## <summary>policy for rspamd</summary> ######################################## ## <summary> ## Execute rspamd_exec_t in the rspamd domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`rspamd_domtrans',` gen_require(` type rspamd_t, rspamd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, rspamd_exec_t, rspamd_t) ') ###################################### ## <summary> ## Execute rspamd in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_exec',` gen_require(` type rspamd_exec_t; ') corecmd_search_bin($1) can_exec($1, rspamd_exec_t) ') ######################################## ## <summary> ## Read rspamd's log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`rspamd_read_log',` gen_require(` type rspamd_log_t; ') logging_search_logs($1) read_files_pattern($1, rspamd_log_t, rspamd_log_t) ') ######################################## ## <summary> ## Append to rspamd log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_append_log',` gen_require(` type rspamd_log_t; ') logging_search_logs($1) append_files_pattern($1, rspamd_log_t, rspamd_log_t) ') ######################################## ## <summary> ## Manage rspamd log files ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_manage_log',` gen_require(` type rspamd_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t) manage_files_pattern($1, rspamd_log_t, rspamd_log_t) manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t) ') ######################################## ## <summary> ## Search rspamd lib directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_search_lib',` gen_require(` type rspamd_var_lib_t; ') allow $1 rspamd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) ') ######################################## ## <summary> ## Read rspamd lib files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_read_lib_files',` gen_require(` type rspamd_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t) ') ######################################## ## <summary> ## Manage rspamd lib files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_manage_lib_files',` gen_require(` type rspamd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t) ') ######################################## ## <summary> ## Manage rspamd lib directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_manage_lib_dirs',` gen_require(` type rspamd_var_lib_t; ') files_search_var_lib($1) manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t) ') ######################################## ## <summary> ## Read rspamd PID files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`rspamd_read_pid_files',` gen_require(` type rspamd_var_run_t; ') files_search_pids($1) read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t) ') ######################################## ## <summary> ## All of the rules required to administrate ## an rspamd environment ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## Role allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`rspamd_admin',` gen_require(` type rspamd_t; type rspamd_log_t; type rspamd_var_lib_t; type rspamd_var_run_t; ') allow $1 rspamd_t:process { signal_perms }; ps_process_pattern($1, rspamd_t) tunable_policy(`deny_ptrace',`',` allow $1 rspamd_t:process ptrace; ') logging_search_logs($1) admin_pattern($1, rspamd_log_t) files_search_var_lib($1) admin_pattern($1, rspamd_var_lib_t) files_search_pids($1) admin_pattern($1, rspamd_var_run_t) optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') ') ############################################################################ # network.if ############################################################################ ######################################## ## <summary> ## Bind TCP sockets to the rspamd worker port. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <infoflow type="none"/> # interface(`corenet_tcp_bind_rspamd_wrkr_port',` gen_require(` type rspamd_wrkr_port_t; ') allow $1 rspamd_wrkr_port_t:tcp_socket name_bind; ') ######################################## ## <summary> ## Bind TCP sockets to the rspamd controller port. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <infoflow type="none"/> # interface(`corenet_tcp_bind_rspamd_cntrllr_port',` gen_require(` type rspamd_cntrllr_port_t; ') allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind; ') ######################################## ## <summary> ## Bind TCP sockets to the rspamd proxy port. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <infoflow type="none"/> # interface(`corenet_tcp_bind_rspamd_prx_port',` gen_require(` type rspamd_prx_port_t; ') allow $1 rspamd_prx_port_t:tcp_socket name_bind; ') ######################################## ## <summary> ## Make a TCP connection to the rspamd worker port. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`corenet_tcp_connect_rspamd_wrkr_port',` gen_require(` type rspamd_wrkr_port_t; ') allow $1 rspamd_wrkr_port_t:tcp_socket name_connect; ')