1spamd_selinux(8) SELinux Policy spamd spamd_selinux(8)
2
6 spamd_selinux - Security Enhanced Linux Policy for the spamd processes
7
9 Security-Enhanced Linux secures the spamd processes via flexible manda‐
10 tory access control.
11 The spamd processes execute with the spamd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep spamd_t
19
23 The spamd_t SELinux type can be entered via the spamd_exec_t file type.
24 The default entrypoint paths for the spamd_t domain are the following:
26 /usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/bin/mimedefang,
28 /usr/bin/mimedefang-multiplexor
29
31 SELinux defines process types (domains) for each process running on the
32 system
33 You can see the context of a process using the -Z option to ps
35 Policy governs the access confined processes have to files. SELinux
37 spamd policy is very flexible allowing users to setup their spamd pro‐
38 cesses in as secure a method as possible.
39 The following process types are defined for spamd:
41 spamd_t
43 Note: semanage permissive -a spamd_t can be used to make the process
45 type spamd_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
51 SELinux policy is customizable based on least access required. spamd
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run spamd with the tightest access possible.
54 If you want to allow spamd to read/write user home directories, you
58 must turn on the spamd_enable_home_dirs boolean. Enabled by default.
59 setsebool -P spamd_enable_home_dirs 1
61 If you want to allow all daemons to write corefiles to /, you must turn
65 on the allow_daemons_dump_core boolean. Disabled by default.
66 setsebool -P allow_daemons_dump_core 1
68 If you want to allow all daemons to use tcp wrappers, you must turn on
72 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
73 setsebool -P allow_daemons_use_tcp_wrapper 1
75 If you want to allow all daemons the ability to read/write terminals,
79 you must turn on the allow_daemons_use_tty boolean. Disabled by
80 default.
81 setsebool -P allow_daemons_use_tty 1
83 If you want to allow all domains to use other domains file descriptors,
87 you must turn on the allow_domain_fd_use boolean. Enabled by default.
88 setsebool -P allow_domain_fd_use 1
90 If you want to allow confined applications to run with kerberos, you
94 must turn on the allow_kerberos boolean. Enabled by default.
95 setsebool -P allow_kerberos 1
97 If you want to allow sysadm to debug or ptrace all processes, you must
101 turn on the allow_ptrace boolean. Disabled by default.
102 setsebool -P allow_ptrace 1
104 If you want to allow system to run with NIS, you must turn on the
108 allow_ypbind boolean. Disabled by default.
109 setsebool -P allow_ypbind 1
111 If you want to enable cluster mode for daemons, you must turn on the
115 daemons_enable_cluster_mode boolean. Disabled by default.
116 setsebool -P daemons_enable_cluster_mode 1
118 If you want to allow all domains to have the kernel load modules, you
122 must turn on the domain_kernel_load_modules boolean. Disabled by
123 default.
124 setsebool -P domain_kernel_load_modules 1
126 If you want to allow all domains to execute in fips_mode, you must turn
130 on the fips_mode boolean. Enabled by default.
131 setsebool -P fips_mode 1
133 If you want to enable reading of urandom for all domains, you must turn
137 on the global_ssp boolean. Disabled by default.
138 setsebool -P global_ssp 1
140 If you want to enable support for upstart as the init program, you must
144 turn on the init_upstart boolean. Enabled by default.
145 setsebool -P init_upstart 1
147 If you want to allow confined applications to use nscd shared memory,
151 you must turn on the nscd_use_shm boolean. Enabled by default.
152 setsebool -P nscd_use_shm 1
154 If you want to support NFS home directories, you must turn on the
158 use_nfs_home_dirs boolean. Disabled by default.
159 setsebool -P use_nfs_home_dirs 1
161 If you want to support SAMBA home directories, you must turn on the
165 use_samba_home_dirs boolean. Disabled by default.
166 setsebool -P use_samba_home_dirs 1
168
172 SELinux defines port types to represent TCP and UDP ports.
173 You can see the types associated with a port by using the following
175 command:
176 semanage port -l
178 Policy governs the access confined processes have to these ports.
181 SELinux spamd policy is very flexible allowing users to setup their
182 spamd processes in as secure a method as possible.
