[selinux-policy: 974/3172] add in procmail

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:29:11 UTC 2010


commit 801b2a7a88297c78eabbc6f9f56f7eadf7dedee7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 15 19:44:37 2005 +0000

    add in procmail

 targeted/domains/program/procmail.te |   91 ++++++++++++++++++++++++++++++++++
 1 files changed, 91 insertions(+), 0 deletions(-)
---
diff --git a/targeted/domains/program/procmail.te b/targeted/domains/program/procmail.te
new file mode 100644
index 0000000..2c77b46
--- /dev/null
+++ b/targeted/domains/program/procmail.te
@@ -0,0 +1,91 @@
+#DESC Procmail - Mail delivery agent for mail servers
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: procmail
+#
+
+#################################
+#
+# Rules for the procmail_t domain.
+#
+# procmail_exec_t is the type of the procmail executable.
+#
+# privhome only works until we define a different type for maildir
+type procmail_t, domain, privlog, privhome, nscd_client_domain;
+type procmail_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types procmail_t;
+
+uses_shlib(procmail_t)
+allow procmail_t device_t:dir search;
+can_network_server(procmail_t)
+nsswitch_domain(procmail_t)
+
+allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+
+allow procmail_t etc_t:dir r_dir_perms;
+allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
+allow procmail_t etc_t:lnk_file read;
+read_locale(procmail_t)
+read_sysctl(procmail_t)
+
+allow procmail_t sysctl_t:dir search;
+
+allow procmail_t self:process { setsched fork sigchld signal };
+dontaudit procmail_t sbin_t:dir { getattr search };
+can_exec(procmail_t, { bin_t shell_exec_t })
+allow procmail_t bin_t:dir { getattr search };
+allow procmail_t bin_t:lnk_file read;
+allow procmail_t self:fifo_file rw_file_perms;
+
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+
+# for /var/mail
+rw_dir_create_file(procmail_t, mail_spool_t)
+
+allow procmail_t var_t:dir { getattr search };
+allow procmail_t var_spool_t:dir r_dir_perms;
+
+allow procmail_t fs_t:filesystem getattr;
+allow procmail_t { self proc_t }:dir search;
+allow procmail_t proc_t:file { getattr read };
+allow procmail_t { self proc_t }:lnk_file read;
+
+# for if /var/mail is a symlink to /var/spool/mail
+#allow procmail_t mail_spool_t:lnk_file r_file_perms;
+
+# for spamassasin
+allow procmail_t usr_t:file { getattr ioctl read };
+ifdef(`spamassassin.te', `
+can_exec(procmail_t, spamassassin_exec_t)
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+ifdef(`spamc.te', `
+can_exec(procmail_t, spamc_exec_t)
+')
+
+ifdef(`targeted_policy', `
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+
+# Search /var/run.
+allow procmail_t var_run_t:dir { getattr search };
+
+# Do not audit attempts to access /root.
+dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
+
+allow procmail_t devtty_t:chr_file { read write };
+
+allow procmail_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`sendmail.te', `
+r_dir_file(procmail_t, etc_mail_t)
+allow procmail_t sendmail_t:tcp_socket { read write };
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit procmail_t mqueue_spool_t:file { getattr read write };
+')
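Review bot: The `can_exec(procmail_t, { bin_t shell_exec_t })` rule on the new side runs every command a recipient's `.procmailrc` invokes inside procmail_t with no domain transition, so those user-authored recipes inherit the whole domain: the `dac_override chown setuid setgid` capabilities, `can_network_server`, `privhome`, and write access to `mail_spool_t`. Nothing in the file records that this is intentional; I would add a comment above the `can_exec` line such as `# user .procmailrc recipes run here with no transition -- every allow below applies to them` so the next person widening this domain knows the blast radius, and would confirm whether `dac_override` and `chown` are needed after procmail has setuid'd to the recipient or only for the root delivery path. The `port_t:udp_socket name_bind` and `tmp_t:dir getattr` rules also appear twice (inside the `spamassassin.te` ifdef and again under `targeted_policy`); if the targeted build always wants them, the first copy is redundant and could be dropped to keep one source of truth.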

