add postfix
This commit is contained in:
Chris PeBenito
parent
f932d8e3cb
commit
04926d07a8
|
|
@ -11,6 +11,7 @@
|
|||
lpd
|
||||
networkmanager
|
||||
pegasus
|
||||
postfix
|
||||
radius
|
||||
spamassassin
|
||||
xdm
|
||||
|
|
|
|||
|
|
@ -392,10 +392,26 @@ interface(`cron_read_pipe',`
|
|||
interface(`cron_rw_pipe',`
|
||||
gen_require(`
|
||||
type crond_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
allow $1 crond_t:file { read write };
|
||||
allow $1 crond_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, and write a cron daemon TCP socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: need to fix this name
|
||||
interface(`cron_crw_tcp_socket',`
|
||||
gen_require(`
|
||||
type crond_t;
|
||||
')
|
||||
|
||||
allow $1 crond_t:tcp_socket { create read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -449,7 +465,6 @@ interface(`cron_domtrans_anacron_system_job',`
|
|||
interface(`cron_use_system_job_fd',`
|
||||
gen_require(`
|
||||
type system_crond_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
allow $1 system_crond_t:fd use;
|
||||
|
|
@ -457,7 +472,7 @@ interface(`cron_use_system_job_fd',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Wrate a system cron job unnamed pipe.
|
||||
## Write a system cron job unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
|
|
@ -472,6 +487,22 @@ interface(`cron_write_system_job_pipe',`
|
|||
allow $1 system_crond_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a system cron job unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_rw_system_job_pipe',`
|
||||
gen_require(`
|
||||
type system_crond_t;
|
||||
')
|
||||
|
||||
allow $1 system_crond_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read temporary files from the system cron jobs.
|
||||
|
|
|
|||
|
|
@ -43,11 +43,11 @@ interface(`mta_stub',`
|
|||
#
|
||||
template(`mta_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute mailserver_domain, mta_user_agent;
|
||||
attribute mailserver_domain, mta_user_agent, user_mail_domain;
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
type $1_mail_t;
|
||||
type $1_mail_t, user_mail_domain;
|
||||
domain_type($1_mail_t)
|
||||
role $3 types $1_mail_t;
|
||||
|
||||
|
|
@ -128,6 +128,12 @@ template(`mta_per_userdomain_template',`
|
|||
nscd_use_socket($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
allow $1_mail_t self:capability dac_override;
|
||||
postfix_read_config($1_mail_t)
|
||||
postfix_list_spool($1_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_execute($1_mail_t)
|
||||
|
|
@ -376,7 +382,7 @@ interface(`mta_rw_aliases',`
|
|||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
|
||||
allow $1 etc_aliases_t:file { rw_file_perms setattr };
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
|
@ -490,6 +496,24 @@ interface(`mta_append_spool',`
|
|||
allow $1 mail_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Delete from the mail spool.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_delete_spool',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
|
||||
allow $1 mail_spool_t:file unlink;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_manage_spool(domain)
|
||||
|
|
@ -523,3 +547,37 @@ interface(`mta_manage_queue',`
|
|||
allow $1 mqueue_spool_t:dir rw_dir_perms;
|
||||
allow $1 mqueue_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read sendmail binary.
|
||||
## </summmary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for postfix
|
||||
interface(`mta_read_sendmail_bin',`
|
||||
gen_require(`
|
||||
type sendmail_exec_t;;
|
||||
')
|
||||
|
||||
allow $1 sendmail_exec_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read and write unix domain stream sockets
|
||||
## of user mail domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_rw_user_mail_stream_socket',`
|
||||
gen_require(`
|
||||
attribute user_mail_domain;
|
||||
')
|
||||
|
||||
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ attribute mailserver_delivery;
|
|||
attribute mailserver_domain;
|
||||
attribute mailserver_sender;
|
||||
|
||||
attribute user_mail_domain;
|
||||
|
||||
type etc_aliases_t;
|
||||
files_type(etc_aliases_t)
|
||||
|
||||
|
|
@ -152,8 +154,23 @@ optional_policy(`nscd.te',`
|
|||
nscd_use_socket(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
postfix_stub(system_mail_t)
|
||||
|
||||
allow system_mail_t etc_aliases_t:dir create_dir_perms;
|
||||
allow system_mail_t etc_aliases_t:file create_file_perms;
|
||||
allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow system_mail_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_create_etc_config(sysadm_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
cron_crw_tcp_socket(system_mail_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
sendmail_stub()
|
||||
sendmail_stub(system_mail_t)
|
||||
|
||||
allow system_mail_t etc_mail_t:dir { getattr search };
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,59 @@
|
|||
# postfix
|
||||
/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
|
||||
ifdef(`distro_redhat', `
|
||||
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
||||
/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
||||
/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
|
||||
/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
||||
/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
||||
/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
||||
/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
||||
/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
||||
', `
|
||||
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
||||
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
||||
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
|
||||
/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
||||
/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
||||
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
||||
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
||||
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
||||
')
|
||||
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
|
||||
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
|
||||
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
|
||||
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
|
||||
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
/usr/sbin/sendmail.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
||||
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
|
||||
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
||||
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
||||
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
||||
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
|
@ -0,0 +1,219 @@
|
|||
## <summary>Postfix email server</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Postfix stub interface. No access allowed.
