374 lines
16 KiB
Plaintext
374 lines
16 KiB
Plaintext
#DESC Postfix - Mail server
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: postfix
|
|
# Depends: mta.te
|
|
#
|
|
|
|
# Type for files created during execution of postfix.
|
|
type postfix_var_run_t, file_type, sysadmfile, pidfile;
|
|
|
|
type postfix_etc_t, file_type, sysadmfile;
|
|
type postfix_exec_t, file_type, sysadmfile, exec_type;
|
|
type postfix_public_t, file_type, sysadmfile;
|
|
type postfix_private_t, file_type, sysadmfile;
|
|
type postfix_spool_t, file_type, sysadmfile;
|
|
type postfix_spool_maildrop_t, file_type, sysadmfile;
|
|
type postfix_spool_flush_t, file_type, sysadmfile;
|
|
type postfix_prng_t, file_type, sysadmfile;
|
|
|
|
# postfix needs this for newaliases
|
|
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
|
|
|
|
#################################
|
|
#
|
|
# Rules for the postfix_$1_t domain.
|
|
#
|
|
# postfix_$1_exec_t is the type of the postfix_$1 executables.
|
|
#
|
|
define(`postfix_domain', `
|
|
daemon_core_rules(postfix_$1, `$2')
|
|
allow postfix_$1_t self:process setpgid;
|
|
allow postfix_$1_t postfix_master_t:process sigchld;
|
|
allow postfix_master_t postfix_$1_t:process signal;
|
|
|
|
allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
|
|
allow postfix_$1_t postfix_etc_t:file r_file_perms;
|
|
read_locale(postfix_$1_t)
|
|
allow postfix_$1_t etc_t:file { getattr read };
|
|
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
|
|
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow postfix_$1_t self:unix_stream_socket connectto;
|
|
|
|
allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
|
|
allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
|
|
allow postfix_$1_t shell_exec_t:file rx_file_perms;
|
|
allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
|
|
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
|
|
allow postfix_$1_t devtty_t:chr_file rw_file_perms;
|
|
allow postfix_$1_t etc_runtime_t:file r_file_perms;
|
|
allow postfix_$1_t proc_t:dir r_dir_perms;
|
|
allow postfix_$1_t proc_t:file r_file_perms;
|
|
allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
|
|
allow postfix_$1_t fs_t:filesystem getattr;
|
|
allow postfix_$1_t proc_net_t:dir search;
|
|
allow postfix_$1_t proc_net_t:file { getattr read };
|
|
can_exec(postfix_$1_t, postfix_$1_exec_t)
|
|
r_dir_file(postfix_$1_t, cert_t)
|
|
allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
|
|
|
|
allow postfix_$1_t tmp_t:dir getattr;
|
|
|
|
file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
|
|
|
|
read_sysctl(postfix_$1_t)
|
|
|
|
')dnl end postfix_domain
|
|
|
|
ifdef(`crond.te',
|
|
`allow system_mail_t crond_t:tcp_socket { read write create };')
|
|
|
|
postfix_domain(master, `, mail_server_domain')
|
|
rhgb_domain(postfix_master_t)
|
|
|
|
# for a find command
|
|
dontaudit postfix_master_t security_t:dir search;
|
|
|
|
read_sysctl(postfix_master_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
bool postfix_disable_trans false;
|
|
if (!postfix_disable_trans) {
|
|
')
|
|
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
|
|
allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
|
|
|
|
domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
|
|
allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
|
|
ifdef(`targeted_policy', `', `
|
|
role_transition sysadm_r postfix_master_exec_t system_r;
|
|
')
|
|
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
|
dontaudit postfix_master_t admin_tty_type:chr_file { read write };
|
|
allow postfix_master_t devpts_t:dir search;
|
|
|
|
domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
|
|
allow system_mail_t sysadm_t:process sigchld;
|
|
allow system_mail_t privfd:fd use;
|
|
|
|
ifdef(`pppd.te', `
|
|
domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy', `
|
|
}
|
|
')
|
|
|
|
allow postfix_master_t privfd:fd use;
|
|
ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
|
|
allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
|
|
|
|
# postfix does a "find" on startup for some reason - keep it quiet
|
|
dontaudit postfix_master_t selinux_config_t:dir search;
|
|
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
|
|
ifdef(`distro_redhat', `
|
|
# compatability for old default main.cf
|
|
file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
|
|
# for newer main.cf that uses /etc/aliases
|
|
file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
|
|
')
|
|
file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
|
|
allow postfix_master_t sendmail_exec_t:file r_file_perms;
|
|
allow postfix_master_t sbin_t:lnk_file { getattr read };
|
|
|
|
can_exec(postfix_master_t, { ls_exec_t sbin_t })
|
|
allow postfix_master_t self:fifo_file rw_file_perms;
|
|
allow postfix_master_t usr_t:file r_file_perms;
|
|
can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
|
|
# chown is to set the correct ownership of queue dirs
|
|
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
|
|
allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
|
|
allow postfix_master_t postfix_public_t:sock_file create_file_perms;
|
|
allow postfix_master_t postfix_public_t:dir rw_dir_perms;
|
|
allow postfix_master_t postfix_private_t:dir rw_dir_perms;
|
|
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
|
|
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
|
|
can_network(postfix_master_t)
|
|
allow postfix_master_t port_type:tcp_socket name_connect;
|
|
can_ypbind(postfix_master_t)
|
|
allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
|
|
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
