policy_module(postfix, 1.12.0)

########################################
#
# Declarations
#
# Postfix is split into one SELinux domain per daemon/command: the
# postfix_server_domain_template / postfix_user_domain_template calls
# below each declare a postfix_<name>_t domain (and, as the later rules
# show, a postfix_<name>_exec_t entry point) so that a compromise of one
# component is confined to that component's rules rather than to a
# monolithic "postfix" domain.
#

## <desc>
##
## Allow postfix_local domain full write access to mail_spool directories
## (mta_manage_spool). Off by default; with it off postfix_local only gets
## the mta_delete_spool access granted unconditionally in its local policy.
##
## </desc>
gen_tunable(allow_postfix_local_write_mail_spool, false)

# every spool sub-type below is tagged with this attribute so interfaces
# can refer to "any postfix spool" without enumerating the types
attribute postfix_spool_type;
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
attribute postfix_user_domtrans;

postfix_server_domain_template(bounce)

# /var/spool/postfix/bounce - bounce logs; kept separate from postfix_spool_t
# so the bounce daemon can be given manage access while others only read/list
type postfix_spool_bounce_t, postfix_spool_type;
files_type(postfix_spool_bounce_t)

postfix_server_domain_template(cleanup)

# main.cf / master.cf and the compiled lookup tables
type postfix_etc_t;
files_config_file(postfix_etc_t)

type postfix_exec_t;
application_executable_file(postfix_exec_t)

postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)

# Program for creating database files (postmap/postalias)
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
role system_r types postfix_map_t;

type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)

postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
# alias is a hack to make the disable trans bool
# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)

type postfix_initrc_exec_t;
init_script_file(postfix_initrc_exec_t)

postfix_server_domain_template(pickup)

postfix_server_domain_template(pipe)

# postdrop/postqueue/showq are "user" domains: they are the set-gid helpers
# unprivileged senders run, so their rules are the untrusted-input boundary
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)

postfix_user_domain_template(postqueue)
mta_mailserver_user_agent(postfix_postqueue_t)

# /var/spool/postfix/private - sockets/fifos reachable only by postfix daemons
type postfix_private_t;
files_type(postfix_private_t)

type postfix_prng_t;
files_type(postfix_prng_t)

postfix_server_domain_template(qmgr)

postfix_user_domain_template(showq)

postfix_server_domain_template(smtp)
mta_mailserver_sender(postfix_smtp_t)

postfix_server_domain_template(smtpd)

type postfix_spool_t, postfix_spool_type;
files_type(postfix_spool_t)

# /var/spool/postfix/maildrop - where the set-gid postdrop helper places
# locally submitted mail; separate type so submission can be limited to it
type postfix_spool_maildrop_t, postfix_spool_type;
files_type(postfix_spool_maildrop_t)

type postfix_spool_flush_t, postfix_spool_type;
files_type(postfix_spool_flush_t)

# /var/spool/postfix/public - sockets/fifos that the user-side helpers
# (postdrop, postqueue) are allowed to reach
type postfix_public_t;
files_type(postfix_public_t)

type postfix_var_run_t;
files_pid_file(postfix_var_run_t)

# the data_directory config parameter
type postfix_data_t;
files_type(postfix_data_t)

postfix_server_domain_template(virtual)
mta_mailserver_delivery(postfix_virtual_t)

########################################
#
# Postfix master process local policy
#
# postfix_master_t is the supervisor: it owns the listening sockets and the
# private/public IPC directories, and spawns the other daemons. It is the
# most privileged postfix domain, so the capability and network rules here
# deserve the closest review.
#

# chown is to set the correct ownership of queue dirs
# NOTE(review): dac_override, kill, setuid and setgid together let this
# domain bypass DAC on any file it has SELinux access to and signal/own
# arbitrary uids; presumably needed to run the child daemons as the
# unprivileged postfix user - confirm each is still exercised.
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;

# NOTE(review): master gets write (not just read) access to its own
# configuration type; the only visible write need is the aliases file
# transition below - verify the rw on main.cf/master.cf is required.
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
mta_filetrans_aliases(postfix_master_t, postfix_etc_t)

# the daemons are exec'd without a domain transition (can_exec), so they
# inherit postfix_master_t unless a specific domtrans below applies
can_exec(postfix_master_t, postfix_exec_t)

allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;

allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };

allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;

allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;

