1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
563 lines
17 KiB
Plaintext
563 lines
17 KiB
Plaintext
|
|
policy_module(postfix,1.5.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute postfix_user_domains;
|
|
# domains that transition to the
|
|
# postfix user domains
|
|
attribute postfix_user_domtrans;
|
|
|
|
postfix_server_domain_template(bounce)
|
|
|
|
type postfix_spool_bounce_t;
|
|
files_type(postfix_spool_bounce_t)
|
|
|
|
postfix_server_domain_template(cleanup)
|
|
|
|
type postfix_etc_t;
|
|
files_type(postfix_etc_t)
|
|
|
|
type postfix_exec_t;
|
|
corecmd_executable_file(postfix_exec_t)
|
|
|
|
postfix_server_domain_template(local)
|
|
mta_mailserver_delivery(postfix_local_t)
|
|
|
|
type postfix_local_tmp_t;
|
|
files_tmp_file(postfix_local_tmp_t)
|
|
|
|
# Program for creating database files
|
|
type postfix_map_t;
|
|
type postfix_map_exec_t;
|
|
domain_type(postfix_map_t)
|
|
domain_entry_file(postfix_map_t,postfix_map_exec_t)
|
|
|
|
type postfix_map_tmp_t;
|
|
files_tmp_file(postfix_map_tmp_t)
|
|
|
|
postfix_domain_template(master)
|
|
typealias postfix_master_t alias postfix_t;
|
|
# alias is a hack to make the disable trans bool
|
|
# generation macro work
|
|
mta_mailserver(postfix_t,postfix_master_exec_t)
|
|
|
|
postfix_server_domain_template(pickup)
|
|
|
|
postfix_server_domain_template(pipe)
|
|
|
|
postfix_user_domain_template(postdrop)
|
|
mta_mailserver_user_agent(postfix_postdrop_t)
|
|
|
|
postfix_user_domain_template(postqueue)
|
|
|
|
type postfix_private_t;
|
|
files_type(postfix_private_t)
|
|
|
|
type postfix_prng_t;
|
|
files_type(postfix_prng_t)
|
|
|
|
postfix_server_domain_template(qmgr)
|
|
|
|
postfix_user_domain_template(showq)
|
|
|
|
postfix_server_domain_template(smtp)
|
|
mta_mailserver_sender(postfix_smtp_t)
|
|
|
|
postfix_server_domain_template(smtpd)
|
|
|
|
type postfix_spool_t;
|
|
files_type(postfix_spool_t)
|
|
|
|
type postfix_spool_maildrop_t;
|
|
files_type(postfix_spool_maildrop_t)
|
|
|
|
type postfix_spool_flush_t;
|
|
files_type(postfix_spool_flush_t)
|
|
|
|
type postfix_public_t;
|
|
files_type(postfix_public_t)
|
|
|
|
type postfix_var_run_t;
|
|
files_pid_file(postfix_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix master process local policy
|
|
#
|
|
|
|
# chown is to set the correct ownership of queue dirs
|
|
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
|
|
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
|
|
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
|
|
allow postfix_master_t self:udp_socket create_socket_perms;
|
|
|
|
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
|
|
|
can_exec(postfix_master_t,postfix_exec_t)
|
|
|
|
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
|
|
|
|
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
|
|
|
|
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
|
|
|
|
manage_fifo_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
|
|
manage_sock_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
|
|
|
|
domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
|
|
|
allow postfix_master_t postfix_prng_t:file rw_file_perms;
|
|
|
|
manage_fifo_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
|
|
manage_sock_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
|
|
|
|
domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
|
|
|
# allow access to deferred queue and allow removing bogus incoming entries
|
|
manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
|
|
manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
|
|
|
|
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
|
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
|
|
|
manage_dirs_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
|
|
manage_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
|
|
manage_lnk_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
|
|
|
|
delete_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
|
|
rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
|
|
|
|
kernel_read_all_sysctls(postfix_master_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(postfix_master_t)
|
|
corenet_all_recvfrom_netlabel(postfix_master_t)
|
|
