git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/services/postfix.if
Add a boolean to turn off all instances of ptrace in the policy
CommitLineData
04926d07
CP
1## <summary>Postfix email server</summary>
2
3########################################
4## <summary>
5## Postfix stub interface. No access allowed.
6## </summary>
f7eaeebb 7## <param name="domain" unused="true">
885b83ec 8## <summary>
f7eaeebb 9## Domain allowed access.
885b83ec 10## </summary>
04926d07
CP
11## </param>
12#
13interface(`postfix_stub',`
14 gen_require(`
15 type postfix_master_t;
16 ')
17')
18
e58da022
CP
19########################################
20## <summary>
21## Creates types and rules for a basic
22## postfix process domain.
23## </summary>
24## <param name="prefix">
25## <summary>
26## Prefix for the domain.
27## </summary>
28## </param>
29#
04926d07
CP
30template(`postfix_domain_template',`
31 type postfix_$1_t;
32 type postfix_$1_exec_t;
33 domain_type(postfix_$1_t)
0bfccda4 34 domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
04926d07
CP
35 role system_r types postfix_$1_t;
36
ba7ee7c8 37 allow postfix_$1_t self:capability { sys_nice sys_chroot };
04926d07 38 dontaudit postfix_$1_t self:capability sys_tty_config;
ef394695 39 allow postfix_$1_t self:process { signal_perms setpgid setsched };
04926d07
CP
40 allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
41 allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
42 allow postfix_$1_t self:unix_stream_socket connectto;
43
44 allow postfix_master_t postfix_$1_t:process signal;
134a799c
CP
45 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
46 allow postfix_$1_t postfix_master_t:file read;
04926d07 47
c0868a7a 48 allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
0bfccda4 49 read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
d9e4cbd2 50 read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
04926d07
CP
51
52 can_exec(postfix_$1_t, postfix_$1_exec_t)
53
6c994054 54 allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock };
04926d07
CP
55
56 allow postfix_$1_t postfix_master_t:process sigchld;
57
c0868a7a 58 allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
04926d07
CP
59
60 allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
0bfccda4 61 files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
04926d07
CP
62
63 kernel_read_system_state(postfix_$1_t)
64 kernel_read_network_state(postfix_$1_t)
445522dc 65 kernel_read_all_sysctls(postfix_$1_t)
04926d07
CP
66
67 dev_read_sysfs(postfix_$1_t)
68 dev_read_rand(postfix_$1_t)
69 dev_read_urand(postfix_$1_t)
70
71 fs_search_auto_mountpoints(postfix_$1_t)
72 fs_getattr_xattr_fs(postfix_$1_t)
134a799c 73 fs_rw_anon_inodefs_files(postfix_$1_t)
04926d07
CP
74
75 term_dontaudit_use_console(postfix_$1_t)
76
04926d07
CP
77 corecmd_exec_shell(postfix_$1_t)
78
79 files_read_etc_files(postfix_$1_t)
80 files_read_etc_runtime_files(postfix_$1_t)
3eaa9939 81 files_read_usr_files(postfix_$1_t)
88dd3896 82 files_read_usr_symlinks(postfix_$1_t)
04926d07 83 files_search_spool(postfix_$1_t)
9e04f5c5 84 files_getattr_tmp_dirs(postfix_$1_t)
d9e4cbd2 85 files_search_all_mountpoints(postfix_$1_t)
04926d07 86
a5f5eba4 87 init_dontaudit_use_fds(postfix_$1_t)
04926d07
CP
88 init_sigchld(postfix_$1_t)
89
c0cf6e0a
CP
90 auth_use_nsswitch(postfix_$1_t)
91
04926d07
CP
92 logging_send_syslog_msg(postfix_$1_t)
93
94 miscfiles_read_localization(postfix_$1_t)
83406219 95 miscfiles_read_generic_certs(postfix_$1_t)
04926d07 96
15722ec9 97 userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
04926d07 98
bb7170f6 99 optional_policy(`
04926d07
CP
100 udev_read_db(postfix_$1_t)
101 ')
102')
103
e58da022
CP
104########################################
105## <summary>
106## Creates a postfix server process domain.
107## </summary>
108## <param name="prefix">
109## <summary>
110## Prefix of the domain.
111## </summary>
112## </param>
113#
04926d07
CP
114template(`postfix_server_domain_template',`
# Starts from the base postfix domain template, then adds a private tmp
# type, extra capabilities, master socket access and network access.
115 postfix_domain_template($1)
116
d9e4cbd2
CP
117 type postfix_$1_tmp_t;
118 files_tmp_file(postfix_$1_tmp_t)
119
# NOTE(review): setuid, setgid and dac_override are granted to every server
# domain built from this template; confirm each daemon needs all of them.
e07eb246 120 allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
04926d07
CP
121 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
122 allow postfix_$1_t self:tcp_socket create_socket_perms;
123 allow postfix_$1_t self:udp_socket create_socket_perms;
124
d9e4cbd2
CP
# The domain manages its own tmp dirs and files; new files and dirs created
# in the tmp location are given the private tmp type.
125 manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
126 manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
127 files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
128
# The only transition into this domain set up here is from postfix_master_t.
c0868a7a 129 domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
04926d07 130
19006686
CP
# NOTE(review): the rules below cover TCP connect plus TCP and UDP send and
# receive on all ports for every server domain; any per-daemon narrowing
# would have to be done outside this template. Verify this breadth is wanted.
131 corenet_all_recvfrom_unlabeled(postfix_$1_t)
132 corenet_all_recvfrom_netlabel(postfix_$1_t)
668b3093
CP
133 corenet_tcp_sendrecv_generic_if(postfix_$1_t)
134 corenet_udp_sendrecv_generic_if(postfix_$1_t)
c1262146
CP
135 corenet_tcp_sendrecv_generic_node(postfix_$1_t)
136 corenet_udp_sendrecv_generic_node(postfix_$1_t)
04926d07
CP
137 corenet_tcp_sendrecv_all_ports(postfix_$1_t)
138 corenet_udp_sendrecv_all_ports(postfix_$1_t)
c1262146
CP
139 corenet_tcp_bind_generic_node(postfix_$1_t)
140 corenet_udp_bind_generic_node(postfix_$1_t)
04926d07 141 corenet_tcp_connect_all_ports(postfix_$1_t)
141cffdd 142 corenet_sendrecv_all_client_packets(postfix_$1_t)
04926d07
CP
143')
144
e58da022
CP
145########################################
146## <summary>
147## Creates a process domain for programs
148## that are run by users.
149## </summary>
150## <param name="prefix">
151## <summary>
152## Prefix of the domain.
153## </summary>
154## </param>
155#
04926d07 156template(`postfix_user_domain_template',`
fc0e8ce9
CP
157 gen_require(`
158 attribute postfix_user_domains, postfix_user_domtrans;
159 ')
160
04926d07
CP
161 postfix_domain_template($1)
162
fc0e8ce9
CP
163 typeattribute postfix_$1_t postfix_user_domains;
164
04926d07
CP
165 allow postfix_$1_t self:capability dac_override;
166
c0868a7a 167 domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
04926d07 168
15722ec9 169 domain_use_interactive_fds(postfix_$1_t)
9883378b
DW
170
171 application_domain(postfix_$1_t, postfix_$1_exec_t)
fc0e8ce9 172')
04926d07 173
04926d07
CP
174########################################
175## <summary>
176## Read postfix configuration files.
177## </summary>
178## <param name="domain">
885b83ec 179## <summary>
04926d07 180## Domain allowed access.
885b83ec 181## </summary>
04926d07 182## </param>
bbcd3c97 183## <rolecap/>
04926d07
CP
184#
185interface(`postfix_read_config',`
186 gen_require(`
187 type postfix_etc_t;
188 ')
189
d9e4cbd2
CP
190 read_files_pattern($1, postfix_etc_t, postfix_etc_t)
191 read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
04926d07
CP
192 files_search_etc($1)
193')
194
1504ff3e
CP
195########################################
196## <summary>
197## Create files with the specified type in
198## the postfix configuration directories.
199## </summary>
200## <param name="domain">
885b83ec 201## <summary>
1504ff3e 202## Domain allowed access.
885b83ec 203## </summary>
1504ff3e
CP
204## </param>
205## <param name="private type">
885b83ec 206## <summary>
1504ff3e 207## The type of the object to be created.
885b83ec 208## </summary>
1504ff3e 209## </param>
1c1ac67f 210## <param name="object">
885b83ec 211## <summary>
1c1ac67f 212## The object class of the object being created.
885b83ec 213## </summary>
1504ff3e
CP
214## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
215#
103fe280 216interface(`postfix_config_filetrans',`
1504ff3e
CP
217 gen_require(`
218 type postfix_etc_t;
219 ')
220
221 files_search_etc($1)
# The fourth argument is forwarded as the object name, so the type
# transition can be limited to one file name inside postfix_etc_t dirs.
7dd47a9a 222 filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
1504ff3e
CP
223')
224
3e6c816d
CP
225########################################
226## <summary>
227## Do not audit attempts to read and
228## write postfix local delivery
229## TCP sockets.
230## </summary>
231## <param name="domain">
885b83ec 232## <summary>
3e6c816d 233## Domain to not audit.
885b83ec 234## </summary>
3e6c816d
CP
235## </param>
236#
1815bad1 237interface(`postfix_dontaudit_rw_local_tcp_sockets',`
3e6c816d
CP
238 gen_require(`
239 type postfix_local_t;
240 ')
241
242 dontaudit $1 postfix_local_t:tcp_socket { read write };
243')
244
d9e4cbd2
CP
245########################################
246## <summary>
247## Allow read/write of postfix local
248## delivery pipes.
249## </summary>
250## <param name="domain">
251## <summary>
252## Domain allowed access.
253## </summary>
254## </param>
255#
256interface(`postfix_rw_local_pipes',`
257 gen_require(`
258 type postfix_local_t;
259 ')
260
261 allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
262')
263
134a799c
CP
264########################################
265## <summary>
266## Allow domain to read postfix local process state
267## </summary>
268## <param name="domain">
269## <summary>
288845a6 270## Domain allowed access.
134a799c
CP
271## </summary>
272## </param>
273#
274interface(`postfix_read_local_state',`
275 gen_require(`
276 type postfix_local_t;
277 ')
278
23952dea
DG
279 kernel_search_proc($1)
280 ps_process_pattern($1, postfix_local_t)
134a799c
CP
281')
282
283########################################
284## <summary>
285## Allow domain to read postfix master process state
286## </summary>
287## <param name="domain">
288## <summary>
288845a6 289## Domain allowed access.
134a799c
CP
290## </summary>
291## </param>
292#
293interface(`postfix_read_master_state',`
294 gen_require(`
295 type postfix_master_t;
296 ')
297
23952dea
DG
298 kernel_search_proc($1)
299 ps_process_pattern($1, postfix_master_t)
134a799c
CP
300')
301
2265b98c
DG
302########################################
303## <summary>
304## Use postfix master process
305## file descriptors.
306## </summary>
307## <param name="domain">
308## <summary>
309## Domain allowed access.
310## </summary>
311## </param>
312#
313interface(`postfix_use_fds_master',`
314 gen_require(`
315 type postfix_master_t;
316 ')
317
318 allow $1 postfix_master_t:fd use;
319')
320
3e6c816d
CP
321########################################
322## <summary>
323## Do not audit attempts to use
324## postfix master process
325## file descriptors.
326## </summary>
327## <param name="domain">
885b83ec 328## <summary>
3e6c816d 329## Domain to not audit.