|
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
|
|
allow postfix_master_t postfix_prng_t:file getattr;
|
|
allow postfix_master_t privfd:fd use;
|
|
allow postfix_master_t etc_aliases_t:file rw_file_perms;
|
|
allow postfix_master_t var_lib_t:dir search;
|
|
|
|
ifdef(`saslauthd.te',`
|
|
allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
|
|
allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
|
|
can_unix_connect(postfix_smtpd_t,saslauthd_t)
|
|
')
|
|
|
|
create_dir_file(postfix_master_t, postfix_spool_flush_t)
|
|
allow postfix_master_t postfix_prng_t:file rw_file_perms;
|
|
# for ls to get the current context
|
|
allow postfix_master_t self:file { getattr read };
|
|
|
|
# allow access to deferred queue and allow removing bogus incoming entries
|
|
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
|
|
allow postfix_master_t postfix_spool_t:file create_file_perms;
|
|
|
|
dontaudit postfix_master_t man_t:dir search;
|
|
|
|
define(`postfix_server_domain', `
|
|
postfix_domain($1, `$2')
|
|
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
|
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
allow postfix_$1_t self:capability { setuid setgid dac_override };
|
|
can_network_client(postfix_$1_t)
|
|
allow postfix_$1_t port_type:tcp_socket name_connect;
|
|
can_ypbind(postfix_$1_t)
|
|
')
|
|
|
|
postfix_server_domain(smtp, `, mail_server_sender')
|
|
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
|
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
|
|
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
|
|
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
|
|
# if you have two different mail servers on the same host let them talk via
|
|
# SMTP, also if one mail server wants to talk to itself then allow it and let
|
|
# the SMTP protocol sort it out (SE Linux is not to prevent mail server
|
|
# misconfiguration)
|
|
can_tcp_connect(postfix_smtp_t, mail_server_domain)
|
|
|
|
postfix_server_domain(smtpd)
|
|
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
|
|
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
|
|
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
|
|
allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
|
|
# for OpenSSL certificates
|
|
r_dir_file(postfix_smtpd_t,usr_t)
|
|
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
|
|
allow postfix_smtpd_t self:file { getattr read };
|
|
|
|
# for prng_exch
|
|
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
|
|
|
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
|
|
|
|
postfix_server_domain(local, `, mta_delivery_agent')
|
|
ifdef(`procmail.te', `
|
|
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
|
|
# for a bug in the postfix local program
|
|
dontaudit procmail_t postfix_local_t:tcp_socket { read write };
|
|
dontaudit procmail_t postfix_master_t:fd use;
|
|
')
|
|
allow postfix_local_t etc_aliases_t:file r_file_perms;
|
|
allow postfix_local_t self:fifo_file rw_file_perms;
|
|
allow postfix_local_t self:process { setsched setrlimit };
|
|
allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
|
# for .forward - maybe we need a new type for it?
|
|
allow postfix_local_t postfix_private_t:dir search;
|
|
allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
|
|
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
|
|
allow postfix_local_t postfix_public_t:dir search;
|
|
allow postfix_local_t postfix_public_t:sock_file write;
|
|
tmp_domain(postfix_local)
|
|
can_exec(postfix_local_t,{ shell_exec_t bin_t })
|
|
ifdef(`spamc.te', `
|
|
can_exec(postfix_local_t, spamc_exec_t)
|
|
')
|
|
allow postfix_local_t mail_spool_t:dir { remove_name };
|
|
allow postfix_local_t mail_spool_t:file { unlink };
|
|
# For reading spamassasin
|
|
r_dir_file(postfix_local_t, etc_mail_t)
|
|
|
|
define(`postfix_public_domain',`
|
|
postfix_server_domain($1)
|
|
allow postfix_$1_t postfix_public_t:dir search;
|
|
')
|
|
|
|
postfix_public_domain(cleanup)
|
|
create_dir_file(postfix_cleanup_t, postfix_spool_t)
|
|
allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
|
|
allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
|
|
allow postfix_cleanup_t postfix_private_t:dir search;
|
|
allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
|
|
allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
|
|
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
|
|
allow postfix_cleanup_t self:process setrlimit;
|
|
|
|
allow user_mail_domain postfix_spool_t:dir r_dir_perms;
|
|
allow user_mail_domain postfix_etc_t:dir r_dir_perms;
|
|
allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
|
|
allow user_mail_domain self:capability dac_override;
|
|
|
|
define(`postfix_user_domain', `
|
|
postfix_domain($1, `$2')
|
|
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
|
|
in_user_role(postfix_$1_t)
|
|
role sysadm_r types postfix_$1_t;
|
|
allow postfix_$1_t userdomain:process sigchld;
|
|
allow postfix_$1_t userdomain:fifo_file { write getattr };
|
|
allow postfix_$1_t { userdomain privfd }:fd use;
|
|
allow postfix_$1_t self:capability dac_override;
|
|
')
|
|
|
|
postfix_user_domain(postqueue)
|
|
allow postfix_postqueue_t postfix_public_t:dir search;
|
|
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
|
|
allow postfix_postqueue_t self:udp_socket { create ioctl };
|
|
allow postfix_postqueue_t self:tcp_socket create;
|
|
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
|
|
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
|
allow postfix_postqueue_t initrc_t:process sigchld;
|
|
allow postfix_postqueue_t initrc_t:fd use;