# master creates the IPC endpoints in private/ and public/ that the
# other domains only connect to or write through
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)

domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)

allow postfix_master_t postfix_prng_t:file rw_file_perms;

manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)

domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)

# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)

# bounce logs: master only manages the directory, it never reads the files
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;

manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)

# maildrop (user-submitted mail): master may only delete/rename entries and
# set directory attributes - it cannot read or create submissions here
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)

kernel_read_all_sysctls(postfix_master_t)

# Network: binds smtp and the amavisd return port as a server, but is also
# allowed to connect to *all* TCP ports as a client.
# NOTE(review): corenet_tcp_connect_all_ports is broad for a supervisor
# whose outbound mail is sent by postfix_smtp_t; consider whether a narrower
# port set (lmtp/amavisd/mysql etc.) would suffice.
corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_udp_bind_generic_node(postfix_master_t)
corenet_udp_bind_all_unreserved_ports(postfix_master_t)
corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_sendrecv_all_client_packets(postfix_master_t)

# for a find command
selinux_dontaudit_search_fs(postfix_master_t)

# NOTE(review): shell and generic bin execution in the supervisor domain;
# anything it runs stays in postfix_master_t with the capabilities above.
corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)

domain_use_interactive_fds(postfix_master_t)

files_read_usr_files(postfix_master_t)
files_search_var_lib(postfix_master_t)
files_search_tmp(postfix_master_t)

term_dontaudit_search_ptys(postfix_master_t)

miscfiles_read_man_pages(postfix_master_t)

seutil_sigchld_newrole(postfix_master_t)
# postfix does a "find" on startup for some reason - keep it quiet
seutil_dontaudit_search_config(postfix_master_t)

mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)

ifdef(`distro_redhat',`
	# for newer main.cf that uses /etc/aliases
	mta_manage_aliases(postfix_master_t)
	mta_etc_filetrans_aliases(postfix_master_t)
')

optional_policy(`
	cyrus_stream_connect(postfix_master_t)
')

optional_policy(`
	# keytab access is granted to the postfix_t alias, i.e. this same domain
	kerberos_keytab_template(postfix, postfix_t)
')

optional_policy(`
	# for postalias
	mailman_manage_data_files(postfix_master_t)
')

optional_policy(`
	mysql_stream_connect(postfix_master_t)
')

optional_policy(`
	postgrey_search_spool(postfix_master_t)
')

optional_policy(`
	sendmail_signal(postfix_master_t)
')

########################################
#
# Postfix bounce local policy
#
# The bounce daemon keeps per-message bounce logs under
# postfix_spool_bounce_t and is the only domain given manage access there.
#

# dac_read_search lets it read/traverse spool content regardless of DAC
# ownership; no dac_override, so it cannot write past DAC
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;

# public/ endpoints: write-only to the socket, search-only on the directory
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t postfix_public_t:dir search_dir_perms;

manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)

manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)

########################################
#
# Postfix cleanup local policy
#
# cleanup canonicalises incoming messages and writes them into the queue,
# so it needs full manage access on postfix_spool_t but only read access
# to aliases and only list access to the bounce logs.
#

allow postfix_cleanup_t self:process setrlimit;

# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)

rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)

manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)

allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;

# NOTE(review): generic bin execution in a domain that parses untrusted
# message headers; no domain transition is defined for what it runs, so any
# helper it executes keeps cleanup's spool write access - confirm still needed.
corecmd_exec_bin(postfix_cleanup_t)

mta_read_aliases(postfix_cleanup_t)

optional_policy(`
	mailman_read_data_files(postfix_cleanup_t)
')

########################################
#
# Postfix local local policy
#
# postfix_local_t performs local delivery (mailboxes, aliases, ~/.forward).
# Security-relevant: this is the domain in which user-controlled delivery
# commands from aliases/.forward run unless one of the optional domtrans
# rules below (procmail, zarafa, clamscan) matches, so the shell/bin
# execution and home-directory read access granted here are what such a
# command inherits.
#

allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t self:fifo_file rw_fifo_file_perms;

# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)

# for .forward - maybe we need a new type for it?
# NOTE(review): the comment above predates this rule; the rule itself grants
# read/write on private/ sockets, not anything .forward-specific.
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)

