1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
policy_module(amavis, 1.13.0)
########################################
#
# Declarations
#
type amavis_t;
type amavis_exec_t;
domain_type(amavis_t)
init_daemon_domain(amavis_t, amavis_exec_t)
# configuration files
type amavis_etc_t;
files_config_file(amavis_etc_t)
type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)
# pid files
type amavis_var_run_t;
files_pid_file(amavis_var_run_t)
# var/lib files
type amavis_var_lib_t;
files_type(amavis_var_lib_t)
# log files
type amavis_var_log_t;
logging_log_file(amavis_var_log_t)
# tmp files
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)
# virus quarantine
type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
files_type(amavis_spool_t)
########################################
#
# amavis local policy
#
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld sigkill signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
# configuration files
allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
can_exec(amavis_t, amavis_exec_t)
# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
# Spool Files
manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)
# tmp files
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)
# log files
allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
# pid file
manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
corecmd_exec_shell(amavis_t)
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_tcp_sendrecv_generic_node(amavis_t)
corenet_tcp_bind_generic_node(amavis_t)
corenet_udp_bind_generic_node(amavis_t)
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
# just the other side not. ;-)
corenet_tcp_sendrecv_all_ports(amavis_t)
# connect to backchannel port
corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
domain_use_interactive_fds(amavis_t)
files_read_etc_files(amavis_t)
files_read_etc_runtime_files(amavis_t)
files_read_usr_files(amavis_t)
fs_getattr_xattr_fs(amavis_t)
auth_dontaudit_read_shadow(amavis_t)
# uses uptime which reads utmp - redhat bug 561383
init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
miscfiles_read_generic_certs(amavis_t)
miscfiles_read_localization(amavis_t)
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
')
optional_policy(`
dcc_domtrans_client(amavis_t)
dcc_stream_connect_dccifd(amavis_t)
')
optional_policy(`
nslcd_stream_connect(amavis_t)
')
optional_policy(`
postfix_read_config(amavis_t)
')
optional_policy(`
pyzor_domtrans(amavis_t)
pyzor_signal(amavis_t)
')
optional_policy(`
razor_domtrans(amavis_t)
')
optional_policy(`
spamassassin_exec(amavis_t)
spamassassin_exec_client(amavis_t)
spamassassin_read_lib_files(amavis_t)
')
|
GitWeb