policy_module(mailman, 1.8.0)

########################################
#
# Declarations
#

mailman_domain_template(cgi)

type mailman_data_t;
files_type(mailman_data_t)

type mailman_archive_t;
files_type(mailman_archive_t)

type mailman_log_t;
logging_log_file(mailman_log_t)

type mailman_lock_t;
files_lock_file(mailman_lock_t)

mailman_domain_template(mail)
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)

mailman_domain_template(queue)

########################################
#
# Mailman CGI local policy
#

# cjp: the template invocation for cgi should be
# in the below optional policy; however, there are no
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.

optional_policy(`
	dev_read_urand(mailman_cgi_t)

	manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
	manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
	manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)

	files_search_spool(mailman_cgi_t)

	term_use_controlling_term(mailman_cgi_t)

	# for python pre-compile foolishness
	libs_dontaudit_write_lib_dirs(mailman_cgi_t)

	apache_sigchld(mailman_cgi_t)
	apache_use_fds(mailman_cgi_t)
	apache_dontaudit_append_log(mailman_cgi_t)
	apache_search_sys_script_state(mailman_cgi_t)
	apache_read_config(mailman_cgi_t)
	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
')

########################################
#
# Mailman mail local policy
#

allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
allow mailman_mail_t self:process { signal signull };
allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };

manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)

files_search_spool(mailman_mail_t)

fs_rw_anon_inodefs_files(mailman_mail_t)

mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)

optional_policy(`
	courier_read_spool(mailman_mail_t)
')

optional_policy(`
	cron_read_pipes(mailman_mail_t)
')

optional_policy(`
	postfix_search_spool(mailman_mail_t)
')

########################################
#
# Mailman queue local policy
#

allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process signal;
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;

manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)

kernel_read_proc_symlinks(mailman_queue_t)

auth_domtrans_chk_passwd(mailman_queue_t)

files_dontaudit_search_pids(mailman_queue_t)

# for su
seutil_dontaudit_search_config(mailman_queue_t)

# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
userdom_search_user_home_dirs(mailman_queue_t)

optional_policy(`
	apache_read_config(mailman_queue_t)
')

optional_policy(`
	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
')

optional_policy(`
	su_exec(mailman_queue_t)
')