# resubmission (e.g. .forward to another address) goes through the
# postdrop domain rather than writing maildrop directly
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)

# queue files are only read/written, never created or unlinked, by local
allow postfix_local_t postfix_spool_t:file rw_file_perms;

# NOTE(review): "|command" aliases and .forward entries execute in this
# domain without a transition; a malicious or compromised command keeps
# every permission listed in this section.
corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)

files_read_etc_files(postfix_local_t)

logging_dontaudit_search_logs(postfix_local_t)

mta_read_aliases(postfix_local_t)
# unconditional: delete only; full manage access is behind the tunable below
mta_delete_spool(postfix_local_t)
# For reading spamassassin configuration (via the generic MTA config type)
mta_read_config(postfix_local_t)
# Handle vacation script
mta_send_mail(postfix_local_t)

# needed to read ~/.forward; this also exposes other readable home content
# to the delivery commands noted above
userdom_read_user_home_content_files(postfix_local_t)

tunable_policy(`allow_postfix_local_write_mail_spool',`
	mta_manage_spool(postfix_local_t)
')

optional_policy(`
	clamav_search_lib(postfix_local_t)
	clamav_exec_clamscan(postfix_local_t)
')

optional_policy(`
	# for postalias
	mailman_manage_data_files(postfix_local_t)
	mailman_append_log(postfix_local_t)
	mailman_read_log(postfix_local_t)
')

optional_policy(`
	nagios_search_spool(postfix_local_t)
')

optional_policy(`
	procmail_domtrans(postfix_local_t)
')

optional_policy(`
	zarafa_deliver_domtrans(postfix_local_t)
')

########################################
#
# Postfix map local policy
#
# postmap/postalias: builds the lookup-table databases next to the
# configuration (postfix_etc_t) using a private tmp type.
#
# dac_override + setuid/setgid: the map builder may run as root and drop to
# the postfix user while rewriting tables owned by either
allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
allow postfix_map_t self:udp_socket create_socket_perms;

# full manage access on the config type is the point of this domain: the
# .db tables are created in place beside main.cf
manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)

manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })

kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)

# NOTE(review): a table-building tool is allowed to connect to every TCP
# port; presumably for network-backed maps (ldap/mysql/pgsql lookups) -
# if only those are needed the corresponding *_tcp_connect interfaces
# would be a tighter fit.
corenet_all_recvfrom_unlabeled(postfix_map_t)
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_udp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
corenet_udp_sendrecv_generic_node(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
corenet_udp_sendrecv_all_ports(postfix_map_t)
corenet_tcp_connect_all_ports(postfix_map_t)
corenet_sendrecv_all_client_packets(postfix_map_t)

# read-only view of bin: no corecmd_exec_bin here, so it cannot run helpers
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)

files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)

auth_use_nsswitch(postfix_map_t)

logging_send_syslog_msg(postfix_map_t)

miscfiles_read_localization(postfix_map_t)

optional_policy(`
	locallogin_dontaudit_use_fds(postfix_map_t)
')

optional_policy(`
	# for postalias
	mailman_manage_data_files(postfix_map_t)
')

########################################
#
# Postfix pickup local policy
#
# pickup moves locally submitted mail from maildrop into the queue via
# cleanup. It is the consumer side of the untrusted maildrop directory:
# note it gets list/read/delete there but never write or create.
#

allow postfix_pickup_t self:tcp_socket create_socket_perms;

# hand submissions to cleanup through master's private/ socket
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)

rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)

postfix_list_spool(postfix_pickup_t)

# read-and-remove only: a compromised pickup cannot forge new maildrop files
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)

########################################
#
# Postfix pipe local policy
#
# The pipe(8) delivery agent hands messages to external commands configured
# in master.cf. Each optional_policy block below gives a known delivery
# program its own domain; anything not listed runs via corecmd_exec_bin
# and stays in postfix_pipe_t.
#

allow postfix_pipe_t self:process setrlimit;
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;

write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)

write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)

# queue files are opened read/write only; no create/unlink in this domain
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)

domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)

