From 4605adcba7a42c8be2de7cf8d817533d8164b711 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 7 Nov 2007 20:17:44 +0000
Subject: [PATCH] trunk: add postfixpolicyd from Jan-Frode Myklebust.
---
 Changelog | 1 +
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/services/postfix.te | 3 ++
 policy/modules/services/postfixpolicyd.fc | 5 +++
 policy/modules/services/postfixpolicyd.if | 1 +
 policy/modules/services/postfixpolicyd.te | 54 +++++++++++++++++++++++
 6 files changed, 65 insertions(+)
 create mode 100644 policy/modules/services/postfixpolicyd.fc
 create mode 100644 policy/modules/services/postfixpolicyd.if
 create mode 100644 policy/modules/services/postfixpolicyd.te
diff --git a/Changelog b/Changelog
index 3638a633..0945a24d 100644
--- a/Changelog
+++ b/Changelog
@@ -12,6 +12,7 @@ of confined and unconfined users.
 - Added modules:
 exim (Dan Walsh)
+ postfixpolicyd (Jan-Frode Myklebust)
 * Fri Sep 28 2007 Chris PeBenito - 20070928
 - Add support for setting the unknown permissions handling.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 349ae6e8..a4eed846 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -132,6 +132,7 @@ network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
+network_port(postfix_policyd, tcp,10031,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index d947ce83..a996b85a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
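Review bot: The new `network_port(postfix_policyd, tcp,10031,s0)` line breaks the alphabetical order the surrounding declarations keep (pegasus_https, pop, portmap, postgresql); it belongs between `network_port(portmap, udp,111,s0, tcp,111,s0)` and `network_port(postgresql, tcp,5432,s0)`. Keeping this table sorted is what makes a duplicate or conflicting port declaration easy to spot in review, which matters since the generated `corenet_tcp_bind_postfix_policyd_port` / `corenet_tcp_connect_postfix_policyd_port` interfaces used by the other files in this commit presumably derive from this one line.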
@@ -547,6 +547,9 @@ allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
 # connect to master process
 stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
 allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc
new file mode 100644
index 00000000..945acea5
--- /dev/null
+++ b/policy/modules/services/postfixpolicyd.fc
@@ -0,0 +1,5 @@
+/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+
+/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+
+/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
new file mode 100644
index 00000000..bafa81c0
--- /dev/null
+++ b/policy/modules/services/postfixpolicyd.if
@@ -0,0 +1 @@
+## Postfix policy server
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
new file mode 100644
index 00000000..b9d86653
--- /dev/null
+++ b/policy/modules/services/postfixpolicyd.te
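Review bot: `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` grants every smtpd instance a name_connect to the policy port unconditionally, although the policy server is an optional module that most installations will not run. Since the corenetwork interfaces cannot be wrapped in `optional_policy`, the least-privilege form is a `tunable_policy` boolean (constructed example: `postfix_smtpd_use_policyd`) so the rule is only active where a policy server is actually configured. The postfix_smtpd_t local-policy section this hunk belongs to starts and ends outside the hunk.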
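Review bot: `/etc/policyd.conf` leaves the dot unescaped while `/var/run/policyd\.pid` in the same file escapes it; .fc path fields are regular expressions, so the first pattern also matches names such as `/etc/policydXconf` and will label them with the config type. Change it to `/etc/policyd\.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)` for precision and consistency with the pid entry.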
@@ -0,0 +1,54 @@
+
+policy_module(postfixpolicyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type postfix_policyd_t;
+type postfix_policyd_exec_t;
+init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+
+type postfix_policyd_conf_t;
+files_config_file(postfix_policyd_conf_t)
+
+type postfix_policyd_var_run_t;
+files_pid_file(postfix_policyd_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+
+allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+
+manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+corenet_tcp_sendrecv_all_nodes(postfix_policyd_t)
+corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+corenet_tcp_bind_all_nodes(postfix_policyd_t)
+corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+
+files_read_etc_files(postfix_policyd_t)
+files_read_usr_files(postfix_policyd_t)
+
+libs_use_ld_so(postfix_policyd_t)
+libs_use_shared_libs(postfix_policyd_t)
+
+logging_send_syslog_msg(postfix_policyd_t)
+
+miscfiles_read_localization(postfix_policyd_t)
+
+sysnet_dns_name_resolve(postfix_policyd_t)
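Review bot: `corenet_tcp_bind_mysqld_port(postfix_policyd_t)` lets the daemon bind, i.e. listen on, the MySQL port, which a policy server acting as a database client does not need and which would let the domain squat on that port; the client side of a TCP connection is a name_connect, so the line should read `corenet_tcp_connect_mysqld_port(postfix_policyd_t)` (the tcp_socket `connect` permission itself is already covered by `create_stream_socket_perms` on the first allow rule). If the database is reached over a local Unix socket instead, an `optional_policy` block calling the mysql module's stream-connect interface is the matching rule, and the bind line can go entirely. The `self:unix_dgram_socket { connect create write}` rule looks redundant with `logging_send_syslog_msg`, which I believe already grants the dgram socket permissions needed for syslog — confirm against logging.if before dropping it.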