policy_module(postfix,1.1.1)
########################################
#
# Declarations
#
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
attribute postfix_user_domtrans;
postfix_public_domain_template(bounce)
type postfix_spool_bounce_t;
files_type(postfix_spool_bounce_t)
postfix_public_domain_template(cleanup)
type postfix_etc_t;
files_type(postfix_etc_t)
type postfix_exec_t;
files_type(postfix_exec_t)
# temp:
typeattribute postfix_exec_t entry_type;
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
domain_type(postfix_map_t)
domain_entry_file(postfix_map_t,postfix_map_exec_t)
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
# alias is a hack to make the disable trans bool
# generation macro work
mta_mailserver(postfix_t,postfix_master_exec_t)
postfix_public_domain_template(pickup)
postfix_public_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
type postfix_private_t;
files_type(postfix_private_t)
type postfix_prng_t;
files_type(postfix_prng_t)
postfix_public_domain_template(qmgr)
postfix_user_domain_template(showq)
postfix_server_domain_template(smtp)
mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t;
files_type(postfix_spool_t)
type postfix_spool_maildrop_t;
files_type(postfix_spool_maildrop_t)
type postfix_spool_flush_t;
files_type(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
########################################
#
# Postfix master process local policy
#
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
can_exec(postfix_master_t,postfix_exec_t)
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
allow postfix_master_t postfix_private_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
allow postfix_master_t postfix_prng_t:file rw_file_perms;
allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
allow postfix_master_t postfix_public_t:sock_file create_file_perms;
allow postfix_master_t postfix_public_t:dir rw_dir_perms;
# allow access to the deferred queue and allow removal of bogus incoming entries
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_t:file create_file_perms;
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
kernel_read_all_sysctls(postfix_master_t)
corenet_tcp_sendrecv_all_if(postfix_master_t)
corenet_udp_sendrecv_all_if(postfix_master_t)
corenet_raw_sendrecv_all_if(postfix_master_t)
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
corenet_udp_sendrecv_all_nodes(postfix_master_t)
corenet_raw_sendrecv_all_nodes(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_non_ipsec_sendrecv(postfix_master_t)
corenet_tcp_bind_all_nodes(postfix_master_t)
corenet_udp_bind_all_nodes(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
corecmd_exec_ls(postfix_master_t)
corecmd_exec_sbin(postfix_master_t)
corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)
domain_use_wide_inherit_fd(postfix_master_t)
files_read_usr_files(postfix_master_t)
init_use_script_ptys(postfix_master_t)
miscfiles_dontaudit_search_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
# postfix does a "find" on startup for some reason - keep it quiet
seutil_dontaudit_search_config(postfix_master_t)
sysnet_read_config(postfix_master_t)
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
optional_policy(`mount',`
	mount_send_nfs_client_request(postfix_master_t)
')
optional_policy(`nis',`
	nis_use_ypbind(postfix_master_t)
')
###########################################################
#
# Partially converted rules.  THESE ARE ONLY TEMPORARY
#
ifdef(`distro_redhat',`
	# for newer main.cf that uses /etc/aliases
	allow postfix_master_t etc_t:dir rw_dir_perms;
	allow postfix_master_t etc_aliases_t:dir create_dir_perms;
	allow postfix_master_t etc_aliases_t:file create_file_perms;
	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
	type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
	allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
	allow postfix_master_t etc_aliases_t:dir create_dir_perms;
	allow postfix_master_t etc_aliases_t:file create_file_perms;
	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
	type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
')
# end partially converted rules
########################################
#
# Postfix bounce local policy
#
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t postfix_spool_t:dir create_dir_perms;
allow postfix_bounce_t postfix_spool_t:file create_file_perms;
allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms;
allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms;
allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms;
allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
########################################
#
# Postfix cleanup local policy
#
allow postfix_cleanup_t self:process setrlimit;
# connect to master process
allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_cleanup_t postfix_private_t:dir search;
allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms;
allow postfix_cleanup_t postfix_spool_t:file create_file_perms;
allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
########################################
#
# Postfix local local policy
#
allow postfix_local_t self:fifo_file rw_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
files_filetrans_tmp(postfix_local_t, postfix_local_tmp_t, { file dir })
# connect to master process
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
allow postfix_local_t postfix_public_t:dir search;
allow postfix_local_t postfix_public_t:sock_file write;