# NOTE(review): fallback for delivery commands without a dedicated domain;
# such a command inherits this section's spool rw and the optional
# mta_manage_spool below.
corecmd_exec_bin(postfix_pipe_t)

optional_policy(`
	dovecot_domtrans_deliver(postfix_pipe_t)
')

optional_policy(`
	procmail_domtrans(postfix_pipe_t)
')

optional_policy(`
	mailman_domtrans_queue(postfix_pipe_t)
')

# NOTE(review): mta_* interfaces are called unconditionally elsewhere in
# this module, so wrapping these two in optional_policy is likely
# redundant rather than a real optionality.
optional_policy(`
	mta_manage_spool(postfix_pipe_t)
	mta_send_mail(postfix_pipe_t)
')

optional_policy(`
	spamassassin_domtrans_client(postfix_pipe_t)
	spamassassin_kill_client(postfix_pipe_t)
')

optional_policy(`
	uucp_domtrans_uux(postfix_pipe_t)
')

########################################
#
# Postfix postdrop local policy
#
# postdrop is the set-gid helper every local sender (sendmail(1), cron
# jobs, web apps) runs to submit mail. It is therefore reachable by
# untrusted users: its write access is deliberately limited to the
# maildrop directory and the public/ fifo.
#

# usually it does not need a UDP socket
# (the comment above refers to the udp_socket rule two lines down)
allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;

# Might be a leak, but I need a postfix expert to explain
# NOTE(review): postfix_local_t domtrans into this domain (see the local
# section), so this is most likely an inherited unix socket fd crossing
# that transition; if it is only a leaked descriptor the usual fix is a
# dontaudit (or closing the fd before exec) rather than an allow.
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };

rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)

postfix_list_spool(postfix_postdrop_t)
# the one place a user-driven domain may create files under the spool
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)

corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)

# inherited terminal fds from the calling user are silently denied, not granted
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)

mta_rw_user_mail_stream_sockets(postfix_postdrop_t)

optional_policy(`
	apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
')

optional_policy(`
	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')

# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
	fstools_read_pipes(postfix_postdrop_t)
')

optional_policy(`
	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
')

optional_policy(`
	uucp_manage_spool(postfix_postdrop_t)
')

########################################
#
# Postfix postqueue local policy
#
# postqueue is the user-facing queue tool (mailq / postqueue). It talks to
# the master process through the public spool sockets and FIFOs rather than
# touching queue files itself; listing is delegated to showq.
#

# Only socket creation (plus ioctl on UDP) is granted, no bind/connect/send.
# Presumably resolver or socket-type probing — check audit logs before
# widening this to create_socket_perms.
allow postfix_postqueue_t self:tcp_socket create;
allow postfix_postqueue_t self:udp_socket { create ioctl };

# wants to write to /var/spool/postfix/public/showq
# (unix stream socket in the public dir, created by the master process)
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)

# write to /var/spool/postfix/public/qmgr
# (write-only on the public FIFOs; presumably the queue-flush trigger)
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)

# exec showq and transition into its own domain instead of reading queue
# files from postfix_postqueue_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)

# to write the mailq output, it really should not need read access!
# NOTE(review): these interfaces presumably grant read as well as write on
# every pty/tty type; a write-only variant would be the least-privilege fit.
term_use_all_ptys(postfix_postqueue_t)
term_use_all_ttys(postfix_postqueue_t)

# when run from init scripts: inherit their fds and signal the parent
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)

# may be started as a system cron job
optional_policy(`
	cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
')

# may be started from ppp hooks (presumably to flush the queue once a
# link comes up — confirm)
optional_policy(`
	ppp_use_fds(postfix_postqueue_t)
	ppp_sigchld(postfix_postqueue_t)
')
########################################
#
# Postfix qmgr local policy
#
# The queue manager owns the queue directories and hands messages to the
# delivery agents through the master's sockets.
#

# connect to master-owned unix stream sockets in both the private and the
# public spool directories
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)

# read and write the trigger FIFOs in the public directory
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)

# for /var/spool/postfix/active
# full create/rename/unlink over spool dirs, files and symlinks; new
# directories created under the generic spool get the postfix_spool_t label
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)

# the bounce spool is read-only from the queue manager's side
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;

# NOTE(review): lets qmgr execute anything in the general bin directories;
# confirm which helper actually needs this — a daemon that only moves queue
# files ideally should not need exec at all.
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
# Postfix showq local policy
#
# showq is spawned by the master process on behalf of postqueue/mailq and
# lists the queue: read-only access to queue directories plus the caller's
# terminal.
#