corenet_tcp_sendrecv_all_if(postfix_master_t)
|
|
corenet_udp_sendrecv_all_if(postfix_master_t)
|
|
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
|
|
corenet_udp_sendrecv_all_nodes(postfix_master_t)
|
|
corenet_tcp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_udp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_tcp_bind_all_nodes(postfix_master_t)
|
|
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
|
|
corenet_tcp_bind_smtp_port(postfix_master_t)
|
|
corenet_tcp_connect_all_ports(postfix_master_t)
|
|
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
|
|
corenet_sendrecv_smtp_server_packets(postfix_master_t)
|
|
corenet_sendrecv_all_client_packets(postfix_master_t)
|
|
|
|
# for a find command
|
|
selinux_dontaudit_search_fs(postfix_master_t)
|
|
|
|
corecmd_exec_shell(postfix_master_t)
|
|
corecmd_exec_bin(postfix_master_t)
|
|
|
|
domain_use_interactive_fds(postfix_master_t)
|
|
|
|
files_read_usr_files(postfix_master_t)
|
|
|
|
miscfiles_read_man_pages(postfix_master_t)
|
|
|
|
seutil_sigchld_newrole(postfix_master_t)
|
|
# postfix does a "find" on startup for some reason - keep it quiet
|
|
seutil_dontaudit_search_config(postfix_master_t)
|
|
|
|
sysnet_read_config(postfix_master_t)
|
|
|
|
mta_rw_aliases(postfix_master_t)
|
|
mta_read_sendmail_bin(postfix_master_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(postfix_master_t)
|
|
term_dontaudit_use_generic_ptys(postfix_master_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cyrus_stream_connect(postfix_master_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# for postalias
|
|
mailman_manage_data_files(postfix_master_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(postfix_master_t)
|
|
')
|
|
|
|
###########################################################
|
|
#
|
|
# Partially converted rules. THESE ARE ONLY TEMPORARY
|
|
#
|
|
|
|
ifdef(`distro_redhat',`
|
|
# for newer main.cf that uses /etc/aliases
|
|
allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
|
|
allow postfix_master_t etc_aliases_t:file manage_file_perms;
|
|
allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
|
|
mta_etc_filetrans_aliases(postfix_master_t)
|
|
filetrans_pattern(postfix_master_t,postfix_etc_t,etc_aliases_t,{ dir file lnk_file })
|
|
')
|
|
|
|
# end partially converted rules
|
|
|
|
########################################
|
|
#
|
|
# Postfix bounce local policy
|
|
#
|
|
|
|
allow postfix_bounce_t self:capability dac_read_search;
|
|
allow postfix_bounce_t self:tcp_socket create_socket_perms;
|
|
|
|
allow postfix_bounce_t postfix_public_t:sock_file write;
|
|
allow postfix_bounce_t postfix_public_t:dir search;
|
|
|
|
manage_dirs_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
|
|
manage_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
|
|
manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
|
|
|
|
manage_dirs_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
|
|
manage_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
|
|
manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix cleanup local policy
|
|
#
|
|
|
|
allow postfix_cleanup_t self:process setrlimit;
|
|
|
|
# connect to master process
|
|
stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)
|
|
|
|
rw_fifo_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
|
|
write_sock_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
|
|
|
|
manage_dirs_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
|
|
manage_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
|
|
manage_lnk_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
|
|
|
|
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
|
|
|
|
corecmd_exec_bin(postfix_cleanup_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix local local policy
|
|
#
|
|
|
|
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
|
|
allow postfix_local_t self:process { setsched setrlimit };
|
|
|
|
manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
|
|
manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
|
|
files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
|
|
|
|
# connect to master process
|
|
stream_connect_pattern(postfix_local_t,postfix_public_t,postfix_public_t,postfix_master_t)