# for .forward - maybe we need a new type for it?
allow postfix_local_t postfix_private_t:dir search;
allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading the spamassassin config
mta_read_config(postfix_local_t)
optional_policy(`procmail',`
	procmail_domtrans(postfix_local_t)
')
########################################
#
# Postfix map local policy
#
allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
allow postfix_map_t self:udp_socket create_socket_perms;
allow postfix_map_t postfix_etc_t:dir create_dir_perms;
allow postfix_map_t postfix_etc_t:file create_file_perms;
allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
files_filetrans_tmp(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
corenet_raw_sendrecv_all_if(postfix_map_t)
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
corenet_udp_sendrecv_all_nodes(postfix_map_t)
corenet_raw_sendrecv_all_nodes(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
corenet_udp_sendrecv_all_ports(postfix_map_t)
corenet_non_ipsec_sendrecv(postfix_map_t)
corenet_tcp_bind_all_nodes(postfix_map_t)
corenet_udp_bind_all_nodes(postfix_map_t)
corenet_tcp_connect_all_ports(postfix_map_t)
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
corecmd_list_sbin(postfix_map_t)
corecmd_read_sbin_symlinks(postfix_map_t)
corecmd_read_sbin_files(postfix_map_t)
corecmd_read_sbin_pipes(postfix_map_t)
corecmd_read_sbin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
libs_use_ld_so(postfix_map_t)
libs_use_shared_libs(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
miscfiles_read_localization(postfix_map_t)
seutil_read_config(postfix_map_t)
sysnet_read_config(postfix_map_t)
ifdef(`targeted_policy',`
	# FIXME: would be better to use a run interface
	role system_r types postfix_map_t;
')
tunable_policy(`read_default_t',`
	files_list_default(postfix_map_t)
	files_read_default_files(postfix_map_t)
	files_read_default_symlinks(postfix_map_t)
	files_read_default_sockets(postfix_map_t)
	files_read_default_pipes(postfix_map_t)
')
optional_policy(`locallogin',`
	locallogin_dontaudit_use_fd(postfix_map_t)
')
# a "run" interface needs to be
# added, and have sysadm_t use it
# in an optional_policy block.
########################################
#
# Postfix pickup local policy
#
allow postfix_pickup_t self:tcp_socket create_socket_perms;
allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_pickup_t postfix_private_t:dir search;
allow postfix_pickup_t postfix_private_t:sock_file write;
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
########################################
#
# Postfix pipe local policy
#
allow postfix_pipe_t self:fifo_file { read write };
allow postfix_pipe_t postfix_private_t:dir search;
allow postfix_pipe_t postfix_private_t:sock_file write;
allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
optional_policy(`procmail',`
	procmail_domtrans(postfix_pipe_t)
')
########################################
#
# Postfix postdrop local policy
#
# usually it does not need a UDP socket
allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
allow postfix_postdrop_t postfix_public_t:dir search;
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
corenet_udp_sendrecv_all_if(postfix_postdrop_t)
corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
sysnet_dns_name_resolve(postfix_postdrop_t)
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
ifdef(`targeted_policy', `
	term_use_unallocated_ttys(postfix_postdrop_t)
	term_use_generic_ptys(postfix_postdrop_t)
')
optional_policy(`crond',`
	cron_use_fd(postfix_postdrop_t)
	cron_rw_pipes(postfix_postdrop_t)
	cron_use_system_job_fd(postfix_postdrop_t)
	cron_rw_system_job_pipes(postfix_postdrop_t)
')
optional_policy(`ppp',`
	ppp_use_fd(postfix_postqueue_t)
	ppp_sigchld(postfix_postqueue_t)
')
#######################################
#
# Postfix postqueue local policy
#
allow postfix_postqueue_t self:tcp_socket create;
allow postfix_postqueue_t self:udp_socket { create ioctl };
# wants to write to /var/spool/postfix/public/showq
allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
allow postfix_postqueue_t postfix_public_t:dir search;
# write to /var/spool/postfix/public/qmgr
allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_master_t postfix_postqueue_t:fd use;
allow postfix_postqueue_t postfix_master_t:fd use;
allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
allow postfix_postqueue_t postfix_master_t:process sigchld;
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_postqueue_t postfix_showq_t:fd use;
allow postfix_showq_t postfix_postqueue_t:fd use;
allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
allow postfix_showq_t postfix_postqueue_t:process sigchld;
# to write the mailq output, it really should not need read access!
term_use_all_user_ptys(postfix_postqueue_t)
term_use_all_user_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fd(postfix_postqueue_t)
sysnet_dontaudit_read_config(postfix_postqueue_t)
ifdef(`TODO',`
optional_policy(`gnome-pty-helper', `allow postfix_postqueue_t user_gph_t:fd use;')
')
########################################
#
# Postfix qmgr local policy
#
allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
allow postfix_qmgr_t postfix_private_t:dir search;
allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_qmgr_t postfix_public_t:sock_file write;
# for /var/spool/postfix/active
allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
########################################
#
# Postfix showq local policy
#
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t self:tcp_socket create_socket_perms;
# the following auto_trans is usually in the postfix server domain
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_master_t postfix_showq_t:fd use;
allow postfix_showq_t postfix_master_t:fd use;
allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
allow postfix_showq_t postfix_master_t:process sigchld;
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
allow postfix_showq_t postfix_spool_t:file r_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
# to write the mailq output, it really should not need read access!
term_use_all_user_ptys(postfix_showq_t)
term_use_all_user_ttys(postfix_showq_t)
sysnet_dns_name_resolve(postfix_showq_t)
########################################
#
# Postfix smtp delivery local policy
#
# connect to master process
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
kernel_tcp_recvfrom(postfix_smtp_t)
# if you have two different mail servers on the same host let them talk via
# SMTP, also if one mail server wants to talk to itself then allow it and let
# the SMTP protocol sort it out (SELinux is not meant to prevent mail server
# misconfiguration)
mta_tcp_connect_all_mailservers(postfix_smtp_t)
########################################
#
# Postfix smtpd local policy
#
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
# connect to master process
allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
optional_policy(`sasl',`
	sasl_connect(postfix_smtpd_t)
')