183 The following port types are defined for spamd:
185 spamd_port_t
188 Default Defined Ports:
192 tcp 783
193
195 The SELinux process type spamd_t can manage files labeled with the fol‐
196 lowing file types. The paths listed are the default paths for these
197 file types. Note the processes UID still need to have DAC permissions.
198 antivirus_db_t
200 /var/clamav(/.*)?
202 /var/amavis(/.*)?
203 /var/lib/clamd.*
204 /var/lib/amavis(/.*)?
205 /var/lib/clamav(/.*)?
206 /var/virusmails(/.*)?
207 /var/opt/f-secure(/.*)?
208 /var/spool/amavisd(/.*)?
209 cifs_t
211 cluster_conf_t
214 /etc/cluster(/.*)?
216 cluster_var_lib_t
218 /var/lib(64)?/openais(/.*)?
220 /var/lib(64)?/pengine(/.*)?
221 /var/lib(64)?/corosync(/.*)?
222 /usr/lib(64)?/heartbeat(/.*)?
223 /var/lib(64)?/heartbeat(/.*)?
224 /var/lib(64)?/pacemaker(/.*)?
225 /var/lib/cluster(/.*)?
226 cluster_var_run_t
228 /var/run/crm(/.*)?
230 /var/run/cman_.*
231 /var/run/rsctmp(/.*)?
232 /var/run/aisexec.*
233 /var/run/heartbeat(/.*)?
234 /var/run/cpglockd.pid
235 /var/run/corosync.pid
236 /var/run/rgmanager.pid
237 /var/run/cluster/rgmanager.sk
238 exim_spool_t
240 /var/spool/exim[0-9]?(/.*)?
242 initrc_tmp_t
244 mail_spool_t
247 /var/mail(/.*)?
249 /var/spool/mail(/.*)?
250 /var/spool/imap(/.*)?
251 mnt_t
253 /mnt(/[^/]*)
255 /mnt(/[^/]*)?
256 /rhev(/[^/]*)?
257 /media(/[^/]*)
258 /media(/[^/]*)?
259 /etc/rhgb(/.*)?
260 /media/.hal-.*
261 /net
262 /afs
263 /rhev
264 /misc
265 nfs_t
267 root_t
270 /
272 /initrd
273 spamass_milter_state_t
275 /var/lib/spamass-milter(/.*)?
277 spamc_home_t
279 /root/.razor(/.*)?
281 /root/.pyzor(/.*)?
282 /root/.spamd(/.*)?
283 /root/.spamassassin(/.*)?
284 /home/[^/]*/.razor(/.*)?
285 /home/[^/]*/.pyzor(/.*)?
286 /home/[^/]*/.spamd(/.*)?
287 /home/[^/]*/.spamassassin(/.*)?
288 /home/staff/.razor(/.*)?
289 /home/staff/.pyzor(/.*)?
290 /home/staff/.spamd(/.*)?
291 /home/staff/.spamassassin(/.*)?
292 spamd_compiled_t
294 /var/lib/spamassassin/compiled(/.*)?
296 spamd_etc_t
298 /etc/razor(/.*)?
300 /etc/pyzor(/.*)?
301 spamd_log_t
303 /var/log/spamd.log.*
305 /var/log/mimedefang.*
306 /var/log/pyzord.log.*
307 /var/log/razor-agent.log.*
308 spamd_spool_t
310 /var/spool/spamd(/.*)?
312 /var/spool/spamassassin(/.*)?
313 spamd_tmp_t
315 spamd_var_lib_t
318 /var/lib/razor(/.*)?
320 /var/lib/pyzord(/.*)?
321 /var/lib/spamassassin(/.*)?
322 spamd_var_run_t
324 /var/run/spamassassin(/.*)?
326 /var/spool/MIMEDefang(/.*)?
327 /var/spool/MD-Quarantine(/.*)?
328 tmp_t
330 /tmp
332 /usr/tmp
333 /var/tmp
334 /tmp-inst
335 /var/tmp-inst
336 /var/tmp/vi.recover
337 user_home_t
339 /home/[^/]*/.+
341 /home/staff/.+
342
345 SELinux requires files to have an extended attribute to define the file
346 type.
