1system_mail_selinux(8)    SELinux Policy system_mail    system_mail_selinux(8)
2
3
4

NAME

6       system_mail_selinux  -  Security  Enhanced  Linux  Policy  for the sys‐
7       tem_mail processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the system_mail processes via  flexible
11       mandatory access control.
12
13       The  system_mail processes execute with the system_mail_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep system_mail_t
20
21
22

ENTRYPOINTS

24       The  system_mail_t  SELinux type can be entered via the sendmail_exec_t
25       file type.
26
27       The default entrypoint paths for the system_mail_t domain are the  fol‐
28       lowing:
29
30       /usr/sbin/sendmail(.sendmail)?,     /usr/bin/esmtp,    /usr/sbin/rmail,
31       /usr/sbin/ssmtp,       /usr/lib/sendmail,       /usr/bin/esmtp-wrapper,
32       /var/qmail/bin/sendmail, /usr/sbin/sendmail.postfix
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       system_mail  policy is very flexible allowing users to setup their sys‐
42       tem_mail processes in as secure a method as possible.
43
44       The following process types are defined for system_mail:
45
46       system_mail_t
47
48       Note: semanage permissive -a system_mail_t can  be  used  to  make  the
49       process  type system_mail_t permissive. SELinux does not deny access to
50       permissive process types, but the AVC (SELinux  denials)  messages  are
51       still generated.
52
53

BOOLEANS

55       SELinux  policy  is  customizable based on least access required.  sys‐
56       tem_mail policy is extremely flexible and  has  several  booleans  that
57       allow  you to manipulate the policy and run system_mail with the tight‐
58       est access possible.
59
60
61
62       If you want to allow users to resolve user passwd entries directly from
63       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
64       gin_nsswitch_use_ldap boolean. Disabled by default.
65
66       setsebool -P authlogin_nsswitch_use_ldap 1
67
68
69
70       If you want to allow all domains to execute in fips_mode, you must turn
71       on the fips_mode boolean. Enabled by default.
72
73       setsebool -P fips_mode 1
74
75
76
77       If  you  want to determine whether Gitosis can send mail, you must turn
78       on the gitosis_can_sendmail boolean. Disabled by default.
79
80       setsebool -P gitosis_can_sendmail 1
81
82
83
84       If you want to allow http daemon to send mail, you  must  turn  on  the
85       httpd_can_sendmail boolean. Disabled by default.
86
87       setsebool -P httpd_can_sendmail 1
88
89
90
91       If  you  want  to allow confined applications to run with kerberos, you
92       must turn on the kerberos_enabled boolean. Enabled by default.
93
94       setsebool -P kerberos_enabled 1
95
96
97
98       If you want to allow system to run with  NIS,  you  must  turn  on  the
99       nis_enabled boolean. Disabled by default.
100
101       setsebool -P nis_enabled 1
102
103
104
105       If  you  want to allow confined applications to use nscd shared memory,
106       you must turn on the nscd_use_shm boolean. Disabled by default.
107
108       setsebool -P nscd_use_shm 1
109
110
111
112       If you want to allow Redis to run redis-sentinal notification  scripts,
113       you must turn on the redis_enable_notify boolean. Disabled by default.
114
115       setsebool -P redis_enable_notify 1
116
117
118
119       If  you want to support ecryptfs home directories, you must turn on the
120       use_ecryptfs_home_dirs boolean. Disabled by default.
121
122       setsebool -P use_ecryptfs_home_dirs 1
123
124
125

MANAGED FILES

127       The SELinux process type system_mail_t can manage  files  labeled  with
128       the  following  file types.  The paths listed are the default paths for
129       these file types.  Note the processes UID still need to have  DAC  per‐
130       missions.
131
132       anon_inodefs_t
133
134
135       arpwatch_tmp_t
136
137
138       cifs_t
139
140
141       courier_spool_t
142
143            /var/spool/courier(/.*)?
144            /var/spool/authdaemon(/.*)?
145
146       ecryptfs_t
147
148            /home/[^/]+/.Private(/.*)?
149            /home/[^/]+/.ecryptfs(/.*)?
150
151       etc_aliases_t
152
153            /etc/mail/.*.db
154            /etc/mail/aliases.*
155            /etc/postfix/aliases.*
156            /etc/aliases
157            /etc/aliases.db
158
159       exim_log_t
160
161            /var/log/exim[0-9]?(/.*)?
162
163       exim_spool_t
164
165            /var/spool/exim[0-9]?(/.*)?
166
167       mail_home_rw_t
168
169            /root/Maildir(/.*)?
170            /root/.esmtp_queue(/.*)?
171            /var/lib/arpwatch/.esmtp_queue(/.*)?
172            /home/[^/]+/.maildir(/.*)?
173            /home/[^/]+/Maildir(/.*)?
174            /home/[^/]+/.esmtp_queue(/.*)?
175
176       mail_home_t
177
178            /root/.mailrc
179            /root/.esmtprc
180            /root/.forward
181            /root/dead.letter
182            /home/[^/]+/.forward[^/]*
183            /home/[^/]+/.mailrc
184            /home/[^/]+/.esmtprc
185            /home/[^/]+/dead.letter
186
187       mail_spool_t
188
189            /var/mail(/.*)?
190            /var/spool/imap(/.*)?
191            /var/spool/mail(/.*)?
192            /var/spool/smtpd(/.*)?
193
194       mqueue_spool_t
195
196            /var/spool/(client)?mqueue(/.*)?
197            /var/spool/mqueue.in(/.*)?
198
199       munin_var_lib_t
200
201            /var/lib/munin(/.*)?
202
203       nfs_t
204
205
206       qmail_spool_t
207
208            /var/qmail/queue(/.*)?
209
210       sendmail_log_t
211
212            /var/log/mail(/.*)?
213            /var/log/sendmail.st.*
214
215       system_mail_tmp_t
216
217
218       uucpd_spool_t
219
220            /var/spool/uucp(/.*)?
221            /var/spool/uucppublic(/.*)?
222
223

COMMANDS

225       semanage  fcontext  can also be used to manipulate default file context
226       mappings.
227
228       semanage permissive can also be used to manipulate  whether  or  not  a
229       process type is permissive.
230
231       semanage  module can also be used to enable/disable/install/remove pol‐
232       icy modules.
233
234       semanage boolean can also be used to manipulate the booleans
235
236
237       system-config-selinux is a GUI tool available to customize SELinux pol‐
238       icy settings.
239
240

AUTHOR

242       This manual page was auto-generated using sepolicy manpage .
243
244

SEE ALSO

246       selinux(8),   system_mail(8),   semanage(8),  restorecon(8),  chcon(1),
247       sepolicy(8), setsebool(8)
248
249
250
251system_mail                        19-05-30             system_mail_selinux(8)
Impressum