|
|
|
|
# for .forward - maybe we need a new type for it?
|
|
rw_sock_files_pattern(postfix_local_t,postfix_private_t,postfix_private_t)
|
|
|
|
allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
|
|
|
corecmd_exec_shell(postfix_local_t)
|
|
corecmd_exec_bin(postfix_local_t)
|
|
|
|
files_read_etc_files(postfix_local_t)
|
|
|
|
mta_read_aliases(postfix_local_t)
|
|
mta_delete_spool(postfix_local_t)
|
|
# For reading spamassasin
|
|
mta_read_config(postfix_local_t)
|
|
|
|
optional_policy(`
|
|
clamav_search_lib(postfix_local_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# for postalias
|
|
mailman_manage_data_files(postfix_local_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
procmail_domtrans(postfix_local_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Postfix map local policy
|
|
#
|
|
|
|
allow postfix_map_t self:capability setgid;
|
|
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
|
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
|
allow postfix_map_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
|
|
manage_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
|
|
manage_lnk_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
|
|
|
|
manage_dirs_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
|
|
manage_files_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
|
|
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
|
|
|
|
kernel_read_kernel_sysctls(postfix_map_t)
|
|
kernel_dontaudit_list_proc(postfix_map_t)
|
|
kernel_dontaudit_read_system_state(postfix_map_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(postfix_map_t)
|
|
corenet_all_recvfrom_netlabel(postfix_map_t)
|
|
corenet_tcp_sendrecv_all_if(postfix_map_t)
|
|
corenet_udp_sendrecv_all_if(postfix_map_t)
|
|
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
|
|
corenet_udp_sendrecv_all_nodes(postfix_map_t)
|
|
corenet_tcp_sendrecv_all_ports(postfix_map_t)
|
|
corenet_udp_sendrecv_all_ports(postfix_map_t)
|
|
corenet_tcp_connect_all_ports(postfix_map_t)
|
|
corenet_sendrecv_all_client_packets(postfix_map_t)
|
|
|
|
corecmd_list_bin(postfix_map_t)
|
|
corecmd_read_bin_symlinks(postfix_map_t)
|
|
corecmd_read_bin_files(postfix_map_t)
|
|
corecmd_read_bin_pipes(postfix_map_t)
|
|
corecmd_read_bin_sockets(postfix_map_t)
|
|
|
|
files_list_home(postfix_map_t)
|
|
files_read_usr_files(postfix_map_t)
|
|
files_read_etc_files(postfix_map_t)
|
|
files_read_etc_runtime_files(postfix_map_t)
|
|
files_dontaudit_search_var(postfix_map_t)
|
|
|
|
libs_use_ld_so(postfix_map_t)
|
|
libs_use_shared_libs(postfix_map_t)
|
|
|
|
logging_send_syslog_msg(postfix_map_t)
|
|
|
|
miscfiles_read_localization(postfix_map_t)
|
|
|
|
seutil_read_config(postfix_map_t)
|
|
|
|
sysnet_read_config(postfix_map_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(postfix_map_t)
|
|
term_dontaudit_use_generic_ptys(postfix_map_t)
|
|
')
|
|
|
|
tunable_policy(`read_default_t',`
|
|
files_list_default(postfix_map_t)
|
|
files_read_default_files(postfix_map_t)
|
|
files_read_default_symlinks(postfix_map_t)
|
|
files_read_default_sockets(postfix_map_t)
|
|
files_read_default_pipes(postfix_map_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
locallogin_dontaudit_use_fds(postfix_map_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(postfix_map_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Postfix pickup local policy
|
|
#
|
|
|
|
allow postfix_pickup_t self:tcp_socket create_socket_perms;
|
|
|
|
stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
|
|
|
|
rw_fifo_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
|
|
rw_sock_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
|
|
|
|
postfix_list_spool(postfix_pickup_t)
|
|
|
|
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
read_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
|
|
delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix pipe local policy
|
|
#
|
|
|
|
allow postfix_pipe_t self:fifo_file { read write };
|
|
|
|
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
|
|
|
|
write_fifo_files_pattern(postfix_pipe_t,postfix_public_t,postfix_public_t)
|
|
|
|
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
|
|
|
|
optional_policy(`
|
|
procmail_domtrans(postfix_pipe_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_domtrans_queue(postfix_pipe_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
uucp_domtrans_uux(postfix_pipe_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Postfix postdrop local policy
