exim_selinux(8)

1exim_selinux(8)               SELinux Policy exim              exim_selinux(8)
2
3
4

NAME

6       exim_selinux - Security Enhanced Linux Policy for the exim processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the exim processes via flexible manda‐
10       tory access control.
11
12       The exim processes execute with the exim_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep exim_t
19
20
21

ENTRYPOINTS

23       The exim_t SELinux type can be entered via the exim_exec_t file type.
24
25       The default entrypoint paths for the exim_t domain are the following:
26
27       /usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       exim policy is very flexible allowing users to setup  their  exim  pro‐
37       cesses in as secure a method as possible.
38
39       The following process types are defined for exim:
40
41       exim_t
42
43       Note:  semanage  permissive  -a  exim_t can be used to make the process
44       type exim_t permissive. SELinux does  not  deny  access  to  permissive
45       process  types, but the AVC (SELinux denials) messages are still gener‐
46       ated.
47
48

BOOLEANS

50       SELinux policy is customizable based on least  access  required.   exim
51       policy is extremely flexible and has several booleans that allow you to
52       manipulate the policy and run exim with the tightest access possible.
53
54
55
56       If you want to determine whether exim can  connect  to  databases,  you
57       must turn on the exim_can_connect_db boolean. Disabled by default.
58
59       setsebool -P exim_can_connect_db 1
60
61
62
63       If  you  want  to  determine  whether exim can create, read, write, and
64       delete generic user content files,  you  must  turn  on  the  exim_man‐
65       age_user_files boolean. Disabled by default.
66
67       setsebool -P exim_manage_user_files 1
68
69
70
71       If  you  want  to  determine whether exim can read generic user content
72       files, you must turn on the exim_read_user_files boolean.  Disabled  by
73       default.
74
75       setsebool -P exim_read_user_files 1
76
77
78
79       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
80       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
81       Enabled by default.
82
83       setsebool -P daemons_dontaudit_scheduling 1
84
85
86
87       If you want to allow all domains to execute in fips_mode, you must turn
88       on the fips_mode boolean. Enabled by default.
89
90       setsebool -P fips_mode 1
91
92
93
94       If you want to allow system to run with  NIS,  you  must  turn  on  the
95       nis_enabled boolean. Disabled by default.
96
97       setsebool -P nis_enabled 1
98
99
100

MANAGED FILES

102       The  SELinux process type exim_t can manage files labeled with the fol‐
103       lowing file types.  The paths listed are the default  paths  for  these
104       file types.  Note the processes UID still need to have DAC permissions.
105
106       arpwatch_tmp_t
107
108
109       cifs_t
110
111
112       cluster_conf_t
113
114            /etc/cluster(/.*)?
115
116       cluster_var_lib_t
117
118            /var/lib/pcsd(/.*)?
119            /var/lib/cluster(/.*)?
120            /var/lib/openais(/.*)?
121            /var/lib/pengine(/.*)?
122            /var/lib/corosync(/.*)?
123            /usr/lib/heartbeat(/.*)?
124            /var/lib/heartbeat(/.*)?
125            /var/lib/pacemaker(/.*)?
126
127       cluster_var_run_t
128
129            /var/run/crm(/.*)?
130            /var/run/cman_.*
131            /var/run/rsctmp(/.*)?
132            /var/run/aisexec.*
133            /var/run/heartbeat(/.*)?
134            /var/run/pcsd-ruby.socket
135            /var/run/corosync-qnetd(/.*)?
136            /var/run/corosync-qdevice(/.*)?
137            /var/run/corosync.pid
138            /var/run/cpglockd.pid
139            /var/run/rgmanager.pid
140            /var/run/cluster/rgmanager.sk
141
142       dovecot_spool_t
143
144            /var/spool/dovecot(/.*)?
145
146       ecryptfs_t
147
148            /home/[^/]+/.Private(/.*)?
149            /home/[^/]+/.ecryptfs(/.*)?
150
151       exim_spool_t
152
153            /var/spool/exim[0-9]?(/.*)?
154
155       exim_tmp_t
156
157
158       exim_var_lib_t
159
160            /var/lib/exim[0-9]?(/.*)?
161
162       exim_var_run_t
163
164            /var/run/exim[0-9]?.pid
165            /var/run/exim[0-9]?(/.*)?
166
167       faillog_t
168
169            /var/log/btmp.*
170            /var/log/faillog.*
171            /var/log/tallylog.*
172            /var/run/faillock(/.*)?
173
174       fusefs_t
175
176            /var/run/user/[0-9]+/gvfs
177
178       krb5_host_rcache_t
179
180            /var/tmp/krb5_0.rcache2
181            /var/cache/krb5rcache(/.*)?
182            /var/tmp/nfs_0
183            /var/tmp/DNS_25
184            /var/tmp/host_0
185            /var/tmp/imap_0
186            /var/tmp/HTTP_23
187            /var/tmp/HTTP_48
188            /var/tmp/ldap_55
189            /var/tmp/ldap_487
190            /var/tmp/ldapmap1_0
191
192       mail_home_rw_t
193
194            /root/Maildir(/.*)?
195            /root/.esmtp_queue(/.*)?
196            /var/lib/arpwatch/.esmtp_queue(/.*)?
197            /home/[^/]+/.maildir(/.*)?
198            /home/[^/]+/Maildir(/.*)?
199            /home/[^/]+/.esmtp_queue(/.*)?
200
201       mailman_data_t
202
203            /etc/mailman.*
204            /var/lib/mailman(/.*)?
205            /var/spool/mailman.*
206
207       nfs_t
208
209
210       root_t
211
212            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
213            /
214            /initrd
215
216       sendmail_tmp_t
217
218
219       user_home_t
220
221            /home/[^/]+/.+
222
223