885b83ec 330## </summary>
3e6c816d
CP
331## </param>
332#
1c1ac67f 333interface(`postfix_dontaudit_use_fds',`
3e6c816d
CP
334 gen_require(`
335 type postfix_master_t;
336 ')
337
338 dontaudit $1 postfix_master_t:fd use;
339')
340
88dd3896
CP
341########################################
342## <summary>
343## Execute postfix_map in the postfix_map domain.
344## </summary>
345## <param name="domain">
885b83ec 346## <summary>
288845a6 347## Domain allowed to transition.
885b83ec 348## </summary>
88dd3896
CP
349## </param>
350#
351interface(`postfix_domtrans_map',`
352 gen_require(`
353 type postfix_map_t, postfix_map_exec_t;
354 ')
355
0bfccda4 356 domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
88dd3896
CP
357')
358
359########################################
360## <summary>
361## Execute postfix_map in the postfix_map domain, and
362## allow the specified role the postfix_map domain.
363## </summary>
364## <param name="domain">
885b83ec 365## <summary>
288845a6 366## Domain allowed to transition.
885b83ec 367## </summary>
88dd3896
CP
368## </param>
369## <param name="role">
885b83ec 370## <summary>
a7ee7f81 371## Role allowed access.
885b83ec 372## </summary>
88dd3896 373## </param>
bbcd3c97 374## <rolecap/>
88dd3896
CP
375#
376interface(`postfix_run_map',`
377 gen_require(`
378 type postfix_map_t;
379 ')
380
381 postfix_domtrans_map($1)
382 role $2 types postfix_map_t;
88dd3896
CP
383')
384
04926d07
CP
385########################################
386## <summary>
387## Execute the master postfix program in the
388## postfix_master domain.
389## </summary>
390## <param name="domain">
885b83ec 391## <summary>
288845a6 392## Domain allowed to transition.
885b83ec 393## </summary>
04926d07
CP
394## </param>
395#
396interface(`postfix_domtrans_master',`
397 gen_require(`
398 type postfix_master_t, postfix_master_exec_t;
399 ')
400
0bfccda4 401 domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
04926d07
CP
402')
403
3eaa9939
DW
404
405########################################
406## <summary>
407## Execute the postfix init script (postfix_initrc_exec_t) with a domain transition.
408## </summary>
409## <param name="domain">
410## <summary>
411## Domain allowed access.
412## </summary>
413## </param>
414#
8e3f53a0 415interface(`postfix_initrc_domtrans',`
3eaa9939
DW
416 gen_require(`
417 type postfix_initrc_exec_t;
418 ')
419
420 init_labeled_script_domtrans($1, postfix_initrc_exec_t)
421')
422
1504ff3e
CP
423########################################
424## <summary>
425## Execute the master postfix program in the
426## caller domain.
427## </summary>
428## <param name="domain">
885b83ec 429## <summary>
1504ff3e 430## Domain allowed access.
885b83ec 431## </summary>
1504ff3e
CP
432## </param>
433#
434interface(`postfix_exec_master',`
435 gen_require(`
436 type postfix_master_exec_t;
437 ')
438
3f67f722 439 can_exec($1, postfix_master_exec_t)
1504ff3e
CP
440')
441
d9e4cbd2
CP
442#######################################
443## <summary>
444## Connect to postfix master process using a unix domain stream socket.
445## </summary>
446## <param name="domain">
447## <summary>
448## Domain allowed access.
449## </summary>
450## </param>
d9e4cbd2
CP
451#
452interface(`postfix_stream_connect_master',`
453 gen_require(`
454 type postfix_master_t, postfix_public_t;
455 ')
456
457 stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
458')
459
460########################################
f52efc83
DW
461## <summary>
462## Allow read/write postfix master pipes
463## </summary>
464## <param name="domain">
465## <summary>
466## Domain allowed access.
