Commit | Line | Data |
---|---|---|
04926d07 CP |
1 | ## <summary>Postfix email server</summary> |
2 | ||
3 | ######################################## | |
4 | ## <summary> | |
5 | ## Postfix stub interface. No access allowed. | |
6 | ## </summary> | |
f7eaeebb | 7 | ## <param name="domain" unused="true"> |
885b83ec | 8 | ## <summary> |
f7eaeebb | 9 | ## Domain allowed access. |
885b83ec | 10 | ## </summary> |
04926d07 CP |
11 | ## </param> |
12 | # | |
13 | interface(`postfix_stub',` | |
14 | gen_require(` | |
15 | type postfix_master_t; | |
16 | ') | |
17 | ') | |
18 | ||
e58da022 CP |
19 | ######################################## |
20 | ## <summary> | |
21 | ## Creates types and rules for a basic | |
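22 | ## postfix process domain. Every domain built from this template may execute a shell (corecmd_exec_shell) and read all sysctls (kernel_read_all_sysctls). | |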
23 | ## </summary> | |
24 | ## <param name="prefix"> | |
25 | ## <summary> | |
26 | ## Prefix for the domain. | |
27 | ## </summary> | |
28 | ## </param> | |
29 | # | |
04926d07 CP |
30 | template(`postfix_domain_template',` |
31 | type postfix_$1_t; | |
32 | type postfix_$1_exec_t; | |
33 | domain_type(postfix_$1_t) | |
0bfccda4 | 34 | domain_entry_file(postfix_$1_t, postfix_$1_exec_t) |
04926d07 CP |
35 | role system_r types postfix_$1_t; |
36 | ||
ba7ee7c8 | 37 | allow postfix_$1_t self:capability { sys_nice sys_chroot }; |
04926d07 | 38 | dontaudit postfix_$1_t self:capability sys_tty_config; |
ef394695 | 39 | allow postfix_$1_t self:process { signal_perms setpgid setsched }; |
04926d07 CP |
40 | allow postfix_$1_t self:unix_dgram_socket create_socket_perms; |
41 | allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; | |
42 | allow postfix_$1_t self:unix_stream_socket connectto; | |
43 | ||
44 | allow postfix_master_t postfix_$1_t:process signal; | |
134a799c CP |
45 | #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 |
46 | allow postfix_$1_t postfix_master_t:file read; | |
04926d07 | 47 | |
c0868a7a | 48 | allow postfix_$1_t postfix_etc_t:dir list_dir_perms; |
0bfccda4 | 49 | read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) |
d9e4cbd2 | 50 | read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) |
04926d07 CP |
51 | |
52 | can_exec(postfix_$1_t, postfix_$1_exec_t) | |
53 | ||
6c994054 | 54 | allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock }; |
04926d07 CP |
55 | |
56 | allow postfix_$1_t postfix_master_t:process sigchld; | |
57 | ||
c0868a7a | 58 | allow postfix_$1_t postfix_spool_t:dir list_dir_perms; |
04926d07 CP |
59 | |
60 | allow postfix_$1_t postfix_var_run_t:file manage_file_perms; | |
0bfccda4 | 61 | files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) |
04926d07 CP |
62 | |
63 | kernel_read_system_state(postfix_$1_t) | |
64 | kernel_read_network_state(postfix_$1_t) | |
445522dc | 65 | kernel_read_all_sysctls(postfix_$1_t) |
04926d07 CP |
66 | |
67 | dev_read_sysfs(postfix_$1_t) | |
68 | dev_read_rand(postfix_$1_t) | |
69 | dev_read_urand(postfix_$1_t) | |
70 | ||
71 | fs_search_auto_mountpoints(postfix_$1_t) | |
72 | fs_getattr_xattr_fs(postfix_$1_t) | |
134a799c | 73 | fs_rw_anon_inodefs_files(postfix_$1_t) |
04926d07 CP |
74 | |
75 | term_dontaudit_use_console(postfix_$1_t) | |
76 | ||
04926d07 CP |
77 | corecmd_exec_shell(postfix_$1_t) |
78 | ||
79 | files_read_etc_files(postfix_$1_t) | |
80 | files_read_etc_runtime_files(postfix_$1_t) | |
3eaa9939 | 81 | files_read_usr_files(postfix_$1_t) |
88dd3896 | 82 | files_read_usr_symlinks(postfix_$1_t) |
04926d07 | 83 | files_search_spool(postfix_$1_t) |
9e04f5c5 | 84 | files_getattr_tmp_dirs(postfix_$1_t) |
d9e4cbd2 | 85 | files_search_all_mountpoints(postfix_$1_t) |
04926d07 | 86 | |
a5f5eba4 | 87 | init_dontaudit_use_fds(postfix_$1_t) |
04926d07 CP |
88 | init_sigchld(postfix_$1_t) |
89 | ||
c0cf6e0a CP |
90 | auth_use_nsswitch(postfix_$1_t) |
91 | ||
04926d07 CP |
92 | logging_send_syslog_msg(postfix_$1_t) |
93 | ||
94 | miscfiles_read_localization(postfix_$1_t) | |
83406219 | 95 | miscfiles_read_generic_certs(postfix_$1_t) |
04926d07 | 96 | |
15722ec9 | 97 | userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) |
04926d07 | 98 | |
bb7170f6 | 99 | optional_policy(` |
04926d07 CP |
100 | udev_read_db(postfix_$1_t) |
101 | ') | |
102 | ') | |
103 | ||
e58da022 CP |
104 | ######################################## |
105 | ## <summary> | |
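106 | ## Creates a postfix server process domain. The domain is given the setuid, setgid, sys_chroot and dac_override capabilities and may connect to all TCP ports. | |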
107 | ## </summary> | |
108 | ## <param name="prefix"> | |
109 | ## <summary> | |
110 | ## Prefix of the domain. | |
111 | ## </summary> | |
112 | ## </param> | |
113 | # | |
04926d07 CP |
114 | template(`postfix_server_domain_template',` |
115 | postfix_domain_template($1) | |
116 | ||
d9e4cbd2 CP |
117 | type postfix_$1_tmp_t; |
118 | files_tmp_file(postfix_$1_tmp_t) | |
119 | ||
e07eb246 | 120 | allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; |
04926d07 CP |
121 | allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; |
122 | allow postfix_$1_t self:tcp_socket create_socket_perms; | |
123 | allow postfix_$1_t self:udp_socket create_socket_perms; | |
124 | ||
d9e4cbd2 CP |
125 | manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) |
126 | manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) | |
127 | files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) | |
128 | ||
c0868a7a | 129 | domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) |
04926d07 | 130 | |
19006686 CP |
131 | corenet_all_recvfrom_unlabeled(postfix_$1_t) |
132 | corenet_all_recvfrom_netlabel(postfix_$1_t) | |
668b3093 CP |
133 | corenet_tcp_sendrecv_generic_if(postfix_$1_t) |
134 | corenet_udp_sendrecv_generic_if(postfix_$1_t) | |
c1262146 CP |
135 | corenet_tcp_sendrecv_generic_node(postfix_$1_t) |
136 | corenet_udp_sendrecv_generic_node(postfix_$1_t) | |
04926d07 CP |
137 | corenet_tcp_sendrecv_all_ports(postfix_$1_t) |
138 | corenet_udp_sendrecv_all_ports(postfix_$1_t) | |
c1262146 CP |
139 | corenet_tcp_bind_generic_node(postfix_$1_t) |
140 | corenet_udp_bind_generic_node(postfix_$1_t) | |
04926d07 | 141 | corenet_tcp_connect_all_ports(postfix_$1_t) |
141cffdd | 142 | corenet_sendrecv_all_client_packets(postfix_$1_t) |
04926d07 CP |
143 | ') |
144 | ||
e58da022 CP |
145 | ######################################## |
146 | ## <summary> | |
147 | ## Creates a process domain for programs | |
148 | ## that are run by users. | |
149 | ## </summary> | |
150 | ## <param name="prefix"> | |
151 | ## <summary> | |
152 | ## Prefix of the domain. | |
153 | ## </summary> | |
154 | ## </param> | |
155 | # | |
04926d07 | 156 | template(`postfix_user_domain_template',` |
fc0e8ce9 CP |
157 | gen_require(` |
158 | attribute postfix_user_domains, postfix_user_domtrans; | |
159 | ') | |
160 | ||
04926d07 CP |
161 | postfix_domain_template($1) |
162 | ||
fc0e8ce9 CP |
163 | typeattribute postfix_$1_t postfix_user_domains; |
164 | ||
04926d07 CP |
165 | allow postfix_$1_t self:capability dac_override; |
166 | ||
c0868a7a | 167 | domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) |
04926d07 | 168 | |
15722ec9 | 169 | domain_use_interactive_fds(postfix_$1_t) |
9883378b DW |
170 | |
171 | application_domain(postfix_$1_t, postfix_$1_exec_t) | |
fc0e8ce9 | 172 | ') |
04926d07 | 173 | |
04926d07 CP |
174 | ######################################## |
175 | ## <summary> | |
176 | ## Read postfix configuration files. | |
177 | ## </summary> | |
178 | ## <param name="domain"> | |
885b83ec | 179 | ## <summary> |
04926d07 | 180 | ## Domain allowed access. |
885b83ec | 181 | ## </summary> |
04926d07 | 182 | ## </param> |
bbcd3c97 | 183 | ## <rolecap/> |
04926d07 CP |
184 | # |
185 | interface(`postfix_read_config',` | |
186 | gen_require(` | |
187 | type postfix_etc_t; | |
188 | ') | |
189 | ||
d9e4cbd2 CP |
190 | read_files_pattern($1, postfix_etc_t, postfix_etc_t) |
191 | read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) | |
04926d07 CP |
192 | files_search_etc($1) |
193 | ') | |
194 | ||
1504ff3e CP |
195 | ######################################## |
196 | ## <summary> | |
197 | ## Create files with the specified type in | |
198 | ## the postfix configuration directories. | |
199 | ## </summary> | |
200 | ## <param name="domain"> | |
885b83ec | 201 | ## <summary> |
1504ff3e | 202 | ## Domain allowed access. |
885b83ec | 203 | ## </summary> |
1504ff3e CP |
204 | ## </param> |
205 | ## <param name="private type"> | |
885b83ec | 206 | ## <summary> |
1504ff3e | 207 | ## The type of the object to be created. |
885b83ec | 208 | ## </summary> |
1504ff3e | 209 | ## </param> |
1c1ac67f | 210 | ## <param name="object"> |
885b83ec | 211 | ## <summary> |
1c1ac67f | 212 | ## The object class of the object being created. |
885b83ec | 213 | ## </summary> |
1504ff3e CP |
214 | ## </param> |
215 | # | |
103fe280 | 216 | interface(`postfix_config_filetrans',` |
1504ff3e CP |
217 | gen_require(` |
218 | type postfix_etc_t; | |
219 | ') | |
220 | ||
221 | files_search_etc($1) | |
7dd47a9a | 222 | filetrans_pattern($1, postfix_etc_t, $2, $3, $4) |
1504ff3e CP |
223 | ') |
224 | ||
3e6c816d CP |
225 | ######################################## |
226 | ## <summary> | |
227 | ## Do not audit attempts to read and | |
228 | ## write postfix local delivery | |
229 | ## TCP sockets. | |
230 | ## </summary> | |
231 | ## <param name="domain"> | |
885b83ec | 232 | ## <summary> |
3e6c816d | 233 | ## Domain to not audit. |
885b83ec | 234 | ## </summary> |
3e6c816d CP |
235 | ## </param> |
236 | # | |
1815bad1 | 237 | interface(`postfix_dontaudit_rw_local_tcp_sockets',` |
3e6c816d CP |
238 | gen_require(` |
239 | type postfix_local_t; | |
240 | ') | |
241 | ||
242 | dontaudit $1 postfix_local_t:tcp_socket { read write }; | |
243 | ') | |
244 | ||
d9e4cbd2 CP |
245 | ######################################## |
246 | ## <summary> | |
247 | ## Allow read/write access to postfix local | |
248 | ## pipes (FIFO files). | |
249 | ## </summary> | |
250 | ## <param name="domain"> | |
251 | ## <summary> | |
252 | ## Domain allowed access. | |
253 | ## </summary> | |
254 | ## </param> | |
255 | # | |
256 | interface(`postfix_rw_local_pipes',` | |
257 | gen_require(` | |
258 | type postfix_local_t; | |
259 | ') | |
260 | ||
261 | allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; | |
262 | ') | |
263 | ||
134a799c CP |
264 | ######################################## |
265 | ## <summary> | |
266 | ## Allow domain to read postfix local process state | |
267 | ## </summary> | |
268 | ## <param name="domain"> | |
269 | ## <summary> | |
288845a6 | 270 | ## Domain allowed access. |
134a799c CP |
271 | ## </summary> |
272 | ## </param> | |
273 | # | |
274 | interface(`postfix_read_local_state',` | |
275 | gen_require(` | |
276 | type postfix_local_t; | |
277 | ') | |
278 | ||
23952dea DG |
279 | kernel_search_proc($1) |
280 | ps_process_pattern($1, postfix_local_t) | |
134a799c CP |
281 | ') |
282 | ||
283 | ######################################## | |
284 | ## <summary> | |
285 | ## Allow domain to read postfix master process state | |
286 | ## </summary> | |
287 | ## <param name="domain"> | |
288 | ## <summary> | |
288845a6 | 289 | ## Domain allowed access. |
134a799c CP |
290 | ## </summary> |
291 | ## </param> | |
292 | # | |
293 | interface(`postfix_read_master_state',` | |
294 | gen_require(` | |
295 | type postfix_master_t; | |
296 | ') | |
297 | ||
23952dea DG |
298 | kernel_search_proc($1) |
299 | ps_process_pattern($1, postfix_master_t) | |
134a799c CP |
300 | ') |
301 | ||
2265b98c DG |
302 | ######################################## |
303 | ## <summary> | |
304 | ## Use postfix master process file | |
305 | ## file descriptors. | |
306 | ## </summary> | |
307 | ## <param name="domain"> | |
308 | ## <summary> | |
309 | ## Domain allowed access. | |
310 | ## </summary> | |
311 | ## </param> | |
312 | # | |
313 | interface(`postfix_use_fds_master',` | |
314 | gen_require(` | |
315 | type postfix_master_t; | |
316 | ') | |
317 | ||
318 | allow $1 postfix_master_t:fd use; | |
319 | ') | |
320 | ||
3e6c816d CP |
321 | ######################################## |
322 | ## <summary> | |
323 | ## Do not audit attempts to use | |
324 | ## postfix master process file | |
325 | ## file descriptors. | |
326 | ## </summary> | |
327 | ## <param name="domain"> | |
885b83ec | 328 | ## <summary> |
3e6c816d | 329 | ## Domain to not audit. |
885b83ec | 330 | ## </summary> |
3e6c816d CP |
331 | ## </param> |
332 | # | |
1c1ac67f | 333 | interface(`postfix_dontaudit_use_fds',` |
3e6c816d CP |
334 | gen_require(` |
335 | type postfix_master_t; | |
336 | ') | |
337 | ||
338 | dontaudit $1 postfix_master_t:fd use; | |
339 | ') | |
340 | ||
88dd3896 CP |
341 | ######################################## |
342 | ## <summary> | |
343 | ## Execute postfix_map in the postfix_map domain. | |
344 | ## </summary> | |
345 | ## <param name="domain"> | |
885b83ec | 346 | ## <summary> |
288845a6 | 347 | ## Domain allowed to transition. |
885b83ec | 348 | ## </summary> |
88dd3896 CP |
349 | ## </param> |
350 | # | |
351 | interface(`postfix_domtrans_map',` | |
352 | gen_require(` | |
353 | type postfix_map_t, postfix_map_exec_t; | |
354 | ') | |
355 | ||
0bfccda4 | 356 | domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) |
88dd3896 CP |
357 | ') |
358 | ||
359 | ######################################## | |
360 | ## <summary> | |
361 | ## Execute postfix_map in the postfix_map domain, and | |
362 | ## allow the specified role the postfix_map domain. | |
363 | ## </summary> | |
364 | ## <param name="domain"> | |
885b83ec | 365 | ## <summary> |
288845a6 | 366 | ## Domain allowed to transition. |
885b83ec | 367 | ## </summary> |
88dd3896 CP |
368 | ## </param> |
369 | ## <param name="role"> | |
885b83ec | 370 | ## <summary> |
a7ee7f81 | 371 | ## Role allowed access. |
885b83ec | 372 | ## </summary> |
88dd3896 | 373 | ## </param> |
bbcd3c97 | 374 | ## <rolecap/> |
88dd3896 CP |
375 | # |
376 | interface(`postfix_run_map',` | |
377 | gen_require(` | |
378 | type postfix_map_t; | |
379 | ') | |
380 | ||
381 | postfix_domtrans_map($1) | |
382 | role $2 types postfix_map_t; | |
88dd3896 CP |
383 | ') |
384 | ||
04926d07 CP |
385 | ######################################## |
386 | ## <summary> | |
387 | ## Execute the master postfix program in the | |
388 | ## postfix_master domain. | |
389 | ## </summary> | |
390 | ## <param name="domain"> | |
885b83ec | 391 | ## <summary> |
288845a6 | 392 | ## Domain allowed to transition. |
885b83ec | 393 | ## </summary> |
04926d07 CP |
394 | ## </param> |
395 | # | |
396 | interface(`postfix_domtrans_master',` | |
397 | gen_require(` | |
398 | type postfix_master_t, postfix_master_exec_t; | |
399 | ') | |
400 | ||
0bfccda4 | 401 | domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) |
04926d07 CP |
402 | ') |
403 | ||
3eaa9939 DW |
404 | |
405 | ######################################## | |
406 | ## <summary> | |
407 | ## Execute the postfix init script (postfix_initrc_exec_t) in the init script domain. | |
408 | ## </summary> | |
409 | ## <param name="domain"> | |
410 | ## <summary> | |
411 | ## Domain allowed access. | |
412 | ## </summary> | |
413 | ## </param> | |
414 | # | |
8e3f53a0 | 415 | interface(`postfix_initrc_domtrans',` |
3eaa9939 DW |
416 | gen_require(` |
417 | type postfix_initrc_exec_t; | |
418 | ') | |
419 | ||
420 | init_labeled_script_domtrans($1, postfix_initrc_exec_t) | |
421 | ') | |
422 | ||
1504ff3e CP |
423 | ######################################## |
424 | ## <summary> | |
425 | ## Execute the master postfix program in the | |
426 | ## caller domain. | |
427 | ## </summary> | |
428 | ## <param name="domain"> | |
885b83ec | 429 | ## <summary> |
1504ff3e | 430 | ## Domain allowed access. |
885b83ec | 431 | ## </summary> |
1504ff3e CP |
432 | ## </param> |
433 | # | |
434 | interface(`postfix_exec_master',` | |
435 | gen_require(` | |
436 | type postfix_master_exec_t; | |
437 | ') | |
438 | ||
3f67f722 | 439 | can_exec($1, postfix_master_exec_t) |
1504ff3e CP |
440 | ') |
441 | ||
d9e4cbd2 CP |
442 | ####################################### |
443 | ## <summary> | |
444 | ## Connect to postfix master process using a unix domain stream socket. | |
445 | ## </summary> | |
446 | ## <param name="domain"> | |
447 | ## <summary> | |
448 | ## Domain allowed access. | |
449 | ## </summary> | |
450 | ## </param> | |
d9e4cbd2 CP |
451 | # |
452 | interface(`postfix_stream_connect_master',` | |
453 | gen_require(` | |
454 | type postfix_master_t, postfix_public_t; | |
455 | ') | |
456 | ||
457 | stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) | |
458 | ') | |
459 | ||
460 | ######################################## | |
f52efc83 DW |
461 | ## <summary> |
462 | ## Allow read/write postfix master pipes | |
463 | ## </summary> | |
464 | ## <param name="domain"> | |
465 | ## <summary> | |
466 | ## Domain allowed access. | |
467 | ## </summary> | |
468 | ## </param> | |
469 | # | |
470 | interface(`postfix_rw_master_pipes',` | |
471 | gen_require(` | |
472 | type postfix_master_t; | |
473 | ') | |
474 | ||
e6c1acfb | 475 | allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; |
f52efc83 DW |
476 | ') |
477 | ||
478 | ######################################## | |
d9e4cbd2 CP |
479 | ## <summary> |
480 | ## Execute the postdrop program in the | |
481 | ## postfix_postdrop domain. | |
482 | ## </summary> | |
483 | ## <param name="domain"> | |
484 | ## <summary> | |
288845a6 | 485 | ## Domain allowed to transition. |
d9e4cbd2 CP |
486 | ## </summary> |
487 | ## </param> | |
488 | # | |
489 | interface(`postfix_domtrans_postdrop',` | |
490 | gen_require(` | |
491 | type postfix_postdrop_t, postfix_postdrop_exec_t; | |
492 | ') | |
493 | ||
494 | domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) | |
495 | ') | |
496 | ||
497 | ######################################## | |
498 | ## <summary> | |
499 | ## Execute the postqueue program in the | |
500 | ## postfix_postqueue domain. | |
501 | ## </summary> | |
502 | ## <param name="domain"> | |
503 | ## <summary> | |
288845a6 | 504 | ## Domain allowed to transition. |
d9e4cbd2 CP |
505 | ## </summary> |
506 | ## </param> | |
507 | # | |
508 | interface(`postfix_domtrans_postqueue',` | |
509 | gen_require(` | |
510 | type postfix_postqueue_t, postfix_postqueue_exec_t; | |
511 | ') | |
512 | ||
513 | domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) | |
514 | ') | |
515 | ||
516 | ####################################### | |
517 | ## <summary> | |
518 | ## Execute the postqueue program in the caller domain. | |
519 | ## </summary> | |
520 | ## <param name="domain"> | |
521 | ## <summary> | |
522 | ## Domain allowed access. | |
523 | ## </summary> | |
524 | ## </param> | |
525 | # | |
48e3b84f | 526 | interface(`postfix_exec_postqueue',` |
d9e4cbd2 CP |
527 | gen_require(` |
528 | type postfix_postqueue_exec_t; | |
529 | ') | |
530 | ||
531 | can_exec($1, postfix_postqueue_exec_t) | |
532 | ') | |
533 | ||
134a799c CP |
534 | ######################################## |
535 | ## <summary> | |
536 | ## Create a named socket in a postfix private directory. | |
537 | ## </summary> | |
538 | ## <param name="domain"> | |
539 | ## <summary> | |
540 | ## Domain allowed access. | |
541 | ## </summary> | |
542 | ## </param> | |
543 | # | |
d9e4cbd2 | 544 | interface(`postfix_create_private_sockets',` |
134a799c CP |
545 | gen_require(` |
546 | type postfix_private_t; | |
547 | ') | |
548 | ||
549 | allow $1 postfix_private_t:dir list_dir_perms; | |
0bfccda4 | 550 | create_sock_files_pattern($1, postfix_private_t, postfix_private_t) |
134a799c CP |
551 | ') |
552 | ||
d9e4cbd2 CP |
553 | ######################################## |
554 | ## <summary> | |
555 | ## Manage named sockets in a postfix private directory. | |
556 | ## </summary> | |
557 | ## <param name="domain"> | |
558 | ## <summary> | |
559 | ## Domain allowed access. | |
560 | ## </summary> | |
561 | ## </param> | |
562 | # | |
563 | interface(`postfix_manage_private_sockets',` | |
564 | gen_require(` | |
565 | type postfix_private_t; | |
566 | ') | |
567 | ||
568 | allow $1 postfix_private_t:dir list_dir_perms; | |
569 | manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) | |
570 | ') | |
571 | ||
123a990b CP |
572 | ######################################## |
573 | ## <summary> | |
574 | ## Execute the postfix smtp program in the | |
575 | ## postfix_smtp domain. | |
576 | ## </summary> | |
577 | ## <param name="domain"> | |
578 | ## <summary> | |
288845a6 | 579 | ## Domain allowed to transition. |
123a990b CP |
580 | ## </summary> |
581 | ## </param> | |
582 | # | |
583 | interface(`postfix_domtrans_smtp',` | |
584 | gen_require(` | |
585 | type postfix_smtp_t, postfix_smtp_exec_t; | |
586 | ') | |
587 | ||
0bfccda4 | 588 | domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) |
123a990b CP |
589 | ') |
590 | ||
3eaa9939 DW |
591 | ######################################## |
592 | ## <summary> | |
593 | ## Getattr postfix mail spool files. | |
594 | ## </summary> | |
595 | ## <param name="domain"> | |
596 | ## <summary> | |
597 | ## Domain allowed access. | |
598 | ## </summary> | |
599 | ## </param> | |
600 | # | |
601 | interface(`postfix_getattr_spool_files',` | |
602 | gen_require(` | |
603 | attribute postfix_spool_type; | |
604 | ') | |
605 | ||
606 | files_search_spool($1) | