spamd_selinux(8)             SELinux Policy spamd             spamd_selinux(8)


NAME

       spamd_selinux - Security Enhanced Linux Policy for the spamd processes


DESCRIPTION

       Security-Enhanced Linux secures the spamd processes via flexible
       mandatory access control.

       The spamd processes execute with the spamd_t SELinux type. You can check
       whether these processes are running by executing the ps command with the
       -Z qualifier.

       For example:

       ps -eZ | grep spamd_t

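       The grep above only lists the processes that are confined. The check a
       practitioner usually wants is the inverse one: spamd-family binaries that
       are running outside spamd_t, for example a spamd started by hand from a
       root shell (it stays in unconfined_t) or launched through a wrapper that
       never transitions. The following shell function is an added example and
       is not part of the generated man page; it parses ps -eZ output and is
       shown against a constructed sample rather than a live system. The PIDs
       and contexts in the sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): report spamd-family
# processes whose SELinux type is not spamd_t. Reads `ps -eZ` output on stdin.

find_misconfined() {
    awk '
        NR == 1 { next }                      # skip the "LABEL PID TTY TIME CMD" header
        {
            split($1, ctx, ":")               # context is user:role:type[:range]
            type = ctx[3]
            cmd  = $5                         # CMD column (comm name, e.g. "spamd")
            if (cmd ~ /^(spamd|spampd|pyzord|mimedefang.*)$/ && type != "spamd_t")
                printf "%s %s %s\n", $2, type, cmd
        }'
}

# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:spamd_t:s0     1234 ?        00:00:01 spamd
system_u:system_r:spamd_t:s0     1235 ?        00:00:00 spamd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0 00:00:00 spamd
system_u:system_r:initrc_t:s0    2300 ?        00:00:00 spampd
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ?   00:00:00 sshd'

# On a live host replace the sample with:  ps -eZ | find_misconfined
# Prints "PID type command" for every spamd-family process outside spamd_t.
printf '%s\n' "$SAMPLE_PS" | find_misconfined
```

       A hit in unconfined_t means the daemon was started without going through
       a spamd_exec_t entrypoint, so none of the policy in this page applies to
       it; a hit in initrc_t usually means a custom init script or wrapper that
       is not labeled spamd_initrc_exec_t.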

ENTRYPOINTS

       The spamd_t SELinux type can be entered via the spamd_exec_t file type.

       The default entrypoint paths for the spamd_t domain are the following:

       /usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/sbin/spampd,
       /usr/bin/mimedefang, /usr/bin/mimedefang-multiplexor,
       /usr/libexec/mimedefang-wrapper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       spamd policy is very flexible, allowing users to set up their spamd
       processes in as secure a manner as possible.

       The following process types are defined for spamd:

       spamd_update_t, spamd_t

       Note: semanage permissive -a spamd_t can be used to make the process
       type spamd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, so the domain can be left permissive while the denials are
       collected and reviewed.


BOOLEANS

       SELinux policy is customizable based on the least access required. spamd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run spamd with the tightest access possible.
       Note that the daemons_* and domain_* booleans below are system-wide:
       turning one on widens access for every confined daemon or domain, not
       just spamd.

       If you want to allow spamd to read/write user home directories, you must
       turn on the spamd_enable_home_dirs boolean. Enabled by default.

       setsebool -P spamd_enable_home_dirs 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files boolean.
       Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the kernel
       is executed with the systemd.log_target=kmsg parameter, you must turn on
       the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

       If you want to support fusefs home directories, you must turn on the
       use_fusefs_home_dirs boolean. Disabled by default.

       setsebool -P use_fusefs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

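       Taken together, the booleans above are the knobs a hardening baseline
       pins down, and they drift: a troubleshooting setsebool without -P is lost
       on reboot, and one with -P on a daemons_* or domain_* boolean silently
       widens access for every daemon. The following shell function is an added
       example and is not part of the generated man page; it compares a site
       baseline with getsebool -a output and prints the setsebool -P commands
       needed to restore the baseline, warning about baseline entries the
       running policy does not define (a typo there would otherwise surface only
       when setsebool fails). The baseline values and the getsebool excerpt are
       constructed for the example; pick the baseline for your own site (a host
       with a site-wide SpamAssassin configuration and no per-user Bayes data
       can turn spamd_enable_home_dirs off, a host that relies on
       ~/.spamassassin cannot).

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): report SELinux boolean
# drift against a site baseline. Reads `getsebool -a` output on stdin; the
# baseline is passed as "name on|off" lines in the first argument.

boolean_drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, want, "\n")
            for (i = 1; i <= n; i++)
                if (split(want[i], f, " ") == 2) { order[++m] = f[1]; desired[f[1]] = f[2] }
        }
        # getsebool -a prints one "name --> on|off" line per boolean
        $2 == "-->" { current[$1] = $3 }
        END {
            for (i = 1; i <= m; i++) {
                name = order[i]
                if (!(name in current)) {
                    printf "warning: %s is not defined on this system\n", name > "/dev/stderr"
                    continue
                }
                if (current[name] != desired[name])
                    printf "setsebool -P %s %s\n", name, (desired[name] == "on" ? 1 : 0)
            }
        }'
}

# Constructed baseline for a host with a site-wide config and no per-user Bayes.
BASELINE='spamd_enable_home_dirs off
daemons_dump_core off
daemons_use_tty off
deny_ptrace on
use_nfs_home_dirs off'

# Constructed `getsebool -a` excerpt (not captured from a real host).
SAMPLE_BOOLS='daemons_dump_core --> off
daemons_use_tty --> on
deny_ptrace --> off
domain_can_mmap_files --> on
spamd_enable_home_dirs --> on'

# On a live host:  getsebool -a | boolean_drift "$BASELINE"
# Prints the setsebool -P commands for each boolean that differs from the baseline.
printf '%s\n' "$SAMPLE_BOOLS" | boolean_drift "$BASELINE"
```

       The output is a list of commands rather than an applied change, so it
       can be reviewed (or diffed in a configuration-management run) before
       anything is written to the policy store with -P.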

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux spamd policy is very flexible, allowing users to set up their
       spamd processes in as secure a manner as possible.

       The following port types are defined for spamd:

       spamd_port_t

       Default Defined Ports:
                 tcp 783,10026,10027

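       When spamd listens on a port other than the defaults above, spamd_t
       cannot bind it until that port also carries spamd_port_t, and the right
       semanage verb depends on the current listing: -a for a port with no
       explicit entry, -m for a port already assigned to another type (semanage
       refuses -a there with an "already defined" error). The following shell
       function is an added example and is not part of the generated man page;
       it parses semanage port -l output and prints the command for a given TCP
       port. It is shown against a constructed excerpt of that listing. The
       catch-all range types (unreserved_port_t and the like) are treated as
       not blocking -a, which is the usual experience with semanage port -a on
       a port above 1024; a port that falls inside some other type's range is
       still labeled with -a but flagged so you can check it first.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): decide which semanage
# port command labels a TCP port spamd_port_t. Reads `semanage port -l` output
# on stdin; the port number is the first argument.

spamd_port_action() {
    awk -v port="$1" '
        BEGIN {
            # Catch-all range types; an explicit single-port entry takes
            # precedence over them, so they do not block "semanage port -a".
            generic["unreserved_port_t"] = 1; generic["reserved_port_t"] = 1
            generic["hi_reserved_port_t"] = 1; generic["ephemeral_port_t"] = 1
            port += 0
        }
        /^SELinux Port Type/ || NF < 3 || $2 != "tcp" { next }
        {
            type = $1
            for (i = 3; i <= NF; i++) {            # "783, 10026, 10027" or "1024-32767"
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) { split(p, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else         { lo = hi = p + 0 }
                if (lo == port && hi == port)                            exact = type
                else if (lo <= port && port <= hi && !(type in generic)) covering = type
            }
        }
        END {
            if (exact == "spamd_port_t")
                print "ok: tcp/" port " is already spamd_port_t"
            else if (exact != "")
                print "semanage port -m -t spamd_port_t -p tcp " port "   # currently " exact
            else if (covering != "")
                print "semanage port -a -t spamd_port_t -p tcp " port "   # inside the " covering " range, verify first"
            else
                print "semanage port -a -t spamd_port_t -p tcp " port
        }'
}

# Constructed excerpt of `semanage port -l` (not captured from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
spamd_port_t                   tcp      783, 10026, 10027
unreserved_port_t              tcp      1024-32767, 61000-65535'

# On a live host:  semanage port -l | spamd_port_action 7830
for p in 783 8080 10005 7830; do
    printf '%s\n' "$SAMPLE_PORTS" | spamd_port_action "$p"
done
```

       After applying the printed command, confirm with semanage port -l | grep
       spamd_port_t and restart spamd; a still-failing bind shows up in the
       audit log as a name_bind denial on the old port type.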

MANAGED FILES

       The SELinux process type spamd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission on
       the file as well; SELinux is an additional check, not a replacement.

       antivirus_db_t

            /var/clamav(/.*)?
            /var/amavis(/.*)?
            /var/lib/clamd.*
            /var/lib/amavis(/.*)?
            /var/lib/clamav(/.*)?
            /var/virusmails(/.*)?
            /var/opt/f-secure(/.*)?
            /var/spool/amavisd(/.*)?
            /var/lib/clamav-unofficial-sigs(/.*)?

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       exim_spool_t

            /var/spool/exim[0-9]?(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       logwatch_cache_t

            /var/lib/epylog(/.*)?
            /var/lib/logcheck(/.*)?
            /var/cache/logwatch(/.*)?

       nfs_t

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       spamass_milter_state_t

            /var/lib/spamass-milter(/.*)?

       spamc_home_t

            /root/.pyzor(/.*)?
            /root/.razor(/.*)?
            /root/.spamd(/.*)?
            /root/.spamassassin(/.*)?
            /home/[^/]+/.pyzor(/.*)?
            /home/[^/]+/.razor(/.*)?
            /home/[^/]+/.spamd(/.*)?
            /home/[^/]+/.spamassassin(/.*)?

       spamd_compiled_t

            /var/lib/spamassassin/compiled(/.*)?

       spamd_etc_t

            /etc/pyzor(/.*)?
            /etc/razor(/.*)?

       spamd_log_t

            /var/log/spamd.log.*
            /var/log/mimedefang.*
            /var/log/pyzord.log.*
            /var/log/razor-agent.log.*

       spamd_spool_t

            /var/spool/spamd(/.*)?
            /var/spool/spampd(/.*)?
            /var/spool/spamassassin(/.*)?

       spamd_tmp_t

       spamd_var_lib_t

            /var/lib/razor(/.*)?
            /var/lib/pyzord(/.*)?
            /var/lib/spamassassin(/.*)?

       spamd_var_run_t

            /var/run/spamassassin(/.*)?
            /var/spool/MIMEDefang(/.*)?
            /var/spool/MD-Quarantine(/.*)?

       user_home_t

            /home/[^/]+/.+


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux spamd policy is very flexible, allowing users to set up their
       spamd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       spamd policy stores data with multiple different file context types
       under the /var/lib/spamassassin directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/lib/spamassassin /srv/spamassassin
       restorecon -R -v /srv/spamassassin

       STANDARD FILE CONTEXT

       SELinux defines the file context types for spamd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t spamd_var_run_t '/srv/myspamd_content(/.*)?'
       restorecon -R -v /srv/myspamd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for spamd:

       spamd_compiled_t

       - Set files with the spamd_compiled_t type, if you want to treat the
       files as spamd compiled data.

       spamd_etc_t

       - Set files with the spamd_etc_t type, if you want to store spamd files
       in the /etc directories.

       Paths:
            /etc/pyzor(/.*)?, /etc/razor(/.*)?

       spamd_exec_t

       - Set files with the spamd_exec_t type, if you want to transition an
       executable to the spamd_t domain.

       Paths:
            /usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord,
            /usr/sbin/spampd, /usr/bin/mimedefang,
            /usr/bin/mimedefang-multiplexor, /usr/libexec/mimedefang-wrapper

       spamd_initrc_exec_t

       - Set files with the spamd_initrc_exec_t type, if you want to
       transition an executable to the spamd_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
            /etc/rc.d/init.d/spampd, /etc/rc.d/init.d/pyzord

       spamd_log_t

       - Set files with the spamd_log_t type, if you want to treat the data as
       spamd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/spamd.log.*, /var/log/mimedefang.*,
            /var/log/pyzord.log.*, /var/log/razor-agent.log.*

       spamd_spool_t

       - Set files with the spamd_spool_t type, if you want to store the spamd
       files under the /var/spool directory.

       Paths:
            /var/spool/spamd(/.*)?, /var/spool/spampd(/.*)?,
            /var/spool/spamassassin(/.*)?

       spamd_tmp_t

       - Set files with the spamd_tmp_t type, if you want to store spamd
       temporary files in the /tmp directories.

       spamd_update_exec_t

       - Set files with the spamd_update_exec_t type, if you want to
       transition an executable to the spamd_update_t domain.

       spamd_var_lib_t

       - Set files with the spamd_var_lib_t type, if you want to store the
       spamd files under the /var/lib directory.

       Paths:
            /var/lib/razor(/.*)?, /var/lib/pyzord(/.*)?,
            /var/lib/spamassassin(/.*)?

       spamd_var_run_t

       - Set files with the spamd_var_run_t type, if you want to store the
       spamd files under the /run or /var/run directory.

       Paths:
            /var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?,
            /var/spool/MD-Quarantine(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels; a
       label set only with chcon is reverted by the next restorecon or full
       relabel.

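       The chcon/semanage/restorecon note above describes where most spamd
       file denials come from in practice: mv preserves a file's context while
       cp takes the destination's default, so a Bayes database moved from an
       administrator's home directory into /var/lib/spamassassin keeps
       admin_home_t, which is not among the types spamd_t manages, and spamd
       cannot open it. The following shell function is an added example and is
       not part of the generated man page; it parses ls -Z output for a spamd
       directory and reports every file whose type is not in the MANAGED FILES
       list above. The ls -Z listing it runs against is constructed for the
       example; on a live host the fix for each reported file is restorecon -v,
       which reapplies the default context, rather than a chcon that the next
       relabel would undo.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): list files in a spamd
# directory whose SELinux type spamd_t cannot manage. Reads `ls -Z` output
# (one "context name" pair per line) on stdin.

# File types the spamd_t domain can manage, taken from the MANAGED FILES section.
SPAMD_MANAGED='antivirus_db_t cifs_t cluster_conf_t cluster_var_lib_t cluster_var_run_t
ecryptfs_t exim_spool_t fusefs_t logwatch_cache_t nfs_t root_t spamass_milter_state_t
spamc_home_t spamd_compiled_t spamd_etc_t spamd_log_t spamd_spool_t spamd_tmp_t
spamd_var_lib_t spamd_var_run_t user_home_t'

unmanaged_labels() {
    awk -v allowed="$SPAMD_MANAGED" '
        BEGIN { n = split(allowed, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 && $1 ~ /:/ {
            split($1, ctx, ":")                    # user:role:type[:range]
            if (!(ctx[3] in ok)) printf "%s %s\n", $2, ctx[3]
        }'
}

# Constructed `ls -Z /var/lib/spamassassin` listing (not captured from a real host).
SAMPLE_LS='system_u:object_r:spamd_var_lib_t:s0 3.004006
unconfined_u:object_r:admin_home_t:s0 bayes_seen
unconfined_u:object_r:admin_home_t:s0 bayes_toks
system_u:object_r:spamd_var_lib_t:s0 compiled
unconfined_u:object_r:spamd_var_lib_t:s0 sa-update-keys
unconfined_u:object_r:var_lib_t:s0 user_prefs'

# On a live host:  ls -Z /var/lib/spamassassin | unmanaged_labels
# Each reported file needs:  restorecon -v /var/lib/spamassassin/<name>
printf '%s\n' "$SAMPLE_LS" | unmanaged_labels
```

       The allow-list is the managed-type list, not just spamd_var_lib_t, so a
       file that carries a different but still manageable type (for example
       user_home_t on a per-user database) is not flagged; only types spamd_t
       has no rules for are reported.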

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), spamd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), spamd_update_selinux(8)


spamd                              19-04-25                   spamd_selinux(8)