#DESC Postfix - Mail server

#

# Author:  Russell Coker <russell@coker.com.au>

# X-Debian-Packages: postfix

# Depends: mta.te

#

# Type for files created during execution of postfix.

type postfix_var_run_t, file_type, sysadmfile, pidfile;

type postfix_etc_t, file_type, sysadmfile;

type postfix_exec_t, file_type, sysadmfile, exec_type;

type postfix_public_t, file_type, sysadmfile;

type postfix_private_t, file_type, sysadmfile;

type postfix_spool_t, file_type, sysadmfile;

type postfix_spool_maildrop_t, file_type, sysadmfile;

type postfix_spool_flush_t, file_type, sysadmfile;

type postfix_prng_t, file_type, sysadmfile;

# postfix needs this for newaliases

allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;

#################################

#

# Rules for the postfix_$1_t domain.

#

# postfix_$1_exec_t is the type of the postfix_$1 executables.

#

define(`postfix_domain', `

daemon_core_rules(postfix_$1, `$2')

allow postfix_$1_t self:process setpgid;

allow postfix_$1_t postfix_master_t:process sigchld;

allow postfix_master_t postfix_$1_t:process signal;

allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;

allow postfix_$1_t postfix_etc_t:file r_file_perms;

read_locale(postfix_$1_t)

allow postfix_$1_t etc_t:file { getattr read };

allow postfix_$1_t self:unix_dgram_socket create_socket_perms;

allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;

allow postfix_$1_t self:unix_stream_socket connectto;

allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;

allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };

allow postfix_$1_t shell_exec_t:file rx_file_perms;

allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };

allow postfix_$1_t postfix_exec_t:file rx_file_perms;

allow postfix_$1_t devtty_t:chr_file rw_file_perms;

allow postfix_$1_t etc_runtime_t:file r_file_perms;

allow postfix_$1_t proc_t:dir r_dir_perms;

allow postfix_$1_t proc_t:file r_file_perms;

allow postfix_$1_t postfix_exec_t:dir r_dir_perms;

allow postfix_$1_t fs_t:filesystem getattr;

allow postfix_$1_t proc_net_t:dir search;

allow postfix_$1_t proc_net_t:file { getattr read };

can_exec(postfix_$1_t, postfix_$1_exec_t)

r_dir_file(postfix_$1_t, cert_t)

allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };

allow postfix_$1_t tmp_t:dir getattr;

file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)

read_sysctl(postfix_$1_t)

')dnl end postfix_domain

ifdef(`crond.te',

`allow system_mail_t crond_t:tcp_socket { read write create };')

postfix_domain(master, `, mail_server_domain')

rhgb_domain(postfix_master_t)

# for a find command

dontaudit postfix_master_t security_t:dir search;

read_sysctl(postfix_master_t)

ifdef(`targeted_policy', `

bool postfix_disable_trans false;

if (!postfix_disable_trans) {

')

domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)

allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };

domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)

allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };

ifdef(`targeted_policy', `', `

role_transition sysadm_r postfix_master_exec_t system_r;

')

allow postfix_master_t postfix_etc_t:file rw_file_perms;

dontaudit postfix_master_t admin_tty_type:chr_file { read write };

allow postfix_master_t devpts_t:dir search;

domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)

allow system_mail_t sysadm_t:process sigchld;

allow system_mail_t privfd:fd use;

ifdef(`pppd.te', `

domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)

')

ifdef(`targeted_policy', `

}

')

allow postfix_master_t privfd:fd use;

ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')

allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;

# postfix does a "find" on startup for some reason - keep it quiet

dontaudit postfix_master_t selinux_config_t:dir search;

can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)

ifdef(`distro_redhat', `

# compatability for old default main.cf

file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)

# for newer main.cf that uses /etc/aliases

file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)

')

file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)

allow postfix_master_t sendmail_exec_t:file r_file_perms;

allow postfix_master_t sbin_t:lnk_file { getattr read };

can_exec(postfix_master_t, { ls_exec_t sbin_t })

allow postfix_master_t self:fifo_file rw_file_perms;

allow postfix_master_t usr_t:file r_file_perms;

can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })

# chown is to set the correct ownership of queue dirs

allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };

allow postfix_master_t postfix_public_t:fifo_file create_file_perms;

allow postfix_master_t postfix_public_t:sock_file create_file_perms;

allow postfix_master_t postfix_public_t:dir rw_dir_perms;

allow postfix_master_t postfix_private_t:dir rw_dir_perms;

allow postfix_master_t postfix_private_t:sock_file create_file_perms;

allow postfix_master_t postfix_private_t:fifo_file create_file_perms;

can_network(postfix_master_t)

allow postfix_master_t port_type:tcp_socket name_connect;

can_ypbind(postfix_master_t)

allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;

allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;

allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };

allow postfix_master_t postfix_prng_t:file getattr;

allow postfix_master_t privfd:fd use;

allow postfix_master_t etc_aliases_t:file rw_file_perms;

allow postfix_master_t var_lib_t:dir search;

ifdef(`saslauthd.te',`

allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };

allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };

can_unix_connect(postfix_smtpd_t,saslauthd_t)

')

create_dir_file(postfix_master_t, postfix_spool_flush_t)

allow postfix_master_t postfix_prng_t:file rw_file_perms;

# for ls to get the current context

allow postfix_master_t self:file { getattr read };

# allow access to deferred queue and allow removing bogus incoming entries

allow postfix_master_t postfix_spool_t:dir create_dir_perms;

allow postfix_master_t postfix_spool_t:file create_file_perms;

dontaudit postfix_master_t man_t:dir search;

define(`postfix_server_domain', `

postfix_domain($1, `$2')

domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)

allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };

allow postfix_$1_t self:capability { setuid setgid dac_override };

can_network_client(postfix_$1_t)

allow postfix_$1_t port_type:tcp_socket name_connect;

can_ypbind(postfix_$1_t)

')

postfix_server_domain(smtp, `, mail_server_sender')

allow postfix_smtp_t postfix_spool_t:file rw_file_perms;

allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;

allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;

allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;

# if you have two different mail servers on the same host let them talk via

# SMTP, also if one mail server wants to talk to itself then allow it and let

# the SMTP protocol sort it out (SE Linux is not to prevent mail server

# misconfiguration)

can_tcp_connect(postfix_smtp_t, mail_server_domain)

postfix_server_domain(smtpd)

allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;

allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;

allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;

allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;

# for OpenSSL certificates

r_dir_file(postfix_smtpd_t,usr_t)

allow postfix_smtpd_t etc_aliases_t:file r_file_perms;

allow postfix_smtpd_t self:file { getattr read };

# for prng_exch

allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;

allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;

postfix_server_domain(local, `, mta_delivery_agent')

ifdef(`procmail.te', `

domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)

# for a bug in the postfix local program

dontaudit procmail_t postfix_local_t:tcp_socket { read write };

dontaudit procmail_t postfix_master_t:fd use;

')

allow postfix_local_t etc_aliases_t:file r_file_perms;

allow postfix_local_t self:fifo_file rw_file_perms;

allow postfix_local_t self:process { setsched setrlimit };

allow postfix_local_t postfix_spool_t:file rw_file_perms;

# for .forward - maybe we need a new type for it?

allow postfix_local_t postfix_private_t:dir search;

allow postfix_local_t postfix_private_t:sock_file rw_file_perms;

allow postfix_local_t postfix_master_t:unix_stream_socket connectto;

allow postfix_local_t postfix_public_t:dir search;

allow postfix_local_t postfix_public_t:sock_file write;

tmp_domain(postfix_local)

can_exec(postfix_local_t,{ shell_exec_t bin_t })

ifdef(`spamc.te', `

can_exec(postfix_local_t, spamc_exec_t)

')

allow postfix_local_t mail_spool_t:dir { remove_name };

allow postfix_local_t mail_spool_t:file { unlink };

# For reading spamassasin

r_dir_file(postfix_local_t, etc_mail_t)

define(`postfix_public_domain',`

postfix_server_domain($1)

allow postfix_$1_t postfix_public_t:dir search;

')

postfix_public_domain(cleanup)

create_dir_file(postfix_cleanup_t, postfix_spool_t)

allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;

allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };

allow postfix_cleanup_t postfix_private_t:dir search;

allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;

allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;

allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;

allow postfix_cleanup_t self:process setrlimit;

allow user_mail_domain postfix_spool_t:dir r_dir_perms;

allow user_mail_domain postfix_etc_t:dir r_dir_perms;

allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;

allow user_mail_domain self:capability dac_override;

define(`postfix_user_domain', `

postfix_domain($1, `$2')

domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)

in_user_role(postfix_$1_t)

role sysadm_r types postfix_$1_t;

allow postfix_$1_t userdomain:process sigchld;

allow postfix_$1_t userdomain:fifo_file { write getattr };

allow postfix_$1_t { userdomain privfd }:fd use;

allow postfix_$1_t self:capability dac_override;

