policy_module(postfix, 1.10.2)
########################################
#
# Declarations
#
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
attribute postfix_user_domtrans;
postfix_server_domain_template(bounce)
type postfix_spool_bounce_t;
files_type(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
type postfix_etc_t;
files_type(postfix_etc_t)
type postfix_exec_t;
application_executable_file(postfix_exec_t)
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
# alias is a hack to make the disable trans bool
# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
type postfix_private_t;
files_type(postfix_private_t)
type postfix_prng_t;
files_type(postfix_prng_t)
postfix_server_domain_template(qmgr)
postfix_user_domain_template(showq)
postfix_server_domain_template(smtp)
mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t;
files_type(postfix_spool_t)
type postfix_spool_maildrop_t;
files_type(postfix_spool_maildrop_t)
type postfix_spool_flush_t;
files_type(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
# the data_directory config parameter
type postfix_data_t;
files_type(postfix_data_t)
postfix_server_domain_template(virtual)
mta_mailserver_delivery(postfix_virtual_t)
type postfix_virtual_tmp_t;
files_tmp_file(postfix_virtual_tmp_t)
########################################
#
# Postfix master process local policy
#
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
can_exec(postfix_master_t,postfix_exec_t)
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
kernel_read_all_sysctls(postfix_master_t)
corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_sendrecv_all_client_packets(postfix_master_t)
# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
# postfix does a "find" on startup for some reason - keep it quiet
seutil_dontaudit_search_config(postfix_master_t)
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
ifdef(`distro_redhat',`
	# for newer main.cf that uses /etc/aliases
	mta_manage_aliases(postfix_master_t)
	mta_etc_filetrans_aliases(postfix_master_t)
')
optional_policy(`
	cyrus_stream_connect(postfix_master_t)
')
optional_policy(`
#	for postalias
	mailman_manage_data_files(postfix_master_t)
')
optional_policy(`
	mysql_stream_connect(postfix_master_t)
')
optional_policy(`
	sendmail_signal(postfix_master_t)
')
########################################
#
# Postfix bounce local policy
#
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t postfix_public_t:dir search;
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
########################################
#
# Postfix cleanup local policy
#
allow postfix_cleanup_t self:process setrlimit;
# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
########################################
#
# Postfix local local policy
#
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
manage_dirs_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
manage_files_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
files_read_etc_files(postfix_local_t)
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassassin
mta_read_config(postfix_local_t)
optional_policy(`
	clamav_search_lib(postfix_local_t)
')
optional_policy(`
#	for postalias
	mailman_manage_data_files(postfix_local_t)
')
optional_policy(`
	procmail_domtrans(postfix_local_t)
')
########################################
#
# Postfix map local policy
#
allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
allow postfix_map_t self:udp_socket create_socket_perms;
manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
corenet_all_recvfrom_unlabeled(postfix_map_t)
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_udp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
corenet_udp_sendrecv_generic_node(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
corenet_udp_sendrecv_all_ports(postfix_map_t)
corenet_tcp_connect_all_ports(postfix_map_t)
corenet_sendrecv_all_client_packets(postfix_map_t)
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
miscfiles_read_localization(postfix_map_t)
seutil_read_config(postfix_map_t)
userdom_use_user_terminals(postfix_map_t)
tunable_policy(`read_default_t',`
	files_list_default(postfix_map_t)
	files_read_default_files(postfix_map_t)
	files_read_default_symlinks(postfix_map_t)
	files_read_default_sockets(postfix_map_t)
	files_read_default_pipes(postfix_map_t)
')
optional_policy(`
	locallogin_dontaudit_use_fds(postfix_map_t)
')
########################################
#
# Postfix pickup local policy
#
allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_pickup_t)
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
########################################
#
# Postfix pipe local policy
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
optional_policy(`
	procmail_domtrans(postfix_pipe_t)
')
optional_policy(`
	mailman_domtrans_queue(postfix_pipe_t)
')
optional_policy(`
	uucp_domtrans_uux(postfix_pipe_t)
')
########################################
#
# Postfix postdrop local policy
#
# usually it does not need a UDP socket
allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
	fstools_read_pipes(postfix_postdrop_t)
')
optional_policy(`
	ppp_use_fds(postfix_postqueue_t)
	ppp_sigchld(postfix_postqueue_t)
')
########################################
#
# Postfix postqueue local policy
#
allow postfix_postqueue_t self:tcp_socket create;
allow postfix_postqueue_t self:udp_socket { create ioctl };
# wants to write to /var/spool/postfix/public/showq
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t,postfix_master_t)
# write to /var/spool/postfix/public/qmgr
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
term_use_all_user_ptys(postfix_postqueue_t)
term_use_all_user_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
########################################
#
# Postfix qmgr local policy
#
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
# for /var/spool/postfix/active
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
# Postfix showq local policy
#
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
allow postfix_showq_t postfix_spool_t:file read_file_perms;
postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
# to write the mailq output, it really should not need read access!
term_use_all_user_ptys(postfix_showq_t)
term_use_all_user_ttys(postfix_showq_t)
########################################
#
# Postfix smtp delivery local policy
#
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
files_dontaudit_getattr_home_dir(postfix_smtp_t)
optional_policy(`
	cyrus_stream_connect(postfix_smtp_t)
')
optional_policy(`
	milter_stream_connect_all(postfix_smtp_t)
')
########################################
#
# Postfix smtpd local policy
#
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
# connect to master process
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
# Connect to policy server
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
	mailman_read_data_files(postfix_smtpd_t)
')
optional_policy(`
	postgrey_stream_connect(postfix_smtpd_t)
')
optional_policy(`
	sasl_connect(postfix_smtpd_t)
')
########################################
#
# Postfix virtual local policy
#
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
manage_dirs_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
manage_files_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t)
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
files_read_etc_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
# For reading spamassassin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)