t) |
900 |
') |
901 |
|
902 |
optional_policy(` |
903 |
udev_read_db(spamd_t) |
904 |
') |
905 |
+ |
906 |
+######################################## |
907 |
+# |
908 |
+# Update local policy |
909 |
+# |
910 |
+ |
911 |
+dontaudit spamd_update_t self:capability dac_override; |
912 |
+allow spamd_update_t self:fifo_file manage_fifo_file_perms; |
913 |
+allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; |
914 |
+ |
915 |
+manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) |
916 |
+manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) |
917 |
+files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) |
918 |
+ |
919 |
+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms; |
920 |
+manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) |
921 |
+manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) |
922 |
+ |
923 |
+kernel_read_system_state(spamd_update_t) |
924 |
+ |
925 |
+corenet_all_recvfrom_unlabeled(spamd_update_t) |
926 |
+corenet_all_recvfrom_netlabel(spamd_update_t) |
927 |
+corenet_tcp_sendrecv_generic_if(spamd_update_t) |
928 |
+corenet_tcp_sendrecv_generic_node(spamd_update_t) |
929 |
+corenet_tcp_sendrecv_all_ports(spamd_update_t) |
930 |
+ |
931 |
+corenet_sendrecv_http_client_packets(spamd_update_t) |
932 |
+corenet_tcp_connect_http_port(spamd_update_t) |
933 |
+corenet_tcp_sendrecv_http_port(spamd_update_t) |
934 |
+ |
935 |
+corecmd_exec_bin(spamd_update_t) |
936 |
+corecmd_exec_shell(spamd_update_t) |
937 |
+ |
938 |
+dev_read_urand(spamd_update_t) |
939 |
+ |
940 |
+domain_use_interactive_fds(spamd_update_t) |
941 |
+ |
942 |
+files_read_usr_files(spamd_update_t) |
943 |
+ |
944 |
+auth_use_nsswitch(spamd_update_t) |
945 |
+auth_dontaudit_read_shadow(spamd_update_t) |
946 |
+ |
947 |
+miscfiles_read_localization(spamd_update_t) |
948 |
+ |
949 |
+userdom_use_user_terminals(spamd_update_t) |
950 |
+ |
951 |
+optional_policy(` |
952 |
+ cron_system_entry(spamd_update_t, spamd_update_exec_t) |
953 |
+') |
954 |
+ |
955 |
+# probably want a solution same as httpd_use_gpg since this will |
956 |
+# give spamd_update a path to users gpg keys |
957 |
+# optional_policy(` |
958 |
+# gpg_domtrans(spamd_update_t) |
959 |
+# ') |
960 |
+ |
961 |
+optional_policy(` |
962 |
+ mta_read_config(spamd_update_t) |
963 |
+') |
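Review bot: The "Update local policy" header says nothing about what spamd_update_t is, yet the rules below it describe the domain well enough to document: an HTTP client (`corenet_tcp_connect_http_port`) that writes into spamd_var_lib_t (`manage_files_pattern`/`manage_lnk_files_pattern`) and may run from cron; I would expand the header to `# Update local policy (sa-update): fetches rule updates over HTTP and installs them under spamd_var_lib_t`, with the sa-update name hedged as it is inferred. The commented-out gpg block records the open question but the current state also deserves a line: with `corecmd_exec_bin(spamd_update_t)` and `corecmd_exec_shell(spamd_update_t)` present, any gpg invocation the updater makes to verify downloaded rules runs inside spamd_update_t itself rather than via a transition, so a comment such as `# no gpg transition yet; signature verification runs in this domain` makes the current trust boundary explicit. `corenet_tcp_sendrecv_all_ports` next to the single `corenet_tcp_connect_http_port` is the usual refpolicy pattern and is not a concern by itself.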