|
||||
## </summary>
|
||||
## <param name="domain" optional="true">
|
||||
## N/A
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_stub',`
|
||||
gen_require(`
|
||||
type postfix_master_t;
|
||||
')
|
||||
')
|
||||
|
||||
template(`postfix_domain_template',`
|
||||
type postfix_$1_t;
|
||||
type postfix_$1_exec_t;
|
||||
domain_type(postfix_$1_t)
|
||||
domain_entry_file(postfix_$1_t,postfix_$1_exec_t)
|
||||
role system_r types postfix_$1_t;
|
||||
|
||||
dontaudit postfix_$1_t self:capability sys_tty_config;
|
||||
allow postfix_$1_t self:process { signal_perms setpgid };
|
||||
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_$1_t self:unix_stream_socket connectto;
|
||||
|
||||
allow postfix_master_t postfix_$1_t:process signal;
|
||||
|
||||
allow postfix_$1_t postfix_etc_t:dir r_dir_perms;
|
||||
allow postfix_$1_t postfix_etc_t:file r_file_perms;
|
||||
|
||||
can_exec(postfix_$1_t, postfix_$1_exec_t)
|
||||
|
||||
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
|
||||
# cjp: ???
|
||||
allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
|
||||
|
||||
allow postfix_$1_t postfix_master_t:process sigchld;
|
||||
|
||||
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
|
||||
|
||||
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
|
||||
files_create_pid(postfix_$1_t,postfix_var_run_t)
|
||||
|
||||
kernel_read_system_state(postfix_$1_t)
|
||||
kernel_read_network_state(postfix_$1_t)
|
||||
kernel_read_all_sysctl(postfix_$1_t)
|
||||
|
||||
dev_read_sysfs(postfix_$1_t)
|
||||
dev_read_rand(postfix_$1_t)
|
||||
dev_read_urand(postfix_$1_t)
|
||||
|
||||
fs_search_auto_mountpoints(postfix_$1_t)
|
||||
fs_getattr_xattr_fs(postfix_$1_t)
|
||||
|
||||
term_dontaudit_use_console(postfix_$1_t)
|
||||
|
||||
corecmd_list_bin(postfix_$1_t)
|
||||
corecmd_list_sbin(postfix_$1_t)
|
||||
corecmd_read_bin_symlink(postfix_$1_t)
|
||||
corecmd_read_sbin_symlink(postfix_$1_t)
|
||||
corecmd_exec_shell(postfix_$1_t)
|
||||
|
||||
files_read_etc_files(postfix_$1_t)
|
||||
files_read_etc_runtime_files(postfix_$1_t)
|
||||
files_search_spool(postfix_$1_t)
|
||||
files_getattr_tmp_dir(postfix_$1_t)
|
||||
|
||||
init_use_fd(postfix_$1_t)
|
||||
init_sigchld(postfix_$1_t)
|
||||
|
||||
libs_use_ld_so(postfix_$1_t)
|
||||
libs_use_shared_libs(postfix_$1_t)
|
||||
|
||||
logging_send_syslog_msg(postfix_$1_t)
|
||||
|
||||
miscfiles_read_localization(postfix_$1_t)
|
||||
miscfiles_read_certs(postfix_$1_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(postfix_$1_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(postfix_$1_t)
|
||||
term_dontaudit_use_generic_pty(postfix_$1_t)
|
||||
files_dontaudit_read_root_file(postfix_$1_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te',`
|
||||
udev_read_db(postfix_$1_t)
|
||||
')
|
||||
')
|
||||
|
||||
template(`postfix_server_domain_template',`
|
||||
postfix_domain_template($1)
|
||||
|
||||
allow postfix_$1_t self:capability { setuid setgid dac_override };
|
||||
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
allow postfix_$1_t self:tcp_socket create_socket_perms;
|
||||
allow postfix_$1_t self:udp_socket create_socket_perms;
|
||||
|
||||
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postfix_$1_t)
|
||||
corenet_udp_sendrecv_all_if(postfix_$1_t)
|
||||
corenet_raw_sendrecv_all_if(postfix_$1_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
|
||||
corenet_udp_sendrecv_all_nodes(postfix_$1_t)
|
||||
corenet_raw_sendrecv_all_nodes(postfix_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(postfix_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(postfix_$1_t)
|
||||
corenet_tcp_bind_all_nodes(postfix_$1_t)
|
||||
corenet_udp_bind_all_nodes(postfix_$1_t)
|
||||
corenet_tcp_connect_all_ports(postfix_$1_t)
|
||||
|
||||
sysnet_read_config(postfix_$1_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(postfix_$1_t)
|
||||
')
|
||||
')
|
||||
|
||||
template(`postfix_user_domain_template',`
|
||||
postfix_domain_template($1)
|
||||
|
||||
allow postfix_$1_t self:capability dac_override;
|
||||
|
||||
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
