1 ##################
2 # This policy allows running public-inbox-httpd and public-inbox-nntpd
3 # on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
4 #
5 # It also allows delivering mail via postfix-pipe to public-inbox-mda
6 #
7 # Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
8 #
# Trust split implemented by this module: the network-facing daemon domain
# (publicinbox_daemon_t) only reads inbox data, while the delivery domain
# (publicinbox_deliver_t) is the one that writes it.  Rules below that widen
# either side are called out with NOTE(review).
9 policy_module(publicinbox, 1.0.3)
10
# Types from other modules that are named directly in rules below
# (postfix_pipe_t in the domtrans rule, spamc_t/spamd_t in the spam rules).
# Interfaces such as postfix_*() and spamassassin_*() need no require entry.
11 require {
12     type postfix_pipe_t;
13     type spamc_t;
14     type spamd_t;
15 }
16
17 ##################
18 # Declarations
19
# Domain for public-inbox-httpd / -nntpd; init may transition into it when
# executing a file labeled publicinbox_daemon_exec_t.
20 type publicinbox_daemon_t;
21 type publicinbox_daemon_exec_t;
22 init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
23
# Label for the inbox data itself (git repositories, indexes).
24 type publicinbox_var_lib_t;
25 files_type(publicinbox_var_lib_t)
26
27 type publicinbox_log_t;
28 logging_log_file(publicinbox_log_t)
29
# NOTE(review): despite the var_run name this is declared with
# files_tmp_file() rather than files_pid_file().  The .fc labeling is not in
# view; confirm this matches where the Inline::C build output (see the
# daemon section) is actually placed.
30 type publicinbox_var_run_t;
31 files_tmp_file(publicinbox_var_run_t)
32
# Shared by both domains (see the two "Manage our tmp files" sections), so
# daemon and deliver processes can read each other's temp files.
33 type publicinbox_tmp_t;
34 files_tmp_file(publicinbox_tmp_t)
35
# Domain for public-inbox-mda / -watch; reachable both from init (daemon
# domain) and from postfix's pipe agent (domtrans rule below).
36 type publicinbox_deliver_t;
37 type publicinbox_deliver_exec_t;
38 init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t)
39
40 # Uncomment to put these domains into permissive mode
# Permissive mode only logs denials for these domains instead of enforcing
# them; keep these lines commented out once the policy has been validated.
41 #permissive publicinbox_daemon_t;
42 #permissive publicinbox_deliver_t;
43
44 ##################
45 # Daemons policy
46
47 domain_use_interactive_fds(publicinbox_daemon_t)
48 files_read_etc_files(publicinbox_daemon_t)
49 miscfiles_read_localization(publicinbox_daemon_t)
# Socket-level permissions only; which ports may be bound is controlled by
# the corenet_tcp_bind_* rules further down.  No corenet_tcp_connect_*
# interface is used in this module, so outbound name_connect to any port
# type is not granted here.  (listen/accept are believed to be part of
# create_stream_socket_perms already, making the second line redundant
# but harmless -- verify against the refpolicy macro definition.)
50 allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
51 allow publicinbox_daemon_t self:tcp_socket { accept listen };
52
53 # Need to be able to manage and exec them for Inline::C
# NOTE(review): write and execute on the same type, granted to the
# network-facing daemon.  A compromised daemon could therefore place and
# run its own code under this label.  Required as long as Inline::C builds
# at runtime; if the build output can be generated ahead of time under a
# separate, read-only label, the manage half could be dropped.
54 manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
55 exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
56
57 # Logging
# Append/create/setattr only: no write or unlink, so the daemon cannot
# truncate or rewrite existing log content.  The filetrans rule makes
# files/dirs the daemon creates under var_log_t come out labeled
# publicinbox_log_t.
58 append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
59 create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
60 setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
61 logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
62
63 # Run on httpd and nntp ports (called innd_port_t)
# generic_node allows binding to local node addresses; the three port
# interfaces limit the bindable port types to http_port_t, http_cache_port_t
# (the 8080 case from the header) and innd_port_t (119).
64 corenet_tcp_bind_generic_node(publicinbox_daemon_t)
65 corenet_tcp_bind_http_port(publicinbox_daemon_t)
66 corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
67 corenet_tcp_bind_innd_port(publicinbox_daemon_t)
68
69 # Allow reading anything publicinbox_var_lib_t
# Read-only by design: all writes to inbox data go through
# publicinbox_deliver_t below.
70 list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
71 read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
72
73 # The daemon doesn't need to write to this dir
# Denied writes are still denied, but not logged.  That also hides a write
# attempt from a misbehaving or compromised daemon; remove this line if you
# want those denials to reach the audit log.
74 dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
75
76 # Allow executing bin (for git, mostly)
# No domain transition: git and anything else under bin_t run with the
# daemon's own permissions.
77 corecmd_exec_bin(publicinbox_daemon_t)
78
79 # Manage our tmp files
# Files/dirs created by the daemon in tmp_t are relabeled to
# publicinbox_tmp_t by the filetrans rule.
80 manage_dirs_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
81 manage_files_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
82 files_tmp_filetrans(publicinbox_daemon_t, publicinbox_tmp_t, { file dir })
83
84 ##################
85 # mda/watch policy
86 #
87 # Allow transitioning to deliver_t from postfix pipe
# Executing a publicinbox_deliver_exec_t file from postfix_pipe_t (postfix's
# pipe(8) delivery agent) lands in publicinbox_deliver_t, so the MDA runs in
# its own domain rather than inheriting the postfix pipe domain.  The next
# two lines cover the inherited pipe fds and the queued message itself.
88 domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
89 postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
90 postfix_read_spool_files(publicinbox_deliver_t)
91
92 files_read_etc_files(publicinbox_deliver_t)
93
94 # Allow managing anything in publicinbox_var_lib_t
# This is the only domain in the module with write access to inbox data
# (apart from the spamc_t grant below); the daemon's read-only access
# depends on keeping it that way.
95 manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
96 manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
97
98 # Allow executing bin (for git, mostly)
# As for the daemon: git runs in publicinbox_deliver_t, no transition.
99 corecmd_exec_bin(publicinbox_deliver_t)
100
101 # git-fast-import wants to access system state and other bits
# dontaudit only -- the reads stay denied, they just do not fill the log.
102 kernel_dontaudit_read_system_state(publicinbox_deliver_t)
103
104 # Allow using spamc
# spamassassin_domtrans_client: executing spamc transitions into spamc_t.
# NOTE(review): the manage rule then grants every spamc_t process
# create/write/unlink on all publicinbox_var_lib_t data, not just the
# message being delivered.  If spamc only needs the file descriptors it
# inherits from publicinbox_deliver_t, an rw_inherited-style rule would be
# narrower -- confirm against audit output before tightening.  spamd_t
# gets read only.
105 spamassassin_domtrans_client(publicinbox_deliver_t)
106 manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
107 read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
108
109 # Manage our tmp files
# Same tmp type as the daemon (see declarations), so the two domains share
# their temp files.
110 manage_dirs_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
111 manage_files_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
112 files_tmp_filetrans(publicinbox_deliver_t, publicinbox_tmp_t, { file dir })