The process and capability IPC goes on top of local policy.

The process and capability IPC goes on top of local policy.

policy/modules/services/postfix.te

@@ -107,10 +107,10 @@ mta_mailserver_delivery(postfix_virtual_t)
 
 # chown is to set the correct ownership of queue dirs
 allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:process setrlimit;
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t self:process setrlimit;
 
 allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -284,8 +284,8 @@ optional_policy(`
 # Postfix local local policy
 #
 
-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 allow postfix_local_t self:process { setsched setrlimit };
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 
 # connect to master process
 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
@@ -424,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
 # Postfix pipe local policy
 #
 
-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
 allow postfix_pipe_t self:process setrlimit;
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
 
@@ -656,8 +656,8 @@ optional_policy(`
 # Postfix virtual local policy
 #
 
-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
 allow postfix_virtual_t self:process { setsched setrlimit };
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
 
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
 

policy/modules/services/postfixpolicyd.te

@@ -23,9 +23,9 @@ files_pid_file(postfix_policyd_var_run_t)
 # Local Policy
 #
 
-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
 allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
 allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
 allow postfix_policyd_t self:unix_dgram_socket { connect create write};
 
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;

policy/modules/services/qmail.te

@@ -72,8 +72,8 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
 #   this component preprocesses mail from stdin and invokes qmail-queue
 #
 
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 
 allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
 
@@ -91,8 +91,8 @@ qmail_read_config(qmail_inject_t)
 #   this component delivers a mail message
 #
 
-allow qmail_local_t self:fifo_file write_file_perms;
 allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:fifo_file write_file_perms;
 allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@@ -160,9 +160,9 @@ files_search_tmp(qmail_lspawn_t)
 allow qmail_queue_t qmail_lspawn_t:fd use;
 allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
 
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
 allow qmail_queue_t qmail_smtpd_t:fd use;
 allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
 
 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -288,8 +288,8 @@ miscfiles_read_localization(qmail_splogger_t)
 
 allow qmail_start_t self:capability { setgid setuid };
 dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 
 can_exec(qmail_start_t, qmail_start_exec_t)