FILE CONTEXTS

225       SELinux requires files to have an extended attribute to define the file
226       type.
227
228       You can see the context of a file using the -Z option to ls
229
230       Policy governs the access  confined  processes  have  to  these  files.
231       SELinux exim policy is very flexible allowing users to setup their exim
232       processes in as secure a method as possible.
233
234       EQUIVALENCE DIRECTORIES
235
236
237       exim policy stores data with multiple different file context types  un‐
238       der  the /var/run/exim[0-9]? directory.  If you would like to store the
239       data in a different directory you can use the semanage command to  cre‐
240       ate an equivalence mapping.  If you wanted to store this data under the
241       /srv directory you would execute the following command:
242
243       semanage fcontext -a -e /var/run/exim[0-9]? /srv/exim[0-9]?
244       restorecon -R -v /srv/exim[0-9]?
245
246       STANDARD FILE CONTEXT
247
248       SELinux defines the file context types for the exim, if you  wanted  to
249       store  files with these types in a different paths, you need to execute
250       the semanage command to specify alternate labeling  and  then  use  re‐
251       storecon to put the labels on disk.
252
253       semanage fcontext -a -t exim_exec_t '/srv/exim/content(/.*)?'
254       restorecon -R -v /srv/myexim_content
255
256       Note:  SELinux  often  uses  regular expressions to specify labels that
257       match multiple files.
258
259       The following file types are defined for exim:
260
261
262
263       exim_exec_t
264
265       - Set files with the exim_exec_t type, if you want to transition an ex‐
266       ecutable to the exim_t domain.
267
268
269       Paths:
270            /usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb
271
272
273       exim_initrc_exec_t
274
275       - Set files with the exim_initrc_exec_t type, if you want to transition
276       an executable to the exim_initrc_t domain.
277
278
279
280       exim_keytab_t
281
282       - Set files with the exim_keytab_t type, if you want to treat the files
283       as kerberos keytab files.
284
285
286
287       exim_log_t
288
289       -  Set files with the exim_log_t type, if you want to treat the data as
290       exim log data, usually stored under the /var/log directory.
291
292
293
294       exim_spool_t
295
296       - Set files with the exim_spool_t type, if you want to store  the  exim
297       files under the /var/spool directory.
298
299
300
301       exim_tmp_t
302
303       -  Set files with the exim_tmp_t type, if you want to store exim tempo‐
304       rary files in the /tmp directories.
305
306
307
308       exim_var_lib_t
309
310       - Set files with the exim_var_lib_t type, if you want to store the exim
311       files under the /var/lib directory.
312
313
314
315       exim_var_run_t
316
317       - Set files with the exim_var_run_t type, if you want to store the exim
318       files under the /run or /var/run directory.
319
320
321       Paths:
322            /var/run/exim[0-9]?.pid, /var/run/exim[0-9]?(/.*)?
323
324
325       Note: File context can be temporarily modified with the chcon  command.
326       If  you want to permanently change the file context you need to use the
327       semanage fcontext command.  This will modify the SELinux labeling data‐
328       base.  You will need to use restorecon to apply the labels.
329
330

COMMANDS

332       semanage  fcontext  can also be used to manipulate default file context
333       mappings.
334
335       semanage permissive can also be used to manipulate  whether  or  not  a
336       process type is permissive.
337
338       semanage  module can also be used to enable/disable/install/remove pol‐
339       icy modules.
340
341       semanage boolean can also be used to manipulate the booleans
342
343
344       system-config-selinux is a GUI tool available to customize SELinux pol‐
345       icy settings.
346
347

AUTHOR

349       This manual page was auto-generated using sepolicy manpage .
350
351