Blob Blame History Raw
#DESC Postfix - Mail server
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postfix
# Depends: mta.te
#

# Type for files created during execution of postfix.
type postfix_var_run_t, file_type, sysadmfile, pidfile;

type postfix_etc_t, file_type, sysadmfile;
type postfix_exec_t, file_type, sysadmfile, exec_type;
type postfix_public_t, file_type, sysadmfile;
type postfix_private_t, file_type, sysadmfile;
type postfix_spool_t, file_type, sysadmfile;
type postfix_spool_maildrop_t, file_type, sysadmfile;
type postfix_spool_flush_t, file_type, sysadmfile;
type postfix_prng_t, file_type, sysadmfile;

# postfix needs this for newaliases
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;

#################################
#
# Rules for the postfix_$1_t domain.
#
# postfix_$1_exec_t is the type of the postfix_$1 executables.
#
define(`postfix_domain', `
daemon_core_rules(postfix_$1, `$2')
allow postfix_$1_t self:process setpgid;
allow postfix_$1_t postfix_master_t:process sigchld;
allow postfix_master_t postfix_$1_t:process signal;

allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
allow postfix_$1_t postfix_etc_t:file r_file_perms;
read_locale(postfix_$1_t)
allow postfix_$1_t etc_t:file { getattr read };
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;

allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
allow postfix_$1_t shell_exec_t:file rx_file_perms;
allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
allow postfix_$1_t devtty_t:chr_file rw_file_perms;
allow postfix_$1_t etc_runtime_t:file r_file_perms;
allow postfix_$1_t proc_t:dir r_dir_perms;
allow postfix_$1_t proc_t:file r_file_perms;
allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
allow postfix_$1_t fs_t:filesystem getattr;
allow postfix_$1_t proc_net_t:dir search;
allow postfix_$1_t proc_net_t:file { getattr read };
can_exec(postfix_$1_t, postfix_$1_exec_t)
r_dir_file(postfix_$1_t, cert_t)
allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };

allow postfix_$1_t tmp_t:dir getattr;

file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)

read_sysctl(postfix_$1_t)

')dnl end postfix_domain

ifdef(`crond.te',
`allow system_mail_t crond_t:tcp_socket { read write create };')

postfix_domain(master, `, mail_server_domain')
rhgb_domain(postfix_master_t)

# for a find command
dontaudit postfix_master_t security_t:dir search;

read_sysctl(postfix_master_t)

ifdef(`targeted_policy', `
bool disable_postfix_trans false;
if (!disable_postfix_trans) {
')
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };

domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
ifdef(`targeted_policy', `', `
role_transition sysadm_r postfix_master_exec_t system_r;
')
allow postfix_master_t postfix_etc_t:file rw_file_perms;
dontaudit postfix_master_t admin_tty_type:chr_file { read write };
allow postfix_master_t devpts_t:dir search;

domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
allow system_mail_t sysadm_t:process sigchld;
allow system_mail_t privfd:fd use;

ifdef(`pppd.te', `
domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
')

ifdef(`targeted_policy', `
}
')

allow postfix_master_t privfd:fd use;
ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;

# postfix does a "find" on startup for some reason - keep it quiet
dontaudit postfix_master_t selinux_config_t:dir search;
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
ifdef(`distro_redhat', `
# compatability for old default main.cf
file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
# for newer main.cf that uses /etc/aliases
file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
')
file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
allow postfix_master_t sendmail_exec_t:file r_file_perms;
allow postfix_master_t sbin_t:lnk_file { getattr read };

can_exec(postfix_master_t, { ls_exec_t sbin_t })
allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t usr_t:file r_file_perms;
can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
allow postfix_master_t postfix_public_t:sock_file create_file_perms;
allow postfix_master_t postfix_public_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
can_network(postfix_master_t)
allow postfix_master_t port_type:tcp_socket name_connect;
can_ypbind(postfix_master_t)
allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
allow postfix_master_t postfix_prng_t:file getattr;
allow postfix_master_t privfd:fd use;
allow postfix_master_t etc_aliases_t:file rw_file_perms;

ifdef(`saslauthd.te',`
allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
can_unix_connect(postfix_smtpd_t,saslauthd_t)
')

create_dir_file(postfix_master_t, postfix_spool_flush_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
# for ls to get the current context
allow postfix_master_t self:file { getattr read };

# allow access to deferred queue and allow removing bogus incoming entries
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_t:file create_file_perms;

dontaudit postfix_master_t man_t:dir search;

define(`postfix_server_domain', `
postfix_domain($1, `$2')
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:capability { setuid setgid dac_override };
can_network_client(postfix_$1_t)
allow postfix_$1_t port_type:tcp_socket name_connect;
can_ypbind(postfix_$1_t)
')

postfix_server_domain(smtp, `, mail_server_sender')
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
# if you have two different mail servers on the same host let them talk via
# SMTP, also if one mail server wants to talk to itself then allow it and let
# the SMTP protocol sort it out (SE Linux is not to prevent mail server
# misconfiguration)
can_tcp_connect(postfix_smtp_t, mail_server_domain)

postfix_server_domain(smtpd)
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
# for OpenSSL certificates
r_dir_file(postfix_smtpd_t,usr_t)
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
allow postfix_smtpd_t self:file { getattr read };

# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;

postfix_server_domain(local, `, mta_delivery_agent')

ifdef(`procmail.te', `
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
# for a bug in the postfix local program
dontaudit procmail_t postfix_local_t:tcp_socket { read write };
dontaudit procmail_t postfix_master_t:fd use;
')
allow postfix_local_t etc_aliases_t:file r_file_perms;
allow postfix_local_t self:fifo_file rw_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t postfix_spool_t:file rw_file_perms;
# for .forward - maybe we need a new type for it?
allow postfix_local_t postfix_private_t:dir search;
allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
allow postfix_local_t postfix_public_t:dir search;
allow postfix_local_t postfix_public_t:sock_file write;
tmp_domain(postfix_local)
can_exec(postfix_local_t,{ shell_exec_t bin_t })
allow postfix_local_t mail_spool_t:dir { remove_name };
allow postfix_local_t mail_spool_t:file { unlink };
# For reading spamassasin
r_dir_file(postfix_local_t, etc_mail_t)

define(`postfix_public_domain',`
postfix_server_domain($1)
allow postfix_$1_t postfix_public_t:dir search;
')

postfix_public_domain(cleanup)
create_dir_file(postfix_cleanup_t, postfix_spool_t)
allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
allow postfix_cleanup_t postfix_private_t:dir search;
allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
allow postfix_cleanup_t self:process setrlimit;

allow user_mail_domain postfix_spool_t:dir r_dir_perms;
allow user_mail_domain postfix_etc_t:dir r_dir_perms;
allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
allow user_mail_domain self:capability dac_override;

define(`postfix_user_domain', `
postfix_domain($1, `$2')
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
in_user_role(postfix_$1_t)
role sysadm_r types postfix_$1_t;
allow postfix_$1_t userdomain:process sigchld;
allow postfix_$1_t userdomain:fifo_file { write getattr };
allow postfix_$1_t { userdomain privfd }:fd use;
allow postfix_$1_t self:capability dac_override;
')

postfix_user_domain(postqueue)
allow postfix_postqueue_t postfix_public_t:dir search;
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
allow postfix_postqueue_t self:udp_socket { create ioctl };
allow postfix_postqueue_t self:tcp_socket create;
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_postqueue_t initrc_t:process sigchld;
allow postfix_postqueue_t initrc_t:fd use;

# to write the mailq output, it really should not need read access!
allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')

# wants to write to /var/spool/postfix/public/showq
allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
# write to /var/spool/postfix/public/qmgr
allow postfix_postqueue_t postfix_public_t:fifo_file write;
dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;

postfix_user_domain(showq)
# the following auto_trans is usually in postfix server domain
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
can_resolve(postfix_showq_t)
r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
allow postfix_showq_t postfix_spool_t:file r_file_perms;
allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
dontaudit postfix_showq_t net_conf_t:file r_file_perms;

postfix_user_domain(postdrop, `, mta_user_agent')
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
allow postfix_postdrop_t postfix_public_t:dir search;
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
ifdef(`crond.te',
`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
# usually it does not need a UDP socket
allow postfix_postdrop_t self:udp_socket create_socket_perms;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;

postfix_public_domain(pickup)
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
allow postfix_pickup_t postfix_private_t:dir search;
allow postfix_pickup_t postfix_private_t:sock_file write;
allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
allow postfix_pickup_t self:tcp_socket create_socket_perms;

postfix_public_domain(qmgr)
allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_qmgr_t postfix_public_t:sock_file write;
allow postfix_qmgr_t postfix_private_t:dir search;
allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;

# for /var/spool/postfix/active
create_dir_file(postfix_qmgr_t, postfix_spool_t)

postfix_public_domain(bounce)
type postfix_spool_bounce_t, file_type, sysadmfile;
create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
create_dir_file(postfix_bounce_t, postfix_spool_t)
allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t self:tcp_socket create_socket_perms;

r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)

postfix_public_domain(pipe)
allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
allow postfix_pipe_t self:fifo_file { read write };
allow postfix_pipe_t postfix_private_t:dir search;
allow postfix_pipe_t postfix_private_t:sock_file write;
ifdef(`procmail.te', `
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
')
ifdef(`sendmail.te', `
r_dir_file(sendmail_t, postfix_etc_t)
allow sendmail_t postfix_spool_t:dir search;
')

# Program for creating database files
application_domain(postfix_map)
base_file_read_access(postfix_map_t)
allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
tmp_domain(postfix_map)
create_dir_file(postfix_map_t, postfix_etc_t)
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
dontaudit postfix_map_t proc_t:dir { getattr read search };
dontaudit postfix_map_t local_login_t:fd use;
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
read_locale(postfix_map_t)
allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
dontaudit postfix_map_t var_t:dir search;
can_network_server(postfix_map_t)
allow postfix_map_t port_type:tcp_socket name_connect;