## Qmail Mail Server
########################################
##
## Template for qmail parent/sub-domain pairs
##
##
##
## The prefix of the child domain
##
##
##
##
## The name of the parent domain.
##
##
#
template(`qmail_child_domain_template',`
type $1_t;
domain_type($1_t)
type $1_exec_t;
domain_entry_file($1_t, $1_exec_t)
domain_auto_trans($2, $1_exec_t, $1_t)
role system_r types $1_t;
allow $1_t self:process signal_perms;
allow $1_t $2:fd use;
allow $1_t $2:fifo_file rw_file_perms;
allow $1_t $2:process sigchld;
allow $1_t qmail_etc_t:dir list_dir_perms;
allow $1_t qmail_etc_t:file read_file_perms;
allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
allow $1_t qmail_start_t:fd use;
kernel_list_proc($2)
kernel_read_proc_symlinks($2)
corecmd_search_bin($1_t)
files_search_var($1_t)
fs_getattr_xattr_fs($1_t)
')
########################################
##
## Transition to qmail_inject_t
##
##
##
## Domain allowed to transition.
##
##
#
interface(`qmail_domtrans_inject',`
gen_require(`
type qmail_inject_t, qmail_inject_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
',`
files_search_var($1)
')
')
########################################
##
## Transition to qmail_queue_t
##
##
##
## Domain allowed to transition.
##
##
#
interface(`qmail_domtrans_queue',`
gen_require(`
type qmail_queue_t, qmail_queue_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
',`
files_search_var($1)
')
')
########################################
##
## Read qmail configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`qmail_read_config',`
gen_require(`
type qmail_etc_t;
')
allow $1 qmail_etc_t:dir list_dir_perms;
allow $1 qmail_etc_t:file read_file_perms;
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
files_search_var($1)
ifdef(`distro_debian',`
# handle /etc/qmail
files_search_etc($1)
')
')
########################################
##
## Define the specified domain as a qmail-smtp service.
## Needed by antivirus/antispam filters.
##
##
##
## Domain allowed access
##
##
##
##
## The type associated with the process program.
##
##
#
interface(`qmail_smtpd_service_domain',`
gen_require(`
type qmail_smtpd_t;
')
domtrans_pattern(qmail_smtpd_t, $2, $1)
')
########################################
##
## Create, read, write, and delete qmail
## spool directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`qmail_manage_spool_dirs',`
gen_require(`
type qmail_spool_t;
')
manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
')
########################################
##
## Create, read, write, and delete qmail
## spool files.
##
##
##
## Domain allowed access.
##
##
#
interface(`qmail_manage_spool_files',`
gen_require(`
type qmail_spool_t;
')
manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
')
########################################
##
## Read and write to qmail spool pipes.
##
##
##
## Domain to not audit.
##
##
#
interface(`qmail_rw_spool_pipes',`
gen_require(`
type qmail_spool_t;
')
allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
')