|
|
|
|
# to write the mailq output, it really should not need read access!
|
|
allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
|
|
ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
|
|
|
|
# wants to write to /var/spool/postfix/public/showq
|
|
allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
|
|
allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
|
|
# write to /var/spool/postfix/public/qmgr
|
|
allow postfix_postqueue_t postfix_public_t:fifo_file write;
|
|
dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
|
|
|
|
postfix_user_domain(showq)
|
|
# the following auto_trans is usually in postfix server domain
|
|
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
|
can_resolve(postfix_showq_t)
|
|
r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
|
|
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
|
allow postfix_showq_t self:capability { setuid setgid };
|
|
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
|
allow postfix_showq_t postfix_spool_t:file r_file_perms;
|
|
allow postfix_showq_t self:tcp_socket create_socket_perms;
|
|
allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
|
|
dontaudit postfix_showq_t net_conf_t:file r_file_perms;
|
|
|
|
postfix_user_domain(postdrop, `, mta_user_agent')
|
|
can_resolve(postfix_postdrop_t)
|
|
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
|
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
|
|
allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
|
|
allow postfix_postdrop_t postfix_public_t:dir search;
|
|
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
|
|
dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
|
|
dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
|
|
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
|
|
ifdef(`crond.te',
|
|
`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
|
|
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
|
|
# usually it does not need a UDP socket
|
|
allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
|
allow postfix_postdrop_t self:tcp_socket create;
|
|
allow postfix_postdrop_t self:capability sys_resource;
|
|
allow postfix_postdrop_t self:tcp_socket create;
|
|
|
|
postfix_public_domain(pickup)
|
|
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
|
|
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
|
|
allow postfix_pickup_t postfix_private_t:dir search;
|
|
allow postfix_pickup_t postfix_private_t:sock_file write;
|
|
allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
|
|
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
|
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
|
|
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
|
|
allow postfix_pickup_t self:tcp_socket create_socket_perms;
|
|
|
|
postfix_public_domain(qmgr)
|
|
allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
|
|
allow postfix_qmgr_t postfix_public_t:sock_file write;
|
|
allow postfix_qmgr_t postfix_private_t:dir search;
|
|
allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
|
|
allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
|
|
|
|
# for /var/spool/postfix/active
|
|
create_dir_file(postfix_qmgr_t, postfix_spool_t)
|
|
|
|
postfix_public_domain(bounce)
|
|
type postfix_spool_bounce_t, file_type, sysadmfile;
|
|
create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
|
|
create_dir_file(postfix_bounce_t, postfix_spool_t)
|
|
allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
|
|
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
|
allow postfix_bounce_t self:capability dac_read_search;
|
|
allow postfix_bounce_t postfix_public_t:sock_file write;
|
|
allow postfix_bounce_t self:tcp_socket create_socket_perms;
|
|
|
|
r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
|
|
|
|
postfix_public_domain(pipe)
|
|
allow postfix_pipe_t postfix_spool_t:dir search;
|
|
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
|
|
allow postfix_pipe_t self:fifo_file { read write };
|
|
allow postfix_pipe_t postfix_private_t:dir search;
|
|
allow postfix_pipe_t postfix_private_t:sock_file write;
|
|
ifdef(`procmail.te', `
|
|
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
|
|
')
|
|
ifdef(`sendmail.te', `
|
|
r_dir_file(sendmail_t, postfix_etc_t)
|
|
allow sendmail_t postfix_spool_t:dir search;
|
|
')
|
|
|
|
# Program for creating database files
|
|
application_domain(postfix_map)
|
|
base_file_read_access(postfix_map_t)
|
|
allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
|
|
tmp_domain(postfix_map)
|
|
create_dir_file(postfix_map_t, postfix_etc_t)
|
|
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
|
dontaudit postfix_map_t proc_t:dir { getattr read search };
|
|
dontaudit postfix_map_t local_login_t:fd use;
|
|
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
|
|
read_locale(postfix_map_t)
|
|
allow postfix_map_t self:capability setgid;
|
|
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
|
dontaudit postfix_map_t var_t:dir search;
|
|
can_network_server(postfix_map_t)
|
|
allow postfix_map_t port_type:tcp_socket name_connect;
|