|
||||
|
||||
# this is replaced by run interfaces
|
||||
role sysadm_r types postfix_$1_t;
|
||||
allow postfix_$1_t userdomain:process sigchld;
|
||||
allow postfix_$1_t userdomain:fifo_file { write getattr };
|
||||
allow postfix_$1_t { userdomain privfd }:fd use;
|
||||
|
||||
')
|
||||
|
||||
template(`postfix_public_domain_template',`
|
||||
postfix_server_domain_template($1)
|
||||
|
||||
allow postfix_$1_t postfix_public_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read postfix configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_read_config',`
|
||||
gen_require(`
|
||||
type postfix_etc_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_etc_t:dir { getattr read search };
|
||||
allow $1 postfix_etc_t:file { read getattr };
|
||||
allow $1 postfix_etc_t:lnk_file { getattr read };
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postfix program in the
|
||||
## postfix_master domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_domtrans_master',`
|
||||
gen_require(`
|
||||
type postfix_master_t, postfix_master_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,postfix_master_exec_t,postfix_master_t)
|
||||
|
||||
allow $1 postfix_master_t:fd use;
|
||||
allow postfix_master_t $1:fd use;
|
||||
allow postfix_master_t $1:fifo_file rw_file_perms;
|
||||
allow postfix_master_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search postfix mail spool directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_search_spool',`
|
||||
gen_require(`
|
||||
type postfix_spool_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_spool_t:dir search_dir_perms;
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List postfix mail spool directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_list_spool',`
|
||||
gen_require(`
|
||||
type postfix_spool_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_spool_t:dir list_dir_perms;
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
|
@ -0,0 +1,569 @@
|
|||
|
||||
policy_module(postfix,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
postfix_public_domain_template(bounce)
|
||||
|
||||
type postfix_spool_bounce_t;
|
||||
files_type(postfix_spool_bounce_t)
|
||||
|
||||
postfix_public_domain_template(cleanup)
|
||||
|
||||
type postfix_etc_t;
|
||||
files_type(postfix_etc_t)
|
||||
|
||||
type postfix_exec_t;
|
||||
files_type(postfix_exec_t)
|
||||
|
||||
postfix_server_domain_template(local)
|
||||
mta_mailserver_delivery(postfix_local_t)
|
||||
|
||||
type postfix_local_tmp_t;
|
||||
files_tmp_file(postfix_local_tmp_t)
|
||||
|
||||
# Program for creating database files
|
||||
type postfix_map_t;
|
||||
type postfix_map_exec_t;
|
||||
domain_type(postfix_map_t)
|
||||
domain_entry_file(postfix_map_t,postfix_map_exec_t)
|
||||
|
||||
type postfix_map_tmp_t;
|
||||
files_tmp_file(postfix_map_tmp_t)
|
||||
|
||||
postfix_domain_template(master)
|
||||
mta_mailserver(postfix_master_t,postfix_master_exec_t)
|
||||
|
||||
postfix_public_domain_template(pickup)
|
||||
|
||||
postfix_public_domain_template(pipe)
|
||||
|
||||
postfix_user_domain_template(postdrop)
|
||||
mta_mailserver_user_agent(postfix_postdrop_t)
|
||||
|
||||
postfix_user_domain_template(postqueue)
|
||||
|
||||
type postfix_private_t;
|
||||
files_type(postfix_private_t)
|
||||
|
||||
type postfix_prng_t;
|
||||
files_type(postfix_prng_t)
|
||||
|
||||
postfix_public_domain_template(qmgr)
|
||||
|
||||
postfix_user_domain_template(showq)
|
||||
|
||||
postfix_server_domain_template(smtp)
|
||||
mta_mailserver_sender(postfix_smtp_t)
|
||||
|
||||
postfix_server_domain_template(smtpd)
|
||||
|
||||
type postfix_spool_t;
|
||||
files_type(postfix_spool_t)
|
||||
|
||||
type postfix_spool_maildrop_t;
|
||||
files_type(postfix_spool_maildrop_t)
|
||||
|
||||
type postfix_spool_flush_t;
|
||||
files_type(postfix_spool_flush_t)
|
||||
|
||||
type postfix_public_t;
|
||||
files_type(postfix_public_t)
|
||||
|
||||
type postfix_var_run_t;
|
||||
files_pid_file(postfix_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix master process local policy
