Postfix patch from Dan Walsh.
This commit is contained in:
parent
9fe1b540b8
commit
d9e4cbd2ce
|
@ -46,6 +46,7 @@ template(`postfix_domain_template',`
|
|||
|
||||
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
|
||||
read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
|
||||
|
||||
can_exec(postfix_$1_t, postfix_$1_exec_t)
|
||||
|
||||
|
@ -79,6 +80,7 @@ template(`postfix_domain_template',`
|
|||
files_read_usr_symlinks(postfix_$1_t)
|
||||
files_search_spool(postfix_$1_t)
|
||||
files_getattr_tmp_dirs(postfix_$1_t)
|
||||
files_search_all_mountpoints(postfix_$1_t)
|
||||
|
||||
init_dontaudit_use_fds(postfix_$1_t)
|
||||
init_sigchld(postfix_$1_t)
|
||||
|
@ -110,11 +112,18 @@ template(`postfix_domain_template',`
|
|||
template(`postfix_server_domain_template',`
|
||||
postfix_domain_template($1)
|
||||
|
||||
type postfix_$1_tmp_t;
|
||||
files_tmp_file(postfix_$1_tmp_t)
|
||||
|
||||
allow postfix_$1_t self:capability { setuid setgid dac_override };
|
||||
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
allow postfix_$1_t self:tcp_socket create_socket_perms;
|
||||
allow postfix_$1_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
|
||||
manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
|
||||
files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
|
||||
|
||||
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(postfix_$1_t)
|
||||
|
@ -174,9 +183,8 @@ interface(`postfix_read_config',`
|
|||
type postfix_etc_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_etc_t:dir list_dir_perms;
|
||||
allow $1 postfix_etc_t:file read_file_perms;
|
||||
allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
|
||||
read_files_pattern($1, postfix_etc_t, postfix_etc_t)
|
||||
read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
|
@ -230,6 +238,25 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
|
|||
dontaudit $1 postfix_local_t:tcp_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow read/write postfix local pipes
|
||||
## TCP sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_rw_local_pipes',`
|
||||
gen_require(`
|
||||
type postfix_local_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to read postfix local process state
|
||||
|
@ -368,6 +395,81 @@ interface(`postfix_exec_master',`
|
|||
can_exec($1, postfix_master_exec_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Connect to postfix master process using a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`postfix_stream_connect_master',`
|
||||
gen_require(`
|
||||
type postfix_master_t, postfix_public_t;
|
||||
')
|
||||
|
||||
stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postdrop in the
|
||||
## postfix_postdrop domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_domtrans_postdrop',`
|
||||
gen_require(`
|
||||
type postfix_postdrop_t, postfix_postdrop_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postqueue in the
|
||||
## postfix_postqueue domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_domtrans_postqueue',`
|
||||
gen_require(`
|
||||
type postfix_postqueue_t, postfix_postqueue_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Execute the master postqueue in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`posftix_exec_postqueue',`
|
||||
gen_require(`
|
||||
type postfix_postqueue_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1, postfix_postqueue_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a named socket in a postfix private directory.
|
||||
|
@ -378,7 +480,7 @@ interface(`postfix_exec_master',`
|
|||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_create_pivate_sockets',`
|
||||
interface(`postfix_create_private_sockets',`
|
||||
gen_require(`
|
||||
type postfix_private_t;
|
||||
')
|
||||
|
@ -387,6 +489,25 @@ interface(`postfix_create_pivate_sockets',`
|
|||
create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage named socket in a postfix private directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_manage_private_sockets',`
|
||||
gen_require(`
|
||||
type postfix_private_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_private_t:dir list_dir_perms;
|
||||
manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postfix program in the
|
||||
|
|
|
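Review bot: The interface added after `postfix_domtrans_postqueue` is declared as `posftix_exec_postqueue` — the `postfix_` prefix is transposed — so any module that calls `postfix_exec_postqueue(domain)` will fail at build time with an undefined macro, and this same commit is otherwise fixing exactly this kind of slip (`postfix_create_pivate_sockets` → `postfix_create_private_sockets`). Rename the macro to `postfix_exec_postqueue` before it is used anywhere. Its summary `Execute the master postqueue in the caller domain.` (and the `Execute the master postdrop/postqueue in the …` wording on the two domtrans interfaces) appears to be copied from `postfix_exec_master`; `Execute postqueue in the caller domain.` describes what `can_exec($1, postfix_postqueue_exec_t)` actually grants. Separately, `postfix_server_domain_template` now declares `postfix_$1_tmp_t` plus `files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })` for every server domain that calls it, which presumably widens callers that had no tmp type before; a one-line comment in the template such as `# every server domain gets a private tmp type` would make that intent explicit.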
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(postfix, 1.11.0)
|
||||
policy_module(postfix, 1.11.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -19,7 +19,7 @@ files_type(postfix_spool_bounce_t)
|
|||
postfix_server_domain_template(cleanup)
|
||||
|
||||
type postfix_etc_t;
|
||||
files_type(postfix_etc_t)
|
||||
files_config_file(postfix_etc_t)
|
||||
|
||||
type postfix_exec_t;
|
||||
application_executable_file(postfix_exec_t)
|
||||
|
@ -27,13 +27,11 @@ application_executable_file(postfix_exec_t)
|
|||
postfix_server_domain_template(local)
|
||||
mta_mailserver_delivery(postfix_local_t)
|
||||
|
||||
type postfix_local_tmp_t;
|
||||
files_tmp_file(postfix_local_tmp_t)
|
||||
|
||||
# Program for creating database files
|
||||
type postfix_map_t;
|
||||
type postfix_map_exec_t;
|
||||
application_domain(postfix_map_t, postfix_map_exec_t)
|
||||
role system_r types postfix_map_t;
|
||||
|
||||
type postfix_map_tmp_t;
|
||||
files_tmp_file(postfix_map_tmp_t)
|
||||
|
@ -90,9 +88,6 @@ files_type(postfix_data_t)
|
|||
postfix_server_domain_template(virtual)
|
||||
mta_mailserver_delivery(postfix_virtual_t)
|
||||
|
||||
type postfix_virtual_tmp_t;
|
||||
files_tmp_file(postfix_virtual_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix master process local policy
|
||||
|
@ -103,6 +98,7 @@ allow postfix_master_t self:capability { chown dac_override kill setgid setuid n
|
|||
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_master_t self:udp_socket create_socket_perms;
|
||||
allow postfix_master_t self:process setrlimit;
|
||||
|
||||
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
||||
|
||||
|
@ -132,6 +128,7 @@ domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
|||
# allow access to deferred queue and allow removing bogus incoming entries
|
||||
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
||||
|
@ -142,6 +139,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
|
|||
|
||||
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
||||
|
||||
kernel_read_all_sysctls(postfix_master_t)
|
||||
|
||||
|
@ -181,6 +179,7 @@ seutil_dontaudit_search_config(postfix_master_t)
|
|||
|
||||
mta_rw_aliases(postfix_master_t)
|
||||
mta_read_sendmail_bin(postfix_master_t)
|
||||
mta_getattr_spool(postfix_master_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# for newer main.cf that uses /etc/aliases
|
||||
|
@ -192,6 +191,10 @@ optional_policy(`
|
|||
cyrus_stream_connect(postfix_master_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(postfix, postfix_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_master_t)
|
||||
|
@ -201,6 +204,10 @@ optional_policy(`
|
|||
mysql_stream_connect(postfix_master_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgrey_search_spool(postfix_master_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sendmail_signal(postfix_master_t)
|
||||
')
|
||||
|
@ -219,6 +226,7 @@ allow postfix_bounce_t postfix_public_t:dir search;
|
|||
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
|
||||
|
||||
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
|
||||
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
|
||||
|
@ -240,11 +248,18 @@ write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
|
|||
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
||||
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
|
||||
corecmd_exec_bin(postfix_cleanup_t)
|
||||
|
||||
mta_read_aliases(postfix_cleanup_t)
|
||||
|
||||
optional_policy(`
|
||||
mailman_read_data_files(postfix_cleanup_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix local local policy
|
||||
|
@ -253,10 +268,6 @@ corecmd_exec_bin(postfix_cleanup_t)
|
|||
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_local_t self:process { setsched setrlimit };
|
||||
|
||||
manage_dirs_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
|
||||
manage_files_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
|
||||
files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
|
||||
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
|
||||
|
||||
|
@ -270,18 +281,27 @@ corecmd_exec_bin(postfix_local_t)
|
|||
|
||||
files_read_etc_files(postfix_local_t)
|
||||
|
||||
logging_dontaudit_search_logs(postfix_local_t)
|
||||
|
||||
mta_read_aliases(postfix_local_t)
|
||||
mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_local_t)
|
||||
|
||||
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
|
||||
# Might be a leak, but I need a postfix expert to explain
|
||||
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
||||
|
||||
optional_policy(`
|
||||
clamav_search_lib(postfix_local_t)
|
||||
clamav_exec_clamscan(postfix_local_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_local_t)
|
||||
mailman_append_log(postfix_local_t)
|
||||
mailman_read_log(postfix_local_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -292,8 +312,7 @@ optional_policy(`
|
|||
#
|
||||
# Postfix map local policy
|
||||
#
|
||||
|
||||
allow postfix_map_t self:capability setgid;
|
||||
allow postfix_map_t self:capability { dac_override setgid setuid };
|
||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||
|
@ -340,14 +359,15 @@ logging_send_syslog_msg(postfix_map_t)
|
|||
|
||||
miscfiles_read_localization(postfix_map_t)
|
||||
|
||||
seutil_read_config(postfix_map_t)
|
||||
|
||||
userdom_use_user_terminals(postfix_map_t)
|
||||
|
||||
optional_policy(`
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_map_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix pickup local policy
|
||||
|
@ -372,6 +392,7 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
|
|||
#
|
||||
|
||||
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postfix_pipe_t self:process setrlimit;
|
||||
|
||||
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
|
||||
|
||||
|
@ -379,6 +400,12 @@ write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
|
|||
|
||||
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
|
||||
|
||||
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
|
||||
|
||||
optional_policy(`
|
||||
dovecot_domtrans_deliver(postfix_pipe_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
|
@ -387,6 +414,15 @@ optional_policy(`
|
|||
mailman_domtrans_queue(postfix_pipe_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_manage_spool(postfix_pipe_t)
|
||||
mta_send_mail(postfix_pipe_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
spamassassin_domtrans_client(postfix_pipe_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
uucp_domtrans_uux(postfix_pipe_t)
|
||||
')
|
||||
|
@ -414,6 +450,10 @@ term_dontaudit_use_all_ttys(postfix_postdrop_t)
|
|||
|
||||
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
|
||||
')
|
||||
|
@ -424,8 +464,11 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
ppp_use_fds(postfix_postqueue_t)
|
||||
ppp_sigchld(postfix_postqueue_t)
|
||||
sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
uucp_manage_spool(postfix_postdrop_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -451,12 +494,21 @@ term_use_all_ttys(postfix_postqueue_t)
|
|||
init_sigchld_script(postfix_postqueue_t)
|
||||
init_use_script_fds(postfix_postqueue_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ppp_use_fds(postfix_postqueue_t)
|
||||
ppp_sigchld(postfix_postqueue_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix qmgr local policy
|
||||
#
|
||||
|
||||
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
|
||||
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
||||
|
||||
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
|
||||
|
||||
|
@ -464,6 +516,7 @@ rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
|
|||
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
||||
|
@ -499,13 +552,14 @@ term_use_all_ttys(postfix_showq_t)
|
|||
#
|
||||
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
|
||||
allow postfix_smtp_t self:capability sys_chroot;
|
||||
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
||||
|
||||
allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
|
||||
|
||||
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
files_dontaudit_getattr_home_dir(postfix_smtp_t)
|
||||
files_search_all_mountpoints(postfix_smtp_t)
|
||||
|
||||
optional_policy(`
|
||||
cyrus_stream_connect(postfix_smtp_t)
|
||||
|
@ -522,7 +576,7 @@ optional_policy(`
|
|||
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
|
||||
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
|
||||
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
||||
|
||||
# Connect to policy server
|
||||
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
|
||||
|
@ -537,6 +591,10 @@ corecmd_exec_bin(postfix_smtpd_t)
|
|||
files_read_usr_files(postfix_smtpd_t)
|
||||
mta_read_aliases(postfix_smtpd_t)
|
||||
|
||||
optional_policy(`
|
||||
dovecot_stream_connect_auth(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mailman_read_data_files(postfix_smtpd_t)
|
||||
')
|
||||
|
@ -559,17 +617,14 @@ allow postfix_virtual_t self:process { setsched setrlimit };
|
|||
|
||||
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
|
||||
manage_files_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
|
||||
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
|
||||
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t)
|
||||
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
||||
|
||||
corecmd_exec_shell(postfix_virtual_t)
|
||||
corecmd_exec_bin(postfix_virtual_t)
|
||||
|
||||
files_read_etc_files(postfix_virtual_t)
|
||||
files_read_usr_files(postfix_virtual_t)
|
||||
|
||||
mta_read_aliases(postfix_virtual_t)
|
||||
mta_delete_spool(postfix_virtual_t)
|
||||
|
|
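Review bot: In the `# Postfix local local policy` hunk the new rule `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` is granted under a comment that says it might be a leak; a descriptor inherited across the `domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)` transition that postdrop does not actually need should be silenced with `dontaudit postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` rather than allowed, and the comment should name the descriptor once a postfix expert has confirmed it. In the map hunk, `allow postfix_map_t self:capability { dac_override setgid setuid };` widens that domain from `setgid` alone, and since the file annotates comparable grants (`# for postalias`), a why-comment on `dac_override` — which bypasses all DAC file checks — is warranted. In the `kerberos_keytab_template(postfix, postfix_t)` hunk the second argument names `postfix_t`, a type not declared in any visible hunk while the master domain here is `postfix_master_t`; confirm it exists or the module will not build.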