2 # This policy allows running public-inbox-httpd and public-inbox-nntpd
3 # on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
5 # It also allows delivering mail via postfix-pipe to public-inbox-mda
7 # Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
9 policy_module(publicinbox, 1.0.3)
20 type publicinbox_daemon_t;
21 type publicinbox_daemon_exec_t;
22 init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
24 type publicinbox_var_lib_t;
25 files_type(publicinbox_var_lib_t)
27 type publicinbox_log_t;
28 logging_log_file(publicinbox_log_t)
30 type publicinbox_var_run_t;
31 files_tmp_file(publicinbox_var_run_t)
33 type publicinbox_tmp_t;
34 files_tmp_file(publicinbox_tmp_t)
36 type publicinbox_deliver_t;
37 type publicinbox_deliver_exec_t;
38 init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t)
40 # Uncomment to put these domains into permissive mode
41 #permissive publicinbox_daemon_t;
42 #permissive publicinbox_deliver_t;
47 domain_use_interactive_fds(publicinbox_daemon_t)
48 files_read_etc_files(publicinbox_daemon_t)
49 miscfiles_read_localization(publicinbox_daemon_t)
50 allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
51 allow publicinbox_daemon_t self:tcp_socket { accept listen };
53 # Need to be able to manage and exec them for Inline::C
54 manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
55 exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
58 append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
59 create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
60 setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
61 logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
63 # Run on httpd and nntp ports (called innd_port_t)
64 corenet_tcp_bind_generic_node(publicinbox_daemon_t)
65 corenet_tcp_bind_http_port(publicinbox_daemon_t)
66 corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
67 corenet_tcp_bind_innd_port(publicinbox_daemon_t)
69 # Allow reading anything publicinbox_var_lib_t
70 list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
71 read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
73 # The daemon doesn't need to write to this dir
74 dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
76 # Allow executing bin (for git, mostly)
77 corecmd_exec_bin(publicinbox_daemon_t)
79 # Manage our tmp files
80 manage_dirs_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
81 manage_files_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
82 files_tmp_filetrans(publicinbox_daemon_t, publicinbox_tmp_t, { file dir })
87 # Allow transitioning to deliver_t from postfix pipe
88 domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
89 postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
90 postfix_read_spool_files(publicinbox_deliver_t)
92 files_read_etc_files(publicinbox_deliver_t)
94 # Allow managing anything in publicinbox_var_lib_t
95 manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
96 manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
98 # Allow executing bin (for git, mostly)
99 corecmd_exec_bin(publicinbox_deliver_t)
101 # git-fast-import wants to access system state and other bits
102 kernel_dontaudit_read_system_state(publicinbox_deliver_t)
105 spamassassin_domtrans_client(publicinbox_deliver_t)
106 manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
107 read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
109 # Manage our tmp files
110 manage_dirs_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
111 manage_files_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
112 files_tmp_filetrans(publicinbox_deliver_t, publicinbox_tmp_t, { file dir })