467## </summary>
468## </param>
469#
470interface(`postfix_rw_master_pipes',`
471 gen_require(`
472 type postfix_master_t;
473 ')
474
e6c1acfb 475 allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
f52efc83
DW
476')
477
478########################################
d9e4cbd2
CP
479## <summary>
480## Execute the master postdrop in the
481## postfix_postdrop domain.
482## </summary>
483## <param name="domain">
484## <summary>
288845a6 485## Domain allowed to transition.
d9e4cbd2
CP
486## </summary>
487## </param>
488#
489interface(`postfix_domtrans_postdrop',`
490 gen_require(`
491 type postfix_postdrop_t, postfix_postdrop_exec_t;
492 ')
493
494 domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
495')
496
497########################################
498## <summary>
499## Execute the master postqueue in the
500## postfix_postqueue domain.
501## </summary>
502## <param name="domain">
503## <summary>
288845a6 504## Domain allowed to transition.
d9e4cbd2
CP
505## </summary>
506## </param>
507#
508interface(`postfix_domtrans_postqueue',`
509 gen_require(`
510 type postfix_postqueue_t, postfix_postqueue_exec_t;
511 ')
512
513 domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
514')
515
516#######################################
517## <summary>
518## Execute the master postqueue in the caller domain.
519## </summary>
520## <param name="domain">
521## <summary>
522## Domain allowed access.
523## </summary>
524## </param>
525#
48e3b84f 526interface(`postfix_exec_postqueue',`
d9e4cbd2
CP
527 gen_require(`
528 type postfix_postqueue_exec_t;
529 ')
530
531 can_exec($1, postfix_postqueue_exec_t)
532')
533
134a799c
CP
534########################################
535## <summary>
536## Create a named socket in a postfix private directory.
537## </summary>
538## <param name="domain">
539## <summary>
540## Domain allowed access.
541## </summary>
542## </param>
543#
d9e4cbd2 544interface(`postfix_create_private_sockets',`
134a799c
CP
545 gen_require(`
546 type postfix_private_t;
547 ')
548
549 allow $1 postfix_private_t:dir list_dir_perms;
0bfccda4 550 create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
134a799c
CP
551')
552
d9e4cbd2
CP
553########################################
554## <summary>
555## Manage named sockets in a postfix private directory.
556## </summary>
557## <param name="domain">
558## <summary>
559## Domain allowed access.
560## </summary>
561## </param>
562#
563interface(`postfix_manage_private_sockets',`
564 gen_require(`
565 type postfix_private_t;
566 ')
567
568 allow $1 postfix_private_t:dir list_dir_perms;
569 manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
570')
571
123a990b
CP
572########################################
573## <summary>
574## Execute the postfix smtp program in the
575## postfix_smtp domain.
576## </summary>
577## <param name="domain">
578## <summary>
288845a6 579## Domain allowed to transition.
123a990b
CP
580## </summary>
581## </param>
582#
583interface(`postfix_domtrans_smtp',`
584 gen_require(`
585 type postfix_smtp_t, postfix_smtp_exec_t;
586 ')
587
0bfccda4 588 domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
123a990b
CP
589')
590
3eaa9939
DW
591########################################
592## <summary>
593## Getattr postfix mail spool files.
594## </summary>
595## <param name="domain">
596## <summary>
597## Domain allowed access.
598## </summary>
599## </param>
600#
601interface(`postfix_getattr_spool_files',`
602 gen_require(`
603 attribute postfix_spool_type;
604 ')
605
606 files_search_spool($1)
607 getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
608')
609
04926d07
CP
610########################################
611## <summary>
612## Search postfix mail spool directories.
613## </summary>
614## <param name="domain">
885b83ec 615## <summary>
04926d07 616## Domain allowed access.
885b83ec 617## </summary>
04926d07
CP
618## </param>
619#
620interface(`postfix_search_spool',`
621 gen_require(`
3eaa9939 622 attribute postfix_spool_type;
04926d07
CP
623 ')
624
3eaa9939 625 allow $1 postfix_spool_type:dir search_dir_perms;
04926d07
CP
626 files_search_spool($1)
627')
628
629########################################
630## <summary>
631## List postfix mail spool directories.
632## </summary>
633## <param name="domain">
885b83ec 634## <summary>
04926d07 635## Domain allowed access.
885b83ec 636## </summary>
04926d07
CP
637## </param>
638#
639interface(`postfix_list_spool',`
640 gen_require(`
3eaa9939 641 attribute postfix_spool_type;
04926d07
CP
642 ')
643
3eaa9939 644 allow $1 postfix_spool_type:dir list_dir_perms;
04926d07
CP
645 files_search_spool($1)
646')
fc0e8ce9 647
134a799c
CP
648########################################
649## <summary>
650## Read postfix mail spool files.
651## </summary>
652## <param name="domain">
653## <summary>
654## Domain allowed access.
655## </summary>
656## </param>
657#
658interface(`postfix_read_spool_files',`
659 gen_require(`
3eaa9939 660 attribute postfix_spool_type;
134a799c
CP
661 ')
662
663 files_search_spool($1)
3eaa9939 664 read_files_pattern($1, postfix_spool_type, postfix_spool_type)
134a799c
CP
665')
666
9ff89c44
CP
667########################################
668## <summary>
669## Create, read, write, and delete postfix mail spool files.
670## </summary>
671## <param name="domain">
672## <summary>
673## Domain allowed access.
674## </summary>
675## </param>
676#
677interface(`postfix_manage_spool_files',`
678 gen_require(`
3eaa9939 679 attribute postfix_spool_type;
9ff89c44
CP
680 ')
681
682 files_search_spool($1)
3eaa9939 683 manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
9ff89c44
CP
684')
685
fc0e8ce9
CP
686########################################
687## <summary>
688## Execute postfix user mail programs
689## in their respective domains.
690## </summary>
691## <param name="domain">
885b83ec 692## <summary>
fc0e8ce9 693## Domain allowed access.
885b83ec 694## </summary>
fc0e8ce9
CP
695## </param>
696#
697interface(`postfix_domtrans_user_mail_handler',`
698 gen_require(`
699 attribute postfix_user_domtrans;
700 ')
701
702 typeattribute $1 postfix_user_domtrans;
703')
3eaa9939
DW
704
705########################################
706## <summary>
707## All of the rules required to administrate
708## a postfix environment.
709## </summary>
710## <param name="domain">
711## <summary>
712## Domain allowed access.
713## </summary>
714## </param>
715## <param name="role">
716## <summary>
717## Role allowed access.
718## </summary>
719## </param>
55c2e0e0 720## <rolecap/>
3eaa9939 721#
624f2f43 722interface(`postfix_admin',`
3eaa9939 723 gen_require(`
8f0b7460 724 attribute postfix_spool_type;
624f2f43
DG
725 type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
726 type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
3eaa9939 727 type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
3eaa9939 728 type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
8f0b7460 729 type postfix_smtpd_t, postfix_var_run_t;
3eaa9939
DW
730 ')
731
# For each postfix daemon domain the admin domain gets signal permissions
# and the ps process pattern. ptrace is kept separate from these.
995bdbb1 732 allow $1 postfix_bounce_t:process signal_perms;
39e118bc 733 ps_process_pattern($1, postfix_bounce_t)
# The true branch of the deny_ptrace tunable is empty and the ptrace rule
# sits in the else branch, so it is in effect only while deny_ptrace is off.
# ptrace gives the admin domain debugger-level control over the daemon.
995bdbb1 734 tunable_policy(`deny_ptrace',`',`
735 allow $1 postfix_bounce_t:process ptrace;
736 ')
3eaa9939 737
995bdbb1 738 allow $1 postfix_cleanup_t:process signal_perms;
39e118bc 739 ps_process_pattern($1, postfix_cleanup_t)
