policy_module(postfix,1.3.1)

########################################
#
# Declarations
#

# Attribute for the unprivileged Postfix command-line domains (postdrop,
# postqueue, showq).  It is presumably populated by the
# postfix_user_domain_template() calls below; the template itself lives in
# postfix.if and is not visible here.
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
attribute postfix_user_domtrans;

postfix_server_domain_template(bounce)

# Spool subtree the bounce service owns (managed by postfix_bounce_t below);
# other daemons only get read/list access to it.
type postfix_spool_bounce_t;
files_type(postfix_spool_bounce_t)

postfix_server_domain_template(cleanup)

# Postfix configuration directory.  Note that it is written by two domains
# below: postfix_map_t (creates the lookup-table .db files) and the master
# (rw on files) -- see the review notes at those rules.
type postfix_etc_t;
files_type(postfix_etc_t)

# Helper executables the master runs in its own domain (can_exec below), i.e.
# with no domain transition.
type postfix_exec_t;
corecmd_executable_file(postfix_exec_t)

postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)

type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)

# Program for creating database files
# (postmap/postalias).  Declared by hand rather than through one of the
# templates, so it gets none of the template-provided rules.
type postfix_map_t;
type postfix_map_exec_t;
domain_type(postfix_map_t)
domain_entry_file(postfix_map_t,postfix_map_exec_t)

type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)

postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
# alias is a hack to make the disable trans bool
# generation macro work
mta_mailserver(postfix_t,postfix_master_exec_t)

postfix_server_domain_template(pickup)

postfix_server_domain_template(pipe)

# postdrop is the domain unprivileged mail submitters end up in
# (mta_mailserver_user_agent); its write access is confined to the maildrop
# spool type and the public fifo, see its rules below.
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)

postfix_user_domain_template(postqueue)

# Rendezvous directories for the daemons' unix sockets and fifos.  In the
# rules below "private" is reached only by server domains (plus the local
# delivery agent's .forward case), while "public" is also reachable from the
# unprivileged postdrop/postqueue domains.  Keep that split when adding rules.
type postfix_private_t;
files_type(postfix_private_t)

# PRNG exchange/seed file.  It is read-write for master, smtp and smtpd below,
# so its contents are shared across the network-facing daemons; treat as
# sensitive.
type postfix_prng_t;
files_type(postfix_prng_t)

postfix_server_domain_template(qmgr)

postfix_user_domain_template(showq)

postfix_server_domain_template(smtp)
mta_mailserver_sender(postfix_smtp_t)

postfix_server_domain_template(smtpd)

# Main queue spool.
type postfix_spool_t;
files_type(postfix_spool_t)

# Maildrop directory: written by postdrop, read and deleted by pickup, and
# cleaned up (delete/rename) by the master.  This is the only spool type an
# unprivileged submitter can write into.
type postfix_spool_maildrop_t;
files_type(postfix_spool_maildrop_t)

# Flush service directory; only the master manages it in this file.
type postfix_spool_flush_t;
files_type(postfix_spool_flush_t)

type postfix_public_t;
files_type(postfix_public_t)

type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
########################################
#
# Postfix master process local policy
#

# chown is to set the correct ownership of queue dirs
# NOTE(review): dac_override bypasses all DAC checks and setuid/setgid let the
# master switch identity (presumably when spawning the per-service daemons);
# together this is a powerful set for the control process.  sys_tty_config is
# not obviously needed here -- confirm against audit logs before dropping.
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;

# NOTE(review): the long-running master can modify its own configuration
# files, so a compromised master could persist changes to main.cf/master.cf.
# If the write is only needed by the postfix control command (which runs in
# this domain via can_exec(postfix_exec_t) below), splitting that into its own
# domain would let this become read-only.
allow postfix_master_t postfix_etc_t:file rw_file_perms;

# helper scripts/binaries run in the master's own domain, no transition
can_exec(postfix_master_t,postfix_exec_t)

allow postfix_master_t postfix_map_exec_t:file rx_file_perms;

allow postfix_master_t postfix_postdrop_exec_t:file getattr;

allow postfix_master_t postfix_postqueue_exec_t:file getattr;

# the master owns the socket/fifo rendezvous points the other daemons use
manage_fifo_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
manage_sock_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)

domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)

allow postfix_master_t postfix_prng_t:file rw_file_perms;

manage_fifo_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
manage_sock_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)

domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)

# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)

# bounce logs: the master manages the directories but only stats the files;
# the files themselves belong to postfix_bounce_t
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;

manage_dirs_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
manage_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)

# maildrop cleanup only: the master can delete or rename submitted files but
# is deliberately not given create/write on them
delete_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)

kernel_read_all_sysctls(postfix_master_t)

# NOTE(review): listening is limited to the smtp and amavisd-send ports, but
# the master may also *connect* to any TCP port and send/receive on all
# ports.  That is a broad footprint for the control process; narrowing it
# needs knowledge of which outbound connections the master itself (rather
# than smtp/smtpd) actually makes.
corenet_non_ipsec_sendrecv(postfix_master_t)
corenet_tcp_sendrecv_all_if(postfix_master_t)
corenet_udp_sendrecv_all_if(postfix_master_t)
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
corenet_udp_sendrecv_all_nodes(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_all_nodes(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_sendrecv_all_client_packets(postfix_master_t)

# for a find command
selinux_dontaudit_search_fs(postfix_master_t)

# NOTE(review): the master may run any shell or bin/sbin binary in its own
# domain (no transition).  Combined with the network rules above this is the
# widest set of rights in the module; keep it in mind when reviewing what the
# start-up scripts actually execute.
corecmd_exec_ls(postfix_master_t)
corecmd_exec_sbin(postfix_master_t)
corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)

domain_use_interactive_fds(postfix_master_t)

files_read_usr_files(postfix_master_t)

init_use_script_ptys(postfix_master_t)

miscfiles_read_man_pages(postfix_master_t)

seutil_sigchld_newrole(postfix_master_t)
# postfix does a "find" on startup for some reason - keep it quiet
seutil_dontaudit_search_config(postfix_master_t)

sysnet_read_config(postfix_master_t)

# read-write on the aliases database (rebuilt by newaliases/postalias)
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(postfix_master_t)
	term_dontaudit_use_generic_ptys(postfix_master_t)
')

optional_policy(`
	cyrus_stream_connect(postfix_master_t)
')

optional_policy(`
	# for postalias
	mailman_manage_data_files(postfix_master_t)
')

optional_policy(`
	nis_use_ypbind(postfix_master_t)
')

###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
#

ifdef(`distro_redhat',`
	# for newer main.cf that uses /etc/aliases
	# Full manage rights on the aliases type plus a file transition so that
	# files the master creates under postfix_etc_t get the aliases label.
	allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
	allow postfix_master_t etc_aliases_t:file manage_file_perms;
	allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
	mta_etc_filetrans_aliases(postfix_master_t)
	filetrans_pattern(postfix_master_t,postfix_etc_t,etc_aliases_t,{ dir file lnk_file })
')

# end partially converted rules
########################################
#
# Postfix bounce local policy
#

# dac_read_search only (read/search past DAC), not the broader dac_override
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;

# write-only on the public sockets; bounce does not create or remove them
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t postfix_public_t:dir search;

manage_dirs_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
manage_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)

# bounce is the only domain in this file with full manage rights on the
# bounce log subtree
manage_dirs_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
########################################
#
# Postfix cleanup local policy
#

allow postfix_cleanup_t self:process setrlimit;

# connect to master process
stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)

rw_fifo_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)

# cleanup writes the queue files it builds into the main spool
manage_dirs_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
manage_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)

# list-only on the bounce subtree
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;

# NOTE(review): cleanup handles message content coming in from smtpd/pickup;
# exec of arbitrary bin files in its own domain is a wider right than the
# rest of this block.  Not obvious from this file what needs it -- confirm.
corecmd_exec_bin(postfix_cleanup_t)
########################################
#
# Postfix local local policy
#

allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };

manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })

# connect to master process
stream_connect_pattern(postfix_local_t,postfix_public_t,postfix_public_t,postfix_master_t)

# for .forward - maybe we need a new type for it?
# (this is the one place a non-master, non-server rule touches the
# "private" socket directory; a dedicated type would keep the private/public
# split clean)
rw_sock_files_pattern(postfix_local_t,postfix_private_t,postfix_private_t)

allow postfix_local_t postfix_spool_t:file rw_file_perms;

# NOTE(review): shell and bin execution happens in postfix_local_t itself --
# there is no domain transition.  Whatever commands users reference from
# .forward files or alias pipes therefore run with this domain's full access
# (spool rw, aliases, mailman data below).  A per-command transition would be
# the tighter design; kept as-is since this file does not show an
# alternative target domain.
corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)

files_read_etc_files(postfix_local_t)

mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassassin configuration
mta_read_config(postfix_local_t)

optional_policy(`
	clamav_search_lib(postfix_local_t)
')

optional_policy(`
	# for postalias
	mailman_manage_data_files(postfix_local_t)
')

optional_policy(`
	# deliveries handed to procmail do get their own domain
	procmail_domtrans(postfix_local_t)
')
########################################
#
# Postfix map local policy
#

allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
allow postfix_map_t self:udp_socket create_socket_perms;

# postmap/postalias write the generated lookup tables next to their source
# files, hence full manage rights on the configuration directory.  This makes
# postfix_map_t a second writer of postfix_etc_t (besides the master).
manage_dirs_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
manage_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
manage_lnk_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)

manage_dirs_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
manage_files_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })

kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)

# NOTE(review): the table-building tool may connect to any TCP port and
# send/receive on all ports.  Presumably this is for network-backed lookup
# tables (LDAP/SQL style); if so, a port-specific interface would be tighter
# -- confirm what actually needs it before narrowing.
corenet_non_ipsec_sendrecv(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
corenet_udp_sendrecv_all_nodes(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
corenet_udp_sendrecv_all_ports(postfix_map_t)
corenet_tcp_connect_all_ports(postfix_map_t)
corenet_sendrecv_all_client_packets(postfix_map_t)

# read/list only on bin and sbin -- no execute, unlike the master
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
corecmd_list_sbin(postfix_map_t)
corecmd_read_sbin_symlinks(postfix_map_t)
corecmd_read_sbin_files(postfix_map_t)
corecmd_read_sbin_pipes(postfix_map_t)
corecmd_read_sbin_sockets(postfix_map_t)

files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)

libs_use_ld_so(postfix_map_t)
libs_use_shared_libs(postfix_map_t)

logging_send_syslog_msg(postfix_map_t)

miscfiles_read_localization(postfix_map_t)

seutil_read_config(postfix_map_t)

sysnet_read_config(postfix_map_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(postfix_map_t)
	term_dontaudit_use_generic_ptys(postfix_map_t)
')

# only when the read_default_t boolean is on: access to unlabeled/default
# files, e.g. table sources living outside the labeled config dirs
tunable_policy(`read_default_t',`
	files_list_default(postfix_map_t)
	files_read_default_files(postfix_map_t)
	files_read_default_symlinks(postfix_map_t)
	files_read_default_sockets(postfix_map_t)
	files_read_default_pipes(postfix_map_t)
')

optional_policy(`
	locallogin_dontaudit_use_fds(postfix_map_t)
')

optional_policy(`
	nscd_socket_use(postfix_map_t)
')
########################################
#
# Postfix pickup local policy
#

allow postfix_pickup_t self:tcp_socket create_socket_perms;

stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)

rw_fifo_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)

postfix_list_spool(postfix_pickup_t)

# pickup consumes what postdrop left in the maildrop directory: read and
# delete only, it never creates or modifies files there
read_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
########################################
#
# Postfix pipe local policy
#

allow postfix_pipe_t self:fifo_file { read write };

write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)

write_fifo_files_pattern(postfix_pipe_t,postfix_public_t,postfix_public_t)

rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)

# Unlike postfix_local_t, the pipe daemon has no generic shell/bin exec in
# its own domain here; every external command it may run below gets a
# domain transition to that program's domain.
optional_policy(`
	procmail_domtrans(postfix_pipe_t)
')

optional_policy(`
	mailman_domtrans_queue(postfix_pipe_t)
')

optional_policy(`
	uucp_domtrans_uux(postfix_pipe_t)
')
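########################################
#
# Postfix postdrop local policy
#

# NOTE(review): sys_resource lets the submission helper override resource
# limits; nothing in this file shows why it is needed -- confirm against
# audit logs before keeping or dropping it.
allow postfix_postdrop_t self:capability sys_resource;
# create only: the TCP socket is never bound or connected in this domain
allow postfix_postdrop_t self:tcp_socket create;
# usually it does not need a UDP socket; the UDP sendrecv and DNS rules
# below presumably cover the case where a name lookup is triggered
allow postfix_postdrop_t self:udp_socket create_socket_perms;

# the public fifo is how newly submitted mail is announced to the daemons
rw_fifo_files_pattern(postfix_postdrop_t,postfix_public_t,postfix_public_t)

postfix_list_spool(postfix_postdrop_t)
# postdrop writes submitted messages into the maildrop directory only;
# pickup reads and deletes them, the master may delete/rename them.  Keeping
# the unprivileged submitter out of every other spool type is what this rule
# set relies on.
manage_files_pattern(postfix_postdrop_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)

corenet_udp_sendrecv_all_if(postfix_postdrop_t)
corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)

term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)

sysnet_dns_name_resolve(postfix_postdrop_t)

mta_rw_user_mail_stream_sockets(postfix_postdrop_t)

ifdef(`targeted_policy', `
	# NOTE(review): in targeted policy these are real allows on the caller's
	# terminal, not dontaudits like the rules above
	term_use_unallocated_ttys(postfix_postdrop_t)
	term_use_generic_ptys(postfix_postdrop_t)
')

optional_policy(`
	# system cron jobs may execute postdrop and land in this domain
	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')

########################################
#
# Postfix postqueue local policy
#

allow postfix_postqueue_t self:tcp_socket create;
allow postfix_postqueue_t self:udp_socket { create ioctl };

# wants to write to /var/spool/postfix/public/showq
stream_connect_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t,postfix_master_t)

# write to /var/spool/postfix/public/qmgr
write_fifo_files_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t)

domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)

# to write the mailq output, it really should not need read access!
# (term_use_* grants read as well as write on the user's terminal, so the
# queue-listing helper could in principle read terminal input; a write-only
# interface would be the tighter choice if one is available)
term_use_all_user_ptys(postfix_postqueue_t)
term_use_all_user_ttys(postfix_postqueue_t)

init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)

sysnet_dontaudit_read_config(postfix_postqueue_t)

# postqueue rules; these used to sit under the postdrop heading above
optional_policy(`
	ppp_use_fds(postfix_postqueue_t)
	ppp_sigchld(postfix_postqueue_t)
')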
########################################
#
# Postfix qmgr local policy
#

# qmgr talks to both the private and the public rendezvous sockets
stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)

rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t)

# for /var/spool/postfix/active
manage_dirs_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
manage_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)

# read-only on the bounce log subtree (bounce is the owner)
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };

# NOTE(review): exec of bin files in the queue manager's own domain; nothing
# in this file shows which program needs it -- confirm
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
# Postfix showq local policy
#

# showq is entered by domain transition from the master and from postqueue
# (see the domtrans_pattern rules in those blocks) and can change uid/gid
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t self:tcp_socket create_socket_perms;

# accepts connections on the master's unix socket
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };

# read-only on the queue; showq only lists, it never modifies spool files
allow postfix_showq_t postfix_spool_t:file read_file_perms;

postfix_list_spool(postfix_showq_t)

allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };

# to write the mailq output, it really should not need read access!
# (same caveat as for postqueue: term_use_* also allows reading the user's
# terminal; a write-only interface would be tighter if one is available)
term_use_all_user_ptys(postfix_showq_t)
term_use_all_user_ttys(postfix_showq_t)

sysnet_dns_name_resolve(postfix_showq_t)
########################################
#
# Postfix smtp delivery local policy
#

# read-only netlink route socket (route/interface lookups for outbound mail)
allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;

# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)

# shares the PRNG exchange file with master and smtpd
allow postfix_smtp_t postfix_prng_t:file rw_file_perms;

allow postfix_smtp_t postfix_spool_t:file rw_file_perms;

optional_policy(`
	cyrus_stream_connect(postfix_smtp_t)
')
########################################
#
# Postfix smtpd local policy
#
# smtpd is the network-facing daemon.  It does not bind a port itself; it
# uses the TCP socket owned by the master (which binds the smtp and
# amavisd-send ports above), presumably the listening socket handed over at
# spawn time.
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;

# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)

# queue files: rw only, no create/delete
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
# for prng_exch
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;

# NOTE(review): this is the daemon that parses untrusted input from the
# network, and it may execute bin files in its own domain.  Nothing in this
# file shows which program needs it; worth confirming and, if possible,
# replacing with a transition to that program's domain.
corecmd_exec_bin(postfix_smtpd_t)

# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
# read-only on the aliases database
mta_read_aliases(postfix_smtpd_t)

optional_policy(`
	postgrey_stream_connect(postfix_smtpd_t)
')

optional_policy(`
	sasl_connect(postfix_smtpd_t)
')