# setuid/setgid are the only capabilities granted — presumably to drop to
# the postfix user after being spawned by master; confirm
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t self:tcp_socket create_socket_perms;

# accept and serve connections on the master's unix stream socket
# (the public/showq socket that postqueue connects to)
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };

# queue files are read, never written, from this domain
allow postfix_showq_t postfix_spool_t:file read_file_perms;

postfix_list_spool(postfix_showq_t)

# the maildrop queue (postdrop's submissions) is read-only here as well
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;

# to write the mailq output, it really should not need read access!
# NOTE(review): as with postqueue, these presumably grant read on every
# pty/tty type too; a write-only variant would be tighter.
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
########################################
#
# Postfix smtp delivery local policy
#
# The smtp client delivers queued mail to remote MTAs (and to local
# cyrus/milter endpoints via the optional blocks below).
#

# sys_chroot is the only capability granted — presumably so the agent can
# chroot into the spool when master.cf asks for it; confirm
allow postfix_smtp_t self:capability sys_chroot;

# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)

# the PRNG exchange file (its own postfix_prng_t label)
allow postfix_smtp_t postfix_prng_t:file rw_file_perms;

# NOTE(review): rw on every postfix_spool_t file is broad for a client that
# should only need to read the queue file it is delivering; check whether
# this predates the separate postfix_prng_t label and can now be narrowed.
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;

# search through every mount point — broader than the postfix spool tree;
# confirm it is still needed
files_search_all_mountpoints(postfix_smtp_t)

# delivery to a local cyrus imapd over its unix socket
optional_policy(`
	cyrus_stream_connect(postfix_smtp_t)
')

# connect to milter (content filter) sockets
optional_policy(`
	milter_stream_connect_all(postfix_smtp_t)
')
########################################
#
# Postfix smtpd local policy
#
# smtpd accepts inbound SMTP connections; it is the most network-exposed
# postfix domain, so every write and exec grant here deserves scrutiny.
#

# use the already-accepted TCP connection inherited from the master process
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;

# connect to master process
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)

# Connect to policy server
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)

# for prng_exch
# NOTE(review): the PRNG exchange file has its own postfix_prng_t type
# (next rule); confirm rw on all postfix_spool_t files is still required —
# a network-facing daemon writing the queue is more than this comment
# justifies.
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;

# NOTE(review): executes anything in the general bin directories; confirm
# which helper the network-facing domain actually needs.
corecmd_exec_bin(postfix_smtpd_t)

# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)

# postfix checks the size of all mounted file systems
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)

# alias lookups (presumably for recipient checks)
mta_read_aliases(postfix_smtpd_t)

# SMTP AUTH via dovecot's auth socket
optional_policy(`
	dovecot_stream_connect_auth(postfix_smtpd_t)
')

# mailman list data (read-only)
optional_policy(`
	mailman_read_data_files(postfix_smtpd_t)
')

# postgrey greylisting policy daemon over its unix socket
optional_policy(`
	postgrey_stream_connect(postfix_smtpd_t)
')

# SMTP AUTH via saslauthd
optional_policy(`
	sasl_connect(postfix_smtpd_t)
')
########################################
#
# Postfix virtual local policy
#
# The virtual delivery agent writes mail into per-domain mailboxes.
#

allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;

allow postfix_virtual_t postfix_spool_t:file rw_file_perms;

# connect to master process
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)

# NOTE(review): shell plus general bin execution is a wide grant for a
# mailbox delivery agent; virtual(8) normally does not pipe to commands,
# so confirm this is not a leftover copied from the local delivery domain.
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)

files_read_etc_files(postfix_virtual_t)
files_read_usr_files(postfix_virtual_t)

mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
# For reading spamassassin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)

# NOTE(review): full create/write/delete over every user's home directory
# and its contents, plus label transitions for new files and dirs there.
# This is the broadest grant in this section and is unconditional; if
# virtual mailboxes live under $HOME only on some deployments, gate these
# four rules behind a tunable instead.
userdom_manage_user_home_dirs(postfix_virtual_t)
userdom_manage_user_home_content(postfix_virtual_t)
userdom_home_filetrans_user_home_dir(postfix_virtual_t)
userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })