diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 0c73e5203..44e782e03 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -310,26 +310,6 @@ interface(`mta_mailserver_delivery',`
 	')
 	typeattribute $1 mailserver_delivery;
-
-	allow $1 mail_spool_t:dir list_dir_perms;
-	create_files_pattern($1, mail_spool_t, mail_spool_t)
-	read_files_pattern($1, mail_spool_t, mail_spool_t)
-	append_files_pattern($1, mail_spool_t, mail_spool_t)
-	create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-
-	optional_policy(`
-		dovecot_manage_spool($1)
-		dovecot_domtrans_deliver($1)
-	')
-
-	optional_policy(`
-		# so MTA can access /var/lib/mailman/mail/wrapper
-		files_search_var_lib($1)
-
-		mailman_domtrans($1)
-		mailman_read_data_symlinks($1)
-	')
 ')
 #######################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index da4022a39..797d86bef 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -209,6 +209,13 @@ optional_policy(`
 # Mailserver delivery local policy
 #
+allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+
 read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
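Review bot: The six mail_spool_t rules added in the mta.te hunk, together with the dovecot/mailman optional_policy blocks in the following hunk (@@ -225,6 +232,19 @@), now hang off the mailserver_delivery attribute itself rather than off each caller of mta_mailserver_delivery(), so any type that acquires the attribute by another route also receives spool create/append access and the domain transitions into the dovecot deliver and mailman domains. For domains that go through the interface this is equivalent, since the interface still executes typeattribute; whether any policy assigns the attribute directly is not visible in this diff and is worth checking before merging, as that would be a silent widening of what those domains may do. A one-line header above the new block would record the intent for the next reader, e.g. `# Rules common to every mailserver_delivery domain (attribute assigned by mta_mailserver_delivery())`. The mta.if hunk only removes lines and the interface's documentation block above it is outside the diff, so it may still describe the spool permissions the interface no longer grants itself.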
@@ -225,6 +232,19 @@ tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_symlinks(mailserver_delivery)
 ')
+optional_policy(`
+	dovecot_manage_spool(mailserver_delivery)
+	dovecot_domtrans_deliver(mailserver_delivery)
+')
+
+optional_policy(`
+	# so MTA can access /var/lib/mailman/mail/wrapper
+	files_search_var_lib(mailserver_delivery)
+
+	mailman_domtrans(mailserver_delivery)
+	mailman_read_data_symlinks(mailserver_delivery)
+')
+
 ########################################
 #
 # User send mail local policy