## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>

#######################################
## <summary>
##	The template to define a mailman domain.
## </summary>
## <desc>
##	<p>
##	This template creates a domain to be used for
##	a new mailman daemon.
##	</p>
##	<p>
##	Every domain built from this template gets the same
##	set of tmp-file and network permissions (see the Policy
##	section below); the template offers no way to narrow
##	them for an individual daemon.
##	</p>
## </desc>
## <param name="domain_prefix">
##	<summary>
##	The type of daemon to be used eg, cgi would give mailman_cgi_
##	</summary>
## </param>
#
template(`mailman_domain_template', `
	########################################
	#
	# Declarations
	#

	gen_require(`
		# NOTE(review): the attribute is only required here, so it must be
		# declared by the module's .te file - confirm it is.
		attribute mailman_domain;
	')

	# The daemon domain, mailman_<prefix>_t, tagged with the shared attribute.
	type mailman_$1_t, mailman_domain;
	domain_type(mailman_$1_t)

	# Entry-point executable type for the domain.
	type mailman_$1_exec_t;
	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
	role system_r types mailman_$1_t;

	# Private tmp type for the domain.
	type mailman_$1_tmp_t;
	files_tmp_file(mailman_$1_tmp_t)

	####################################
	#
	# Policy
	#

	# Full control over its own tmp files and dirs; anything it creates
	# under the tmp directory is labelled with the private tmp type.
	manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
	manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })

	kernel_read_system_state(mailman_$1_t)

	# Network access. Only the two smtp_* lines at the end are specific to
	# mailman's outbound mail delivery; the rest grant send/receive on all
	# TCP and UDP ports, bind on generic nodes and traffic from unlabeled
	# peers to every domain built from this template, e.g. a CGI domain
	# if it is created through this template.
	# NOTE(review): if only some of the mailman daemons open listening
	# sockets, the all_ports and bind_generic_node grants would be better
	# placed in those daemons' own .te rules - confirm which daemons
	# actually need inbound sockets.
	corenet_all_recvfrom_unlabeled(mailman_$1_t)
	corenet_all_recvfrom_netlabel(mailman_$1_t)
	corenet_tcp_sendrecv_generic_if(mailman_$1_t)
	corenet_udp_sendrecv_generic_if(mailman_$1_t)
	corenet_raw_sendrecv_generic_if(mailman_$1_t)
	corenet_tcp_sendrecv_generic_node(mailman_$1_t)
	corenet_udp_sendrecv_generic_node(mailman_$1_t)
	corenet_raw_sendrecv_generic_node(mailman_$1_t)
	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
	corenet_udp_sendrecv_all_ports(mailman_$1_t)
	corenet_tcp_bind_generic_node(mailman_$1_t)
	corenet_udp_bind_generic_node(mailman_$1_t)
	corenet_tcp_connect_smtp_port(mailman_$1_t)
	corenet_sendrecv_smtp_client_packets(mailman_$1_t)

	# Name-service lookups and syslog.
	auth_use_nsswitch(mailman_$1_t)
	logging_send_syslog_msg(mailman_$1_t)
')

#######################################
## <summary>
##	Execute mailman in the mailman domain.
## </summary>
## <desc>
##	<p>
##	Allows the caller to run the mailman_mail_exec_t entry point and
##	transitions the resulting process into mailman_mail_t, so the
##	program runs with the mailman mail domain's privileges rather
##	than the caller's. Use mailman_exec() instead if the program is
##	meant to stay in the caller's domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mailman_domtrans',`
	gen_require(`
		type mailman_mail_exec_t, mailman_mail_t;
	')

	domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')

########################################
## <summary>
##	Execute the mailman program in the mailman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the mailman domain.
##	</summary>
## </param>
#
interface(`mailman_run',`
	gen_require(`
		type mailman_mail_t;
	')

	# Same transition as mailman_domtrans(), plus the role authorisation
	# needed for an interactive (non-system_r) caller to enter the domain.
	mailman_domtrans($1)
	role $2 types mailman_mail_t;
')

#######################################
## <summary>
##	Execute mailman CGI scripts in the
##	mailman CGI domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mailman_domtrans_cgi',`
	gen_require(`
		type mailman_cgi_exec_t, mailman_cgi_t;
	')

	domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')

