more postfix work
parent
2192d4baa1
commit
88dd389695
@ -114,6 +114,17 @@ template(`mta_per_userdomain_template',`
|
|||||||
userdom_use_user_terminals($1,$1_mail_t)
|
userdom_use_user_terminals($1,$1_mail_t)
|
||||||
# Write to the user domain tty. cjp: why?
|
# Write to the user domain tty. cjp: why?
|
||||||
userdom_use_user_terminals($1,mta_user_agent)
|
userdom_use_user_terminals($1,mta_user_agent)
|
||||||
|
# Create dead.letter in user home directories.
|
||||||
|
userdom_manage_user_home_subdir_files($1,$1_mail_t)
|
||||||
|
userdom_create_user_home($1,$1_mail_t,file)
|
||||||
|
# for reading .forward - maybe we need a new type for it?
|
||||||
|
# also for delivering mail to maildir
|
||||||
|
userdom_manage_user_home_subdirs($1,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_files($1,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_symlinks($1,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
|
||||||
|
userdom_create_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
fs_manage_cifs_files($1_mail_t)
|
fs_manage_cifs_files($1_mail_t)
|
||||||
@ -153,16 +164,10 @@ template(`mta_per_userdomain_template',`
|
|||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
# Create dead.letter in user home directories.
|
|
||||||
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
|
||||||
# if you do not want to allow dead.letter then use the following instead
|
# if you do not want to allow dead.letter then use the following instead
|
||||||
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
||||||
#allow $1_mail_t $1_home_t:file r_file_perms;
|
#allow $1_mail_t $1_home_t:file r_file_perms;
|
||||||
|
|
||||||
# for reading .forward - maybe we need a new type for it?
|
|
||||||
# also for delivering mail to maildir
|
|
||||||
file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t)
|
|
||||||
|
|
||||||
ifdef(`qmail.te', `
|
ifdef(`qmail.te', `
|
||||||
allow $1_mail_t qmail_etc_t:dir search;
|
allow $1_mail_t qmail_etc_t:dir search;
|
||||||
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
|
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||||
@ -254,10 +259,15 @@ interface(`mta_mailserver_sender',`
|
|||||||
interface(`mta_mailserver_delivery',`
|
interface(`mta_mailserver_delivery',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mailserver_delivery;
|
attribute mailserver_delivery;
|
||||||
|
type mail_spool_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $1 mailserver_delivery;
|
typeattribute $1 mailserver_delivery;
|
||||||
|
|
||||||
|
allow $1 mail_spool_t:dir ra_dir_perms;
|
||||||
|
allow $1 mail_spool_t:file { create ioctl read getattr lock append };
|
||||||
|
allow $1 mail_spool_t:lnk_file { create read getattr };
|
||||||
|
|
||||||
optional_policy(`dovecot.te',`
|
optional_policy(`dovecot.te',`
|
||||||
dovecot_manage_spool($1)
|
dovecot_manage_spool($1)
|
||||||
')
|
')
|
||||||
@ -301,11 +311,8 @@ interface(`mta_mailserver_user_agent',`
|
|||||||
#
|
#
|
||||||
interface(`mta_send_mail',`
|
interface(`mta_send_mail',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
attribute mta_user_agent;
|
||||||
type system_mail_t, sendmail_exec_t;
|
type system_mail_t, sendmail_exec_t;
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class process sigchld;
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sendmail_exec_t:lnk_file r_file_perms;
|
allow $1 sendmail_exec_t:lnk_file r_file_perms;
|
||||||
@ -316,11 +323,9 @@ interface(`mta_send_mail',`
|
|||||||
allow system_mail_t $1:fifo_file rw_file_perms;
|
allow system_mail_t $1:fifo_file rw_file_perms;
|
||||||
allow system_mail_t $1:process sigchld;
|
allow system_mail_t $1:process sigchld;
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
allow mta_user_agent $1:fd use;
|
allow mta_user_agent $1:fd use;
|
||||||
allow mta_user_agent $1:process sigchld;
|
allow mta_user_agent $1:process sigchld;
|
||||||
allow mta_user_agent $1:fifo_file { read write };
|
allow mta_user_agent $1:fifo_file { read write };
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
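Review bot: The calls added under `# for reading .forward` in the first hunk give every `mailserver_delivery` domain manage access to subdirectories, files, symlinks, pipes and sockets in each user's home, while the two comments above them only justify reading `.forward` and delivering to a maildir. The comment already asks whether `.forward` needs its own type; until that exists I would record the gap next to the rules, e.g. `# TODO: pipe/socket/symlink access looks broader than .forward or maildir delivery needs; narrow once .forward has its own type`. Whether any delivery agent really needs the pipe and socket classes cannot be told from this page, so treat that as a question to confirm. The same set of calls is repeated with the fixed `user` prefix in the `@ -107,6 +107,16 @@` hunk of the next file section, and the template body starts and ends outside this hunk.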
@ -28,7 +28,7 @@ files_type(mail_spool_t)
|
|||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
files_type(sendmail_exec_t)
|
files_type(sendmail_exec_t)
|
||||||
|
|
||||||
type system_mail_t;
|
type system_mail_t, user_mail_domain;
|
||||||
domain_type(system_mail_t)
|
domain_type(system_mail_t)
|
||||||
domain_entry_file(system_mail_t,sendmail_exec_t)
|
domain_entry_file(system_mail_t,sendmail_exec_t)
|
||||||
role system_r types system_mail_t;
|
role system_r types system_mail_t;
|
||||||
@ -107,6 +107,16 @@ ifdef(`targeted_policy',`
|
|||||||
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
||||||
allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
|
allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
|
||||||
|
|
||||||
|
# for reading .forward - maybe we need a new type for it?
|
||||||
|
# also for delivering mail to maildir
|
||||||
|
# cjp: fix this to generic_user interfaces
|
||||||
|
userdom_manage_user_home_subdirs(user,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_files(user,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_symlinks(user,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_pipes(user,mailserver_delivery)
|
||||||
|
userdom_manage_user_home_subdir_sockets(user,mailserver_delivery)
|
||||||
|
userdom_create_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
||||||
|
|
||||||
# cjp: another require-in-else to resolve
|
# cjp: another require-in-else to resolve
|
||||||
# optional_policy(`postfix.te',`',`
|
# optional_policy(`postfix.te',`',`
|
||||||
corecmd_exec_bin(system_mail_t)
|
corecmd_exec_bin(system_mail_t)
|
||||||
@ -201,9 +211,6 @@ ifdef(`targeted_policy',`
|
|||||||
r_dir_file(sysadm_mail_t, user_home_type)
|
r_dir_file(sysadm_mail_t, user_home_type)
|
||||||
')
|
')
|
||||||
|
|
||||||
allow system_mail_t privmail:fd use;
|
|
||||||
allow system_mail_t privmail:process sigchld;
|
|
||||||
allow system_mail_t privmail:fifo_file { read write };
|
|
||||||
|
|
||||||
optional_policy(`qmail.te',`
|
optional_policy(`qmail.te',`
|
||||||
allow system_mail_t qmail_etc_t:dir search;
|
allow system_mail_t qmail_etc_t:dir search;
|
||||||
|
@ -66,6 +66,7 @@ template(`postfix_domain_template',`
|
|||||||
|
|
||||||
files_read_etc_files(postfix_$1_t)
|
files_read_etc_files(postfix_$1_t)
|
||||||
files_read_etc_runtime_files(postfix_$1_t)
|
files_read_etc_runtime_files(postfix_$1_t)
|
||||||
|
files_read_usr_symlinks(postfix_$1_t)
|
||||||
files_search_spool(postfix_$1_t)
|
files_search_spool(postfix_$1_t)
|
||||||
files_getattr_tmp_dir(postfix_$1_t)
|
files_getattr_tmp_dir(postfix_$1_t)
|
||||||
|
|
||||||
@ -174,6 +175,52 @@ interface(`postfix_read_config',`
|
|||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute postfix_map in the postfix_map domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`postfix_domtrans_map',`
|
||||||
|
gen_require(`
|
||||||
|
type postfix_map_t, postfix_map_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)
|
||||||
|
|
||||||
|
allow $1 postfix_map_t:fd use;
|
||||||
|
allow postfix_map_t $1:fd use;
|
||||||
|
allow postfix_map_t $1:fifo_file rw_file_perms;
|
||||||
|
allow postfix_map_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute postfix_map in the postfix_map domain, and
|
||||||
|
## allow the specified role the postfix_map domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## The role to be allowed the postfix_map domain.
|
||||||
|
## </param>
|
||||||
|
## <param name="terminal">
|
||||||
|
## The type of the terminal allow the postfix_map domain to use.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`postfix_run_map',`
|
||||||
|
gen_require(`
|
||||||
|
type postfix_map_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
postfix_domtrans_map($1)
|
||||||
|
role $2 types postfix_map_t;
|
||||||
|
allow postfix_map_t $3:chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute the master postfix program in the
|
## Execute the master postfix program in the
|
||||||
|
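Review bot: The `terminal` parameter description on the new `postfix_run_map` interface is missing a word: `## The type of the terminal allow the postfix_map domain to use.` should read `## The type of the terminal to allow the postfix_map domain to use.`. The `domain` text on both new interfaces, `Domain allowed access.`, could also state that the domain is allowed to transition to `postfix_map_t`, since that is what `domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)` sets up.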
@ -480,6 +480,10 @@ allow postfix_showq_t postfix_postqueue_t:fd use;
|
|||||||
allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
|
allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
|
||||||
allow postfix_showq_t postfix_postqueue_t:process sigchld;
|
allow postfix_showq_t postfix_postqueue_t:process sigchld;
|
||||||
|
|
||||||
|
# to write the mailq output, it really should not need read access!
|
||||||
|
term_use_all_user_ptys(postfix_postqueue_t)
|
||||||
|
term_use_all_user_ttys(postfix_postqueue_t)
|
||||||
|
|
||||||
init_sigchld_script(postfix_postqueue_t)
|
init_sigchld_script(postfix_postqueue_t)
|
||||||
init_use_script_fd(postfix_postqueue_t)
|
init_use_script_fd(postfix_postqueue_t)
|
||||||
|
|
||||||
|
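Review bot: `term_use_all_user_ptys(postfix_postqueue_t)` and `term_use_all_user_ttys(postfix_postqueue_t)` give the postqueue domain access to every user terminal, and the comment above them already says read access should not be needed to write mailq output. If the terminal module in this tree offers a write-only variant, use it here; otherwise keep the gap visible with something like `# TODO: replace with write-only terminal access; read on all user ttys/ptys is broader than mailq output needs`. The interface definitions are not visible on this page, so the exact permission set they expand to should be confirmed.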
@ -198,6 +198,10 @@ optional_policy(`modutils.te',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`mta.te',`
|
||||||
|
mta_send_mail(pppd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(pppd_t)
|
nis_use_ypbind(pppd_t)
|
||||||
')
|
')
|
||||||
|
@ -1363,12 +1363,11 @@ interface(`files_create_boot_flag',`
|
|||||||
interface(`files_read_etc_runtime_files',`
|
interface(`files_read_etc_runtime_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type etc_t, etc_runtime_t;
|
type etc_t, etc_runtime_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 etc_t:dir r_dir_perms;
|
allow $1 etc_t:dir r_dir_perms;
|
||||||
allow $1 etc_runtime_t:file r_file_perms;
|
allow $1 etc_runtime_t:file r_file_perms;
|
||||||
|
allow $1 etc_runtime_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -537,6 +537,7 @@ optional_policy(`mailman.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mta.te',`
|
optional_policy(`mta.te',`
|
||||||
|
mta_send_mail(initrc_t)
|
||||||
mta_dontaudit_read_spool_symlink(initrc_t)
|
mta_dontaudit_read_spool_symlink(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -35,6 +35,10 @@ ifdef(`targeted_policy',`
|
|||||||
|
|
||||||
userdom_unconfined(unconfined_t)
|
userdom_unconfined(unconfined_t)
|
||||||
|
|
||||||
|
optional_policy(`postfix.te',`
|
||||||
|
postfix_domtrans_map(unconfined_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`samba.te',`
|
optional_policy(`samba.te',`
|
||||||
samba_domtrans_net(unconfined_t)
|
samba_domtrans_net(unconfined_t)
|
||||||
')
|
')
|
||||||
|
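Review bot: `postfix_domtrans_map(unconfined_t)` sets up the transition only, whereas the `postfix_run_map` interface added in the same commit also takes a role and a terminal type, and neither is supplied here. If `postfix_map_t` is not already authorised for the role unconfined processes run in, or has to write to the caller's terminal, those rules must come from somewhere not visible in this hunk. Worth confirming, and a short comment such as `# role and terminal access for postfix_map_t: see <location to fill in>` would save the next reader the search. The enclosing `ifdef(`targeted_policy'` block starts and ends outside the hunk.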
@ -1004,6 +1004,39 @@ template(`userdom_search_user_home',`
|
|||||||
allow $2 $1_home_dir_t:dir { getattr search };
|
allow $2 $1_home_dir_t:dir { getattr search };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete symbolic links
|
||||||
|
## in a user home subdirectory.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete symbolic links
|
||||||
|
## in a user home subdirectory.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_home_subdirs',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_home_dir_t, $1_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($2)
|
||||||
|
allow $2 $1_home_dir_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_home_t:dir manage_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read user home files.
|
## Read user home files.
|
||||||
|
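Review bot: The summary and description on the new `userdom_manage_user_home_subdirs` template say it manages symbolic links, but the rules grant directory access (`allow $2 $1_home_dir_t:dir rw_dir_perms;` and `allow $2 $1_home_t:dir manage_dir_perms;`). The text looks copied from a symlink interface; both the `<summary>` and the first `<desc>` paragraph should read along the lines of `## Create, read, write, and delete subdirectories` / `## in a user home directory.`. A caller picking an interface by its description would otherwise grant something other than what it expects.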