# SpamAssassin client (spamc) policy for EL-5, backported from the
# upstream refpolicy spamassassin module, version 2.1.2.
policy_module(spamassassin-client, 2.1.2)

require {
	type spamc_exec_t;
	type spamd_t;
	type spamd_tmp_t;
}

########################################
#
# Declarations
#

# Domain for the spamc binary.  The per-role aliases keep the older
# user_/staff_/sysadm_/auditadm_/secadm_ type names resolvable.
type spamc_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
application_domain(spamc_t, spamc_exec_t)

# Temporary files and directories created by spamc.
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
files_tmp_file(spamc_tmp_t)

########################################
#
# Client local policy
#

# All process permissions on itself except the listed ones
# (ptrace, the set* context changes, setrlimit and exec* memory).
allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamc_t self:fd use;
allow spamc_t self:fifo_file rw_fifo_file_perms;
allow spamc_t self:sock_file read_sock_file_perms;

# SysV IPC on itself.
allow spamc_t self:shm create_shm_perms;
allow spamc_t self:sem create_sem_perms;
allow spamc_t self:msgq create_msgq_perms;
allow spamc_t self:msg { send receive };

# Own sockets: unix datagram/stream, tcp and udp.
allow spamc_t self:unix_dgram_socket { create_socket_perms sendto };
allow spamc_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;

# Private temp files/dirs, with the /tmp type transition.
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })

# Talk to a local spamd over its unix socket.
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;

kernel_read_kernel_sysctls(spamc_t)

# Network access, for a spamd that is reached over TCP.
# NOTE(review): the *_all_ports and connect_all_ports interfaces let
# spamc_t send to and connect to any port, which is presumably wider
# than one spamd endpoint needs; check whether the EL-5 refpolicy
# offers a port-specific corenet interface before tightening this.
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
corenet_udp_sendrecv_generic_if(spamc_t)
corenet_tcp_sendrecv_generic_node(spamc_t)
corenet_udp_sendrecv_generic_node(spamc_t)
corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
# Connection to spamd appears to use unlabeled packets
corenet_sendrecv_unlabeled_packets(spamc_t)

fs_search_auto_mountpoints(spamc_t)

# cjp: these should probably be removed:
corecmd_list_bin(spamc_t)
corecmd_read_bin_symlinks(spamc_t)
corecmd_read_bin_files(spamc_t)
corecmd_read_bin_pipes(spamc_t)
corecmd_read_bin_sockets(spamc_t)

domain_use_interactive_fds(spamc_t)

files_read_etc_files(spamc_t)
files_read_etc_runtime_files(spamc_t)
files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)

# Included in all upstream domains but not in EL-5
libs_use_ld_so(spamc_t)
libs_use_shared_libs(spamc_t)

logging_send_syslog_msg(spamc_t)

miscfiles_read_localization(spamc_t)

# cjp: this should probably be removed:
seutil_read_config(spamc_t)

sysnet_read_config(spamc_t)

# cjp: this should probably be removed:
tunable_policy(`read_default_t',`
	files_list_default(spamc_t)
	files_read_default_files(spamc_t)
	files_read_default_symlinks(spamc_t)
	files_read_default_sockets(spamc_t)
	files_read_default_pipes(spamc_t)
')

optional_policy(`
	# Allow connection to spamd socket above
	evolution_stream_connect(user,spamc_t)
')

optional_policy(`
	# Needed for pyzor/razor called from spamd
	milter_manage_spamass_state(spamc_t)
')

optional_policy(`
	nis_use_ypbind(spamc_t)
')

optional_policy(`
	nscd_socket_use(spamc_t)
')

optional_policy(`
	mta_read_config(spamc_t)
	sendmail_stub(spamc_t)
')