#######################################
## <summary>
##	Execute mailman in the caller domain.
## </summary>
## <desc>
##	<p>
##	No domain transition takes place: the mailman binary runs with
##	the caller's own permissions. Callers that should be confined
##	by the mailman policy want mailman_domtrans() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_exec',`
	gen_require(`
		type mailman_mail_exec_t;
	')

	can_exec($1, mailman_mail_exec_t)
')

#######################################
## <summary>
##	Send generic signals to the mailman cgi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_signal_cgi',`
	gen_require(`
		type mailman_cgi_t;
	')

	# "signal" covers the generic signals only; kill, stop, sigchld
	# and sigkill are separate permissions and are not granted here.
	allow $1 mailman_cgi_t:process signal;
')

########################################
## <summary>
##	Send null signals to the mailman cgi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_signull_cgi',`
	gen_require(`
		type mailman_cgi_t;
	')

	# signull is the no-op signal used for process-existence checks;
	# it cannot affect the target process.
	allow $1 mailman_cgi_t:process signull;
')

#######################################
## <summary>
##	Allow domain to search data directories.
## </summary>
## <desc>
##	<p>
##	Search only (path traversal), not listing; see
##	mailman_list_data() for directory listing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_search_data',`
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir search_dir_perms;
')

#######################################
## <summary>
##	Allow domain to read mailman data files.
## </summary>
## <desc>
##	<p>
##	Read-only access: list the data directories and read the
##	files and symlinks below them. Nothing here permits writing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_data_files',`
	gen_require(`
		type mailman_data_t;
	')

	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
	read_files_pattern($1, mailman_data_t, mailman_data_t)
	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')

#######################################
## <summary>
##	Allow domain to create mailman data files
##	and write the directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_manage_data_files',`
	gen_require(`
		type mailman_data_t;
	')

	# Create/read/write/delete for dirs and regular files. Symlinks are
	# not covered; mailman_read_data_symlinks() gives read access to them.
	# This is write access to the list configuration and membership data,
	# so it should be limited to domains that genuinely administer lists.
	manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
	manage_files_pattern($1, mailman_data_t, mailman_data_t)
')

#######################################
## <summary>
##	List the contents of mailman data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_list_data',`
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir list_dir_perms;
')

#######################################
## <summary>
##	Allow read access to mailman data symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_data_symlinks',`
	gen_require(`
		type mailman_data_t;
	')

	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')

#######################################
## <summary>
##	Read mailman logs.
## </summary>
## <desc>
##	<p>
##	Grants read on files of type mailman_log_t only; no directory
##	permission is granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_log',`
	gen_require(`
		type mailman_log_t;
	')

	# NOTE(review): whether the caller also needs search on the enclosing
	# log directory depends on how the log directory itself is labelled -
	# confirm against the module's file contexts.
	read_files_pattern($1, mailman_log_t, mailman_log_t)
')

#######################################
## <summary>
##	Append to mailman logs.
## </summary>
## <desc>
##	<p>
##	Append-only: the caller can add log records but cannot read,
##	truncate or delete existing ones. Prefer this over
##	mailman_manage_log() for anything that only emits log lines.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_append_log',`
	gen_require(`
		type mailman_log_t;
	')

	append_files_pattern($1, mailman_log_t, mailman_log_t)
')

#######################################
## <summary>
##	Create, read, write, and delete
##	mailman logs.
## </summary>
## <desc>
##	<p>
##	Full control over log files and symlinks, which includes the
##	ability to truncate or remove existing logs. Domains that only
##	write log records should use mailman_append_log() instead so
##	the audit trail cannot be rewritten from there.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_manage_log',`
	gen_require(`
		type mailman_log_t;
	')

	manage_files_pattern($1, mailman_log_t, mailman_log_t)
	manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
')

#######################################
## <summary>
##	Allow domain to read mailman archive files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mailman_read_archive',`
	gen_require(`
		type mailman_archive_t;
	')

	# Read-only: list archive directories and read the files and
	# symlinks in them. No write or create permission is granted.
	allow $1 mailman_archive_t:dir list_dir_perms;
	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
')

#######################################
## <summary>
##	Execute mailman_queue in the mailman_queue domain.
## </summary>
## <desc>
##	<p>
##	Runs the mailman_queue_exec_t entry point and transitions the
##	process into mailman_queue_t, so the queue runner is confined
##	by its own domain rather than the caller's.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mailman_domtrans_queue',`
	gen_require(`
		type mailman_queue_exec_t, mailman_queue_t;
	')

	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')