|
|
#
|
|
|
|
# usually it does not need a UDP socket
|
|
allow postfix_postdrop_t self:capability sys_resource;
|
|
allow postfix_postdrop_t self:tcp_socket create;
|
|
allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
|
|
|
rw_fifo_files_pattern(postfix_postdrop_t,postfix_public_t,postfix_public_t)
|
|
|
|
postfix_list_spool(postfix_postdrop_t)
|
|
manage_files_pattern(postfix_postdrop_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
|
|
|
|
corenet_udp_sendrecv_all_if(postfix_postdrop_t)
|
|
corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
|
|
|
|
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
|
|
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
|
|
|
|
sysnet_dns_name_resolve(postfix_postdrop_t)
|
|
|
|
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_use_unallocated_ttys(postfix_postdrop_t)
|
|
term_use_generic_ptys(postfix_postdrop_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ppp_use_fds(postfix_postqueue_t)
|
|
ppp_sigchld(postfix_postqueue_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# Postfix postqueue local policy
|
|
#
|
|
|
|
allow postfix_postqueue_t self:tcp_socket create;
|
|
allow postfix_postqueue_t self:udp_socket { create ioctl };
|
|
|
|
# wants to write to /var/spool/postfix/public/showq
|
|
stream_connect_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t,postfix_master_t)
|
|
|
|
# write to /var/spool/postfix/public/qmgr
|
|
write_fifo_files_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t)
|
|
|
|
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
|
|
|
# to write the mailq output, it really should not need read access!
|
|
term_use_all_user_ptys(postfix_postqueue_t)
|
|
term_use_all_user_ttys(postfix_postqueue_t)
|
|
|
|
init_sigchld_script(postfix_postqueue_t)
|
|
init_use_script_fds(postfix_postqueue_t)
|
|
|
|
sysnet_dontaudit_read_config(postfix_postqueue_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix qmgr local policy
|
|
#
|
|
|
|
stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
|
|
|
|
rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t)
|
|
|
|
# for /var/spool/postfix/active
|
|
manage_dirs_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
|
|
manage_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
|
|
manage_lnk_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
|
|
|
|
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
|
|
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
|
|
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
|
|
|
corecmd_exec_bin(postfix_qmgr_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix showq local policy
|
|
#
|
|
|
|
allow postfix_showq_t self:capability { setuid setgid };
|
|
allow postfix_showq_t self:tcp_socket create_socket_perms;
|
|
|
|
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
|
|
|
allow postfix_showq_t postfix_spool_t:file read_file_perms;
|
|
|
|
postfix_list_spool(postfix_showq_t)
|
|
|
|
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
|
|
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
|
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
|
|
|
# to write the mailq output, it really should not need read access!
|
|
term_use_all_user_ptys(postfix_showq_t)
|
|
term_use_all_user_ttys(postfix_showq_t)
|
|
|
|
sysnet_dns_name_resolve(postfix_showq_t)
|
|
|
|
########################################
|
|
#
|
|
# Postfix smtp delivery local policy
|
|
#
|
|
|
|
allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
# connect to master process
|
|
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
|
|
|
|
allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
|
|
|
|
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
|
|
|
optional_policy(`
|
|
cyrus_stream_connect(postfix_smtp_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Postfix smtpd local policy
|
|
#
|
|
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
|
|
|
|
# connect to master process
|
|
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
|
|
|
|
# for prng_exch
|
|
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
|
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
|
|
|
|
corecmd_exec_bin(postfix_smtpd_t)
|
|
|
|
# for OpenSSL certificates
|
|
files_read_usr_files(postfix_smtpd_t)
|
|
mta_read_aliases(postfix_smtpd_t)
|
|
|
|
optional_policy(`
|
|
postgrey_stream_connect(postfix_smtpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sasl_connect(postfix_smtpd_t)
|
|
')
|