')

postfix_user_domain(postqueue)

allow postfix_postqueue_t postfix_public_t:dir search;

allow postfix_postqueue_t postfix_public_t:fifo_file getattr;

allow postfix_postqueue_t self:udp_socket { create ioctl };

allow postfix_postqueue_t self:tcp_socket create;

allow postfix_master_t postfix_postqueue_exec_t:file getattr;

domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)

allow postfix_postqueue_t initrc_t:process sigchld;

allow postfix_postqueue_t initrc_t:fd use;

# to write the mailq output, it really should not need read access!

allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };

ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')

# wants to write to /var/spool/postfix/public/showq

allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;

allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;

# write to /var/spool/postfix/public/qmgr

allow postfix_postqueue_t postfix_public_t:fifo_file write;

dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;

postfix_user_domain(showq)

# the following auto_trans is usually in postfix server domain

domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)

can_resolve(postfix_showq_t)

r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)

domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)

allow postfix_showq_t self:capability { setuid setgid };

allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };

allow postfix_showq_t postfix_spool_t:file r_file_perms;

allow postfix_showq_t self:tcp_socket create_socket_perms;

allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };

dontaudit postfix_showq_t net_conf_t:file r_file_perms;

postfix_user_domain(postdrop, `, mta_user_agent')

can_resolve(postfix_postdrop_t)

allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;

allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;

allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;

allow postfix_postdrop_t postfix_public_t:dir search;

allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;

dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };

dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;

allow postfix_master_t postfix_postdrop_exec_t:file getattr;

ifdef(`crond.te',

`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;

allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')

# usually it does not need a UDP socket

allow postfix_postdrop_t self:udp_socket create_socket_perms;

allow postfix_postdrop_t self:tcp_socket create;

allow postfix_postdrop_t self:capability sys_resource;

allow postfix_postdrop_t self:tcp_socket create;

postfix_public_domain(pickup)

allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;

allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;

allow postfix_pickup_t postfix_private_t:dir search;

allow postfix_pickup_t postfix_private_t:sock_file write;

allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;

allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;

allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;

allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;

allow postfix_pickup_t self:tcp_socket create_socket_perms;

postfix_public_domain(qmgr)

allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;

allow postfix_qmgr_t postfix_public_t:sock_file write;

allow postfix_qmgr_t postfix_private_t:dir search;

allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;

allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;

# for /var/spool/postfix/active

create_dir_file(postfix_qmgr_t, postfix_spool_t)

postfix_public_domain(bounce)

type postfix_spool_bounce_t, file_type, sysadmfile;

create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)

create_dir_file(postfix_bounce_t, postfix_spool_t)

allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;

allow postfix_master_t postfix_spool_bounce_t:file getattr;

allow postfix_bounce_t self:capability dac_read_search;

allow postfix_bounce_t postfix_public_t:sock_file write;

allow postfix_bounce_t self:tcp_socket create_socket_perms;

r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)

postfix_public_domain(pipe)

allow postfix_pipe_t postfix_spool_t:dir search;

allow postfix_pipe_t postfix_spool_t:file rw_file_perms;

allow postfix_pipe_t self:fifo_file { read write };

allow postfix_pipe_t postfix_private_t:dir search;

allow postfix_pipe_t postfix_private_t:sock_file write;

ifdef(`procmail.te', `

domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)

')

ifdef(`sendmail.te', `

r_dir_file(sendmail_t, postfix_etc_t)

allow sendmail_t postfix_spool_t:dir search;

')

# Program for creating database files

application_domain(postfix_map)

base_file_read_access(postfix_map_t)

allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };

tmp_domain(postfix_map)

create_dir_file(postfix_map_t, postfix_etc_t)

allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;

dontaudit postfix_map_t proc_t:dir { getattr read search };

dontaudit postfix_map_t local_login_t:fd use;

allow postfix_master_t postfix_map_exec_t:file rx_file_perms;

read_locale(postfix_map_t)

allow postfix_map_t self:capability setgid;

allow postfix_map_t self:unix_dgram_socket create_socket_perms;

dontaudit postfix_map_t var_t:dir search;

can_network_server(postfix_map_t)

allow postfix_map_t port_type:tcp_socket name_connect;