|
||||
#
|
||||
|
||||
# chown is to set the correct ownership of queue dirs
|
||||
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
|
||||
allow postfix_master_t self:fifo_file rw_file_perms;
|
||||
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_master_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(postfix_master_t,postfix_exec_t)
|
||||
|
||||
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
|
||||
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
|
||||
|
||||
allow postfix_master_t postfix_private_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
|
||||
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_prng_t:file rw_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
|
||||
allow postfix_master_t postfix_public_t:sock_file create_file_perms;
|
||||
allow postfix_master_t postfix_public_t:dir rw_dir_perms;
|
||||
|
||||
# allow access to deferred queue and allow removing bogus incoming entries
|
||||
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
|
||||
allow postfix_master_t postfix_spool_t:file create_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
|
||||
allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
|
||||
allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
|
||||
|
||||
kernel_read_all_sysctl(postfix_master_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postfix_master_t)
|
||||
corenet_udp_sendrecv_all_if(postfix_master_t)
|
||||
corenet_raw_sendrecv_all_if(postfix_master_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
|
||||
corenet_udp_sendrecv_all_nodes(postfix_master_t)
|
||||
corenet_raw_sendrecv_all_nodes(postfix_master_t)
|
||||
corenet_tcp_sendrecv_all_ports(postfix_master_t)
|
||||
corenet_udp_sendrecv_all_ports(postfix_master_t)
|
||||
corenet_tcp_bind_all_nodes(postfix_master_t)
|
||||
corenet_udp_bind_all_nodes(postfix_master_t)
|
||||
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
|
||||
corenet_tcp_bind_smtp_port(postfix_master_t)
|
||||
corenet_tcp_connect_all_ports(postfix_master_t)
|
||||
|
||||
# for a find command
|
||||
selinux_dontaudit_search_fs(postfix_master_t)
|
||||
|
||||
corecmd_exec_ls(postfix_master_t)
|
||||
corecmd_exec_sbin(postfix_master_t)
|
||||
corecmd_exec_shell(postfix_master_t)
|
||||
corecmd_exec_bin(postfix_master_t)
|
||||
|
||||
domain_use_wide_inherit_fd(postfix_master_t)
|
||||
|
||||
files_read_usr_files(postfix_master_t)
|
||||
|
||||
init_use_script_pty(postfix_master_t)
|
||||
|
||||
miscfiles_dontaudit_search_man_pages(postfix_master_t)
|
||||
|
||||
seutil_sigchld_newrole(postfix_master_t)
|
||||
# postfix does a "find" on startup for some reason - keep it quiet
|
||||
seutil_dontaudit_search_config(postfix_master_t)
|
||||
|
||||
sysnet_read_config(postfix_master_t)
|
||||
|
||||
mta_rw_aliases(postfix_master_t)
|
||||
mta_read_sendmail_bin(postfix_master_t)
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(postfix_master_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(postfix_master_t)
|
||||
')
|
||||
|
||||
###########################################################
|
||||
#
|
||||
# Partially converted rules. THESE ARE ONLY TEMPORARY
|
||||
#
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# for newer main.cf that uses /etc/aliases
|
||||
allow postfix_master_t etc_t:dir rw_dir_perms;
|
||||
allow postfix_master_t etc_aliases_t:dir create_dir_perms;
|
||||
allow postfix_master_t etc_aliases_t:file create_file_perms;
|
||||
allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
|
||||
type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
|
||||
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
|
||||
allow postfix_master_t etc_aliases_t:dir create_dir_perms;
|
||||
allow postfix_master_t etc_aliases_t:file create_file_perms;
|
||||
allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
|
||||
type_transition postfix_master_t postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
')
|
||||
|
||||
# postfix needs this for newaliases
|
||||
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
|
||||
|
||||
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