347 You can see the context of a file using the -Z option to ls
349 Policy governs the access confined processes have to these files.
351 SELinux spamd policy is very flexible allowing users to setup their
352 spamd processes in as secure a method as possible.
353 EQUIVALENCE DIRECTORIES
355 spamd policy stores data with multiple different file context types
358 under the /var/lib/spamassassin directory. If you would like to store
359 the data in a different directory you can use the semanage command to
360 create an equivalence mapping. If you wanted to store this data under
361 the /srv dirctory you would execute the following command:
362 semanage fcontext -a -e /var/lib/spamassassin /srv/spamassassin
364 restorecon -R -v /srv/spamassassin
365 STANDARD FILE CONTEXT
367 SELinux defines the file context types for the spamd, if you wanted to
369 store files with these types in a diffent paths, you need to execute
370 the semanage command to sepecify alternate labeling and then use
371 restorecon to put the labels on disk.
372 semanage fcontext -a -t spamd_var_run_t '/srv/myspamd_content(/.*)?'
374 restorecon -R -v /srv/myspamd_content
375 Note: SELinux often uses regular expressions to specify labels that
377 match multiple files.
378 The following file types are defined for spamd:
380 spamd_compiled_t
384 - Set files with the spamd_compiled_t type, if you want to treat the
386 files as spamd compiled data.
387 spamd_etc_t
391 - Set files with the spamd_etc_t type, if you want to store spamd files
393 in the /etc directories.
394 Paths:
397 /etc/razor(/.*)?, /etc/pyzor(/.*)?
398 spamd_exec_t
401 - Set files with the spamd_exec_t type, if you want to transition an
403 executable to the spamd_t domain.
404 Paths:
407 /usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/bin/mimede‐
408 fang, /usr/bin/mimedefang-multiplexor
409 spamd_initrc_exec_t
412 - Set files with the spamd_initrc_exec_t type, if you want to transi‐
414 tion an executable to the spamd_initrc_t domain.
415 Paths:
418 /etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
419 /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spamassassin
420 spamd_log_t
423 - Set files with the spamd_log_t type, if you want to treat the data as
425 spamd log data, usually stored under the /var/log directory.
426 Paths:
429 /var/log/spamd.log.*, /var/log/mimedefang.*,
430 /var/log/pyzord.log.*, /var/log/razor-agent.log.*
431 spamd_spool_t
434 - Set files with the spamd_spool_t type, if you want to store the spamd
436 files under the /var/spool directory.
437 Paths:
440 /var/spool/spamd(/.*)?, /var/spool/spamassassin(/.*)?
441 spamd_tmp_t
444 - Set files with the spamd_tmp_t type, if you want to store spamd tem‐
446 porary files in the /tmp directories.
447 spamd_var_lib_t
451 - Set files with the spamd_var_lib_t type, if you want to store the
453 spamd files under the /var/lib directory.
454 Paths:
457 /var/lib/razor(/.*)?, /var/lib/pyzord(/.*)?, /var/lib/spamassas‐
458 sin(/.*)?
459 spamd_var_run_t
462 - Set files with the spamd_var_run_t type, if you want to store the
464 spamd files under the /run or /var/run directory.
465 Paths:
468 /var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?,
469 /var/spool/MD-Quarantine(/.*)?
470 Note: File context can be temporarily modified with the chcon command.
473 If you want to permanently change the file context you need to use the
474 semanage fcontext command. This will modify the SELinux labeling data‐
475 base. You will need to use restorecon to apply the labels.
476
479 semanage fcontext can also be used to manipulate default file context
480 mappings.
481 semanage permissive can also be used to manipulate whether or not a
483 process type is permissive.
484 semanage module can also be used to enable/disable/install/remove pol‐
486 icy modules.
487 semanage port can also be used to manipulate the port definitions
489 semanage boolean can also be used to manipulate the booleans
491 system-config-selinux is a GUI tool available to customize SELinux pol‐
494 icy settings.
495
498 This manual page was auto-generated using sepolicy manpage .
499
502 selinux(8), spamd(8), semanage(8), restorecon(8), chcon(1) , setse‐
503 bool(8)
504spamd 15-06-03 spamd_selinux(8)