## Postfix email server ######################################## ## ## Postfix stub interface. No access allowed. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_stub',` gen_require(` type postfix_master_t; ') ') ######################################## ## ## Creates types and rules for a basic ## postfix process domain. ## ## ## ## Prefix for the domain. ## ## # template(`postfix_domain_template',` type postfix_$1_t; type postfix_$1_exec_t; domain_type(postfix_$1_t) domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; dontaudit postfix_$1_t self:capability sys_tty_config; allow postfix_$1_t self:process { signal_perms setpgid }; allow postfix_$1_t self:unix_dgram_socket create_socket_perms; allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; allow postfix_$1_t self:unix_stream_socket connectto; allow postfix_master_t postfix_$1_t:process signal; #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 allow postfix_$1_t postfix_master_t:file read; allow postfix_$1_t postfix_etc_t:dir list_dir_perms; read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) can_exec(postfix_$1_t, postfix_$1_exec_t) allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock }; allow postfix_$1_t postfix_master_t:process sigchld; allow postfix_$1_t postfix_spool_t:dir list_dir_perms; allow postfix_$1_t postfix_var_run_t:file manage_file_perms; files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) kernel_read_system_state(postfix_$1_t) kernel_read_network_state(postfix_$1_t) kernel_read_all_sysctls(postfix_$1_t) dev_read_sysfs(postfix_$1_t) dev_read_rand(postfix_$1_t) dev_read_urand(postfix_$1_t) fs_search_auto_mountpoints(postfix_$1_t) fs_getattr_xattr_fs(postfix_$1_t) fs_rw_anon_inodefs_files(postfix_$1_t) term_dontaudit_use_console(postfix_$1_t) corecmd_exec_shell(postfix_$1_t) files_read_etc_files(postfix_$1_t) files_read_etc_runtime_files(postfix_$1_t) files_read_usr_files(postfix_$1_t) files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) files_search_all_mountpoints(postfix_$1_t) init_dontaudit_use_fds(postfix_$1_t) init_sigchld(postfix_$1_t) auth_use_nsswitch(postfix_$1_t) logging_send_syslog_msg(postfix_$1_t) miscfiles_read_localization(postfix_$1_t) miscfiles_read_generic_certs(postfix_$1_t) userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) optional_policy(` udev_read_db(postfix_$1_t) ') ') ######################################## ## ## Creates a postfix server process domain. ## ## ## ## Prefix of the domain. ## ## # template(`postfix_server_domain_template',` postfix_domain_template($1) type postfix_$1_tmp_t; files_tmp_file(postfix_$1_tmp_t) allow postfix_$1_t self:capability { setuid setgid dac_override }; allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) corenet_all_recvfrom_unlabeled(postfix_$1_t) corenet_all_recvfrom_netlabel(postfix_$1_t) corenet_tcp_sendrecv_generic_if(postfix_$1_t) corenet_udp_sendrecv_generic_if(postfix_$1_t) corenet_tcp_sendrecv_generic_node(postfix_$1_t) corenet_udp_sendrecv_generic_node(postfix_$1_t) corenet_tcp_sendrecv_all_ports(postfix_$1_t) corenet_udp_sendrecv_all_ports(postfix_$1_t) corenet_tcp_bind_generic_node(postfix_$1_t) corenet_udp_bind_generic_node(postfix_$1_t) corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) ') ######################################## ## ## Creates a process domain for programs ## that are ran by users. ## ## ## ## Prefix of the domain. ## ## # template(`postfix_user_domain_template',` gen_require(` attribute postfix_user_domains, postfix_user_domtrans; ') postfix_domain_template($1) typeattribute postfix_$1_t postfix_user_domains; allow postfix_$1_t self:capability dac_override; domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) domain_use_interactive_fds(postfix_$1_t) ') ######################################## ## ## Read postfix configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`postfix_read_config',` gen_require(` type postfix_etc_t; ') read_files_pattern($1, postfix_etc_t, postfix_etc_t) read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) files_search_etc($1) ') ######################################## ## ## Create files with the specified type in ## the postfix configuration directories. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## # interface(`postfix_config_filetrans',` gen_require(` type postfix_etc_t; ') files_search_etc($1) filetrans_pattern($1, postfix_etc_t, $2, $3) ') ######################################## ## ## Do not audit attempts to read and ## write postfix local delivery ## TCP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`postfix_dontaudit_rw_local_tcp_sockets',` gen_require(` type postfix_local_t; ') dontaudit $1 postfix_local_t:tcp_socket { read write }; ') ######################################## ## ## Allow read/write postfix local pipes ## TCP sockets. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_rw_local_pipes',` gen_require(` type postfix_local_t; ') allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Allow domain to read postfix local process state ## ## ## ## Domain allowed access. ## ## # interface(`postfix_read_local_state',` gen_require(` type postfix_local_t; ') kernel_search_proc($1) ps_process_pattern($1, postfix_local_t) ') ######################################## ## ## Allow domain to read postfix master process state ## ## ## ## Domain allowed access. ## ## # interface(`postfix_read_master_state',` gen_require(` type postfix_master_t; ') kernel_search_proc($1) ps_process_pattern($1, postfix_master_t) ') ######################################## ## ## Do not audit attempts to use ## postfix master process file ## file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`postfix_dontaudit_use_fds',` gen_require(` type postfix_master_t; ') dontaudit $1 postfix_master_t:fd use; ') ######################################## ## ## Execute postfix_map in the postfix_map domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`postfix_domtrans_map',` gen_require(` type postfix_map_t, postfix_map_exec_t; ') domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) ') ######################################## ## ## Execute postfix_map in the postfix_map domain, and ## allow the specified role the postfix_map domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`postfix_run_map',` gen_require(` type postfix_map_t; ') postfix_domtrans_map($1) role $2 types postfix_map_t; ') ######################################## ## ## Execute the master postfix program in the ## postfix_master domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`postfix_domtrans_master',` gen_require(` type postfix_master_t, postfix_master_exec_t; ') domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') ######################################## ## ## Execute the master postfix in the postfix master domain. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_initrc_domtrans', ` gen_require(` type postfix_initrc_exec_t; ') init_labeled_script_domtrans($1, postfix_initrc_exec_t) ') ######################################## ## ## Execute the master postfix program in the ## caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_exec_master',` gen_require(` type postfix_master_exec_t; ') can_exec($1, postfix_master_exec_t) ') ####################################### ## ## Connect to postfix master process using a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## ## # interface(`postfix_stream_connect_master',` gen_require(` type postfix_master_t, postfix_public_t; ') stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) ') ######################################## ## ## Execute the master postdrop in the ## postfix_postdrop domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`postfix_domtrans_postdrop',` gen_require(` type postfix_postdrop_t, postfix_postdrop_exec_t; ') domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) ') ######################################## ## ## Execute the master postqueue in the ## postfix_postqueue domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`postfix_domtrans_postqueue',` gen_require(` type postfix_postqueue_t, postfix_postqueue_exec_t; ') domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) ') ####################################### ## ## Execute the master postqueue in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`posftix_exec_postqueue',` gen_require(` type postfix_postqueue_exec_t; ') can_exec($1, postfix_postqueue_exec_t) ') ######################################## ## ## Create a named socket in a postfix private directory. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_create_private_sockets',` gen_require(` type postfix_private_t; ') allow $1 postfix_private_t:dir list_dir_perms; create_sock_files_pattern($1, postfix_private_t, postfix_private_t) ') ######################################## ## ## manage named socket in a postfix private directory. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_manage_private_sockets',` gen_require(` type postfix_private_t; ') allow $1 postfix_private_t:dir list_dir_perms; manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) ') ######################################## ## ## Execute the master postfix program in the ## postfix_master domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`postfix_domtrans_smtp',` gen_require(` type postfix_smtp_t, postfix_smtp_exec_t; ') domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) ') ######################################## ## ## Getattr postfix mail spool files. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_getattr_spool_files',` gen_require(` attribute postfix_spool_type; ') files_search_spool($1) getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## ## ## Search postfix mail spool directories. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_search_spool',` gen_require(` attribute postfix_spool_type; ') allow $1 postfix_spool_type:dir search_dir_perms; files_search_spool($1) ') ######################################## ## ## List postfix mail spool directories. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_list_spool',` gen_require(` attribute postfix_spool_type; ') allow $1 postfix_spool_type:dir list_dir_perms; files_search_spool($1) ') ######################################## ## ## Read postfix mail spool files. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_read_spool_files',` gen_require(` attribute postfix_spool_type; ') files_search_spool($1) read_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## ## ## Create, read, write, and delete postfix mail spool files. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_manage_spool_files',` gen_require(` attribute postfix_spool_type; ') files_search_spool($1) manage_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## ## ## Execute postfix user mail programs ## in their respective domains. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_domtrans_user_mail_handler',` gen_require(` attribute postfix_user_domtrans; ') typeattribute $1 postfix_user_domtrans; ') ######################################## ## ## All of the rules required to administrate ## an postfix environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## # interface(`postfix_admin', ` gen_require(` type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; type postfix_smtpd_t; attribute postfix_spool_type; type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; type postfix_var_run_t; type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; ') allow $1 postfix_bounce_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_bounce_t) allow $1 postfix_cleanup_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_cleanup_t) allow $1 postfix_local_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_local_t) allow $1 postfix_master_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_master_t) allow $1 postfix_pickup_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_pickup_t) allow $1 postfix_qmgr_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_qmgr_t) allow $1 postfix_smtpd_t:process { ptrace signal_perms }; ps_process_pattern($1, postfix_smtpd_t) postfix_run_map($1,$2) postfix_run_postdrop($1,$2) postfix_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 postfix_initrc_exec_t system_r; allow $2 system_r; admin_pattern($1, postfix_data_t) files_list_etc($1) admin_pattern($1, postfix_etc_t) files_search_spool($1) admin_pattern($1,postfix_spool_type) admin_pattern($1, postfix_var_run_t) files_search_tmp($1) admin_pattern($1, postfix_map_tmp_t) admin_pattern($1, postfix_prng_t) admin_pattern($1, postfix_public_t) ') ######################################## ## ## Execute the master postdrop in the ## postfix_postdrop domain. ## ## ## ## Domain allowed access. ## ## # interface(`postfix_run_postdrop',` gen_require(` type postfix_postdrop_t; ') postfix_domtrans_postdrop($1) role $2 types postfix_postdrop_t; ')