|
||||
|
||||
allow sysadm_mail_t etc_aliases_t:dir create_dir_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:file create_file_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# compatability for old default main.cf
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms;
|
||||
|
||||
allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms;
|
||||
type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms;
|
||||
|
||||
allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms;
|
||||
type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
')
|
||||
|
||||
# end partially converted rules
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix bounce local policy
|
||||
#
|
||||
|
||||
allow postfix_bounce_t self:capability dac_read_search;
|
||||
allow postfix_bounce_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow postfix_bounce_t postfix_public_t:sock_file write;
|
||||
|
||||
allow postfix_bounce_t postfix_spool_t:dir create_dir_perms;
|
||||
allow postfix_bounce_t postfix_spool_t:file create_file_perms;
|
||||
allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms;
|
||||
allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms;
|
||||
allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix cleanup local policy
|
||||
#
|
||||
|
||||
allow postfix_cleanup_t self:process setrlimit;
|
||||
|
||||
# connect to master process
|
||||
allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
|
||||
allow postfix_cleanup_t postfix_private_t:dir search;
|
||||
allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
|
||||
|
||||
allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
|
||||
allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
|
||||
|
||||
allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms;
|
||||
allow postfix_cleanup_t postfix_spool_t:file create_file_perms;
|
||||
allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix local local policy
|
||||
#
|
||||
|
||||
allow postfix_local_t self:fifo_file rw_file_perms;
|
||||
allow postfix_local_t self:process { setsched setrlimit };
|
||||
|
||||
allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
|
||||
allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(postfix_local_t, postfix_local_tmp_t, { file dir })
|
||||
|
||||
# connect to master process
|
||||
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
|
||||
allow postfix_local_t postfix_public_t:dir search;
|
||||
allow postfix_local_t postfix_public_t:sock_file write;
|
||||
|
||||
# for .forward - maybe we need a new type for it?
|
||||
allow postfix_local_t postfix_private_t:dir search;
|
||||
allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
|
||||
|
||||
allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
corecmd_exec_shell(postfix_local_t)
|
||||
corecmd_exec_bin(postfix_local_t)
|
||||
|
||||
mta_read_aliases(postfix_local_t)
|
||||
mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_local_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te', `
|
||||
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
|
||||
# for a bug in the postfix local program
|
||||
dontaudit procmail_t postfix_local_t:tcp_socket { read write };
|
||||
dontaudit procmail_t postfix_master_t:fd use;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix map local policy
|
||||
#
|
||||
|
||||
allow postfix_map_t self:capability setgid;
|
||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow postfix_map_t postfix_etc_t:dir create_dir_perms;
|
||||
allow postfix_map_t postfix_etc_t:file create_file_perms;
|
||||
allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
|
||||
allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(postfix_map_t, postfix_map_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(postfix_map_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postfix_map_t)
|
||||
corenet_udp_sendrecv_all_if(postfix_map_t)
|
||||
corenet_raw_sendrecv_all_if(postfix_map_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
|
||||
corenet_udp_sendrecv_all_nodes(postfix_map_t)
|
||||
corenet_raw_sendrecv_all_nodes(postfix_map_t)