# NOTE(review): this second deny_ptrace block carries the ptrace rules for
# cleanup and also for the local, master, pickup, qmgr and smtpd domains
# whose signal rules follow further down. Merging it with the bounce block
# above would keep every admin ptrace grant in one place.
995bdbb1 740 tunable_policy(`deny_ptrace',`',`
741 allow $1 postfix_cleanup_t:process ptrace;
742 allow $1 postfix_local_t:process ptrace;
743 allow $1 postfix_master_t:process ptrace;
744 allow $1 postfix_pickup_t:process ptrace;
745 allow $1 postfix_qmgr_t:process ptrace;
746 allow $1 postfix_smtpd_t:process ptrace;
747 ')
3eaa9939 748
995bdbb1 749 allow $1 postfix_local_t:process signal_perms;
39e118bc 750 ps_process_pattern($1, postfix_local_t)
3eaa9939 751
995bdbb1 752 allow $1 postfix_master_t:process signal_perms;
39e118bc 753 ps_process_pattern($1, postfix_master_t)
3eaa9939 754
995bdbb1 755 allow $1 postfix_pickup_t:process signal_perms;
39e118bc 756 ps_process_pattern($1, postfix_pickup_t)
3eaa9939 757
995bdbb1 758 allow $1 postfix_qmgr_t:process signal_perms;
39e118bc 759 ps_process_pattern($1, postfix_qmgr_t)
3eaa9939 760
995bdbb1 761 allow $1 postfix_smtpd_t:process signal_perms;
39e118bc 762 ps_process_pattern($1, postfix_smtpd_t)
3eaa9939 763
2a724571
DG
# The admin role may run postmap and postdrop in their own domains.
764 postfix_run_map($1, $2)
765 postfix_run_postdrop($1, $2)
624f2f43 766
3eaa9939
DW
# Init script handling: the admin role is allowed system_r and transitions
# to it when it executes a file labeled postfix_initrc_exec_t.
767 postfix_initrc_domtrans($1)
768 domain_system_change_exemption($1)
769 role_transition $2 postfix_initrc_exec_t system_r;
770 allow $2 system_r;
771
# admin_pattern is applied to the data, config, spool, pid, map tmp, prng
# and public types. Its exact permission set is defined outside this file.
772 admin_pattern($1, postfix_data_t)
773
774 files_list_etc($1)
775 admin_pattern($1, postfix_etc_t)
776
61f40642 777 files_list_spool($1)
8e3f53a0 778 admin_pattern($1, postfix_spool_type)
3eaa9939
DW
779
780 admin_pattern($1, postfix_var_run_t)
781
61f40642 782 files_list_tmp($1)
3eaa9939
DW
783 admin_pattern($1, postfix_map_tmp_t)
784
785 admin_pattern($1, postfix_prng_t)
786
787 admin_pattern($1, postfix_public_t)
7dd47a9a
DW
788
789 postfix_filetrans_named_content($1)
3eaa9939
DW
790')
791
792########################################
793## <summary>
794## Execute postdrop in the postfix_postdrop domain, and
795## allow the specified role the postfix_postdrop domain.
796## </summary>
797## <param name="domain">
798## <summary>
8ab34f01 799## Domain allowed to transition.
3eaa9939
DW
800## </summary>
801## </param>
bc9873da
MG
802## <param name="role">
803## <summary>
804## The role to be allowed the postfix_postdrop domain.
805## </summary>
806## </param>
55c2e0e0 807## <rolecap/>
3eaa9939
DW
808#
809interface(`postfix_run_postdrop',`
810 gen_require(`
811 type postfix_postdrop_t;
812 ')
813
814 postfix_domtrans_postdrop($1)
815 role $2 types postfix_postdrop_t;
816')
7dd47a9a
DW
817
818########################################
819## <summary>
820## Transition to postfix named content
821## </summary>
822## <param name="domain">
823## <summary>
824## Domain allowed access.
825## </summary>
826## </param>
827#
828interface(`postfix_filetrans_named_content',`
829 gen_require(`
830 type postfix_exec_t;
831 type postfix_prng_t;
832 ')
833
834 postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
835 postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
836')