|
||||
corenet_tcp_bind_all_nodes(postfix_map_t)
|
||||
corenet_udp_bind_all_nodes(postfix_map_t)
|
||||
corenet_tcp_sendrecv_all_ports(postfix_map_t)
|
||||
corenet_udp_sendrecv_all_ports(postfix_map_t)
|
||||
corenet_tcp_connect_all_ports(postfix_map_t)
|
||||
|
||||
corecmd_list_bin(postfix_map_t)
|
||||
corecmd_read_bin_symlink(postfix_map_t)
|
||||
corecmd_read_bin_file(postfix_map_t)
|
||||
corecmd_read_bin_pipe(postfix_map_t)
|
||||
corecmd_read_bin_socket(postfix_map_t)
|
||||
corecmd_list_sbin(postfix_map_t)
|
||||
corecmd_read_sbin_symlink(postfix_map_t)
|
||||
corecmd_read_sbin_file(postfix_map_t)
|
||||
corecmd_read_sbin_pipe(postfix_map_t)
|
||||
corecmd_read_sbin_socket(postfix_map_t)
|
||||
|
||||
files_list_home(postfix_map_t)
|
||||
files_read_usr_files(postfix_map_t)
|
||||
files_read_etc_files(postfix_map_t)
|
||||
files_read_etc_runtime_files(postfix_map_t)
|
||||
files_dontaudit_search_var(postfix_map_t)
|
||||
|
||||
libs_use_ld_so(postfix_map_t)
|
||||
libs_use_shared_libs(postfix_map_t)
|
||||
|
||||
miscfiles_read_localization(postfix_map_t)
|
||||
|
||||
seutil_read_config(postfix_map_t)
|
||||
|
||||
sysnet_read_config(postfix_map_t)
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(postfix_map_t)
|
||||
files_read_default_files(postfix_map_t)
|
||||
files_read_default_symlinks(postfix_map_t)
|
||||
files_read_default_sockets(postfix_map_t)
|
||||
files_read_default_pipes(postfix_map_t)
|
||||
')
|
||||
|
||||
optional_policy(`locallogin.te',`
|
||||
locallogin_dontaudit_use_fd(postfix_map_t)
|
||||
')
|
||||
|
||||
# a "run" interface needs to be
|
||||
# added, and have sysadm_t use it
|
||||
# in a optional_policy block.
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix pickup local policy
|
||||
#
|
||||
|
||||
allow postfix_pickup_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
|
||||
|
||||
allow postfix_pickup_t postfix_private_t:dir search;
|
||||
allow postfix_pickup_t postfix_private_t:sock_file write;
|
||||
|
||||
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
|
||||
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
|
||||
|
||||
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
|
||||
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix pipe local policy
|
||||
#
|
||||
|
||||
allow postfix_pipe_t self:fifo_file { read write };
|
||||
|
||||
allow postfix_pipe_t postfix_private_t:dir search;
|
||||
allow postfix_pipe_t postfix_private_t:sock_file write;
|
||||
|
||||
allow postfix_pipe_t postfix_spool_t:dir search;
|
||||
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te', `
|
||||
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix postdrop local policy
|
||||
#
|
||||
|
||||
# usually it does not need a UDP socket
|
||||
allow postfix_postdrop_t self:capability sys_resource;
|
||||
allow postfix_postdrop_t self:tcp_socket create;
|
||||
allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow postfix_postdrop_t postfix_public_t:dir search;
|
||||
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
|
||||
|
||||
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
|
||||
|
||||
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
|
||||
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
|
||||
|
||||
sysnet_dontaudit_read_config(postfix_postdrop_t)
|
||||
|
||||
mta_rw_user_mail_stream_socket(postfix_postdrop_t)
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
cron_use_fd(postfix_postdrop_t)
|
||||
cron_rw_pipe(postfix_postdrop_t)
|
||||
cron_use_system_job_fd(postfix_postdrop_t)
|
||||
cron_rw_system_job_pipe(postfix_postdrop_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# Postfix postqueue local policy
|
||||
#
|
||||
|
||||
allow postfix_postqueue_t self:tcp_socket create;
|
||||
allow postfix_postqueue_t self:udp_socket { create ioctl };
|
||||
|
||||
# wants to write to /var/spool/postfix/public/showq
|
||||
allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
|
||||
allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
|
||||
|
||||
allow postfix_postqueue_t postfix_public_t:dir search;
|
||||
# write to /var/spool/postfix/public/qmgr
|
||||
allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
|
||||
|
||||
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
||||
|
||||
# to write the mailq output, it really should not need read access!
|
||||
term_use_all_user_ptys(postfix_showq_t)
|
||||
term_use_all_user_ttys(postfix_showq_t)
|
||||
|
||||
init_sigchld_script(postfix_postqueue_t)
|
||||
init_use_script_fd(postfix_postqueue_t)
|
||||
|
||||
sysnet_dontaudit_read_config(postfix_postqueue_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix qmgr local policy
|
||||
#
|
||||
|
||||
allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
|
||||
|
||||
allow postfix_qmgr_t postfix_private_t:dir search;
|
||||
allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
|
||||
|
||||
allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
|
||||
allow postfix_qmgr_t postfix_public_t:sock_file write;
|
||||
|
||||
# for /var/spool/postfix/active
|
||||
allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
|
||||
allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
|
||||
allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix showq local policy
|
||||
#
|
||||
|
||||
allow postfix_showq_t self:capability { setuid setgid };
|
||||
allow postfix_showq_t self:tcp_socket create_socket_perms;
|
||||
|
||||
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
||||
# the following auto_trans is usually in postfix server domain
|
||||
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
||||
|
||||
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
||||
|
||||
allow postfix_showq_t postfix_spool_t:file r_file_perms;
|
||||
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
||||
|
||||
term_use_all_user_ptys(postfix_showq_t)
|
||||
term_use_all_user_ttys(postfix_showq_t)
|
||||
|
||||
sysnet_dns_name_resolve(postfix_showq_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix smtp delivery local policy
|
||||
#
|
||||
|
||||
# connect to master process
|
||||
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
|
||||
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
|
||||
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
|
||||
|
||||
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
kernel_tcp_recvfrom(postfix_smtp_t)
|
||||
|
||||
# if you have two different mail servers on the same host let them talk via
|
||||
# SMTP, also if one mail server wants to talk to itself then allow it and let
|
||||
# the SMTP protocol sort it out (SE Linux is not to prevent mail server
|
||||
# misconfiguration)
|
||||
mta_tcp_connect_all_mailservers(postfix_smtp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix smtpd local policy
|
||||
#
|
||||
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
|
||||
|
||||
# connect to master process
|
||||
allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
|
||||
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
|
||||
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
|
||||
|
||||
# for prng_exch
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
|
||||
|
||||
# for OpenSSL certificates
|
||||
files_read_usr_files(postfix_smtpd_t)
|
||||
mta_read_aliases(postfix_smtpd_t)
|
||||
|
||||
optional_policy(`sasl.te',`
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
|
@ -176,6 +176,20 @@ ifdef(`targeted_policy', `
|
|||
term_dontaudit_use_unallocated_tty(pppd_t)
|
||||
term_dontaudit_use_generic_pty(pppd_t)
|
||||
files_dontaudit_read_root_file(pppd_t)
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
gen_require(`
|
||||
bool postfix_master_disable_transgre;
|
||||
')
|
||||
|
||||
if(!postfix_master_disable_trans) {
|
||||
postfix_domtrans_master(pppd_t)
|
||||
}
|
||||
')
|
||||
',`
|
||||
optional_policy(`postfix.te',`
|
||||
postfix_domtrans_master(pppd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`modutils.te',`
|
||||
|
|
|
|||
|
|
@ -117,6 +117,11 @@ optional_policy(`nscd.te',`
|
|||
nscd_use_socket(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
postfix_read_config(sendmail_t)
|
||||
postfix_search_spool(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(sendmail_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1905,6 +1905,22 @@ interface(`files_associate_tmp',`
|
|||
allow $1 tmp_t:filesystem associate;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_tmp_dir',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
|
|
|
|||
|
|
@ -538,6 +538,22 @@ interface(`init_get_script_process_group',`
|
|||
allow $1 initrc_t:process getpgid;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send SIGCHLD signals to init scripts.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_sigchld_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
allow $1 initrc_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write init script unnamed pipes.
|
||||
|
|
|
|||
|
|
@ -556,6 +556,10 @@ optional_policy(`postgresql.te',`
|
|||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
postfix_list_spool(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`quota.te',`
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -98,6 +98,22 @@ interface(`miscfiles_legacy_read_localization',`
|
|||
allow $1 locale_t:file execute;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search man pages.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_dontaudit_search_man_pages',`
|
||||
gen_require(`
|
||||
type man_t;
|
||||
')
|
||||
|
||||
dontaudit $1 man_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read man pages
|
||||
|
|
|
|||
|
|
@ -177,6 +177,22 @@ interface(`sysnet_read_config',`
|
|||
allow $1 net_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read network config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_dontaudit_read_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
')
|
||||
|
||||
dontaudit $1 net_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create files in /etc with the type used for
|
||||
|
|
|
|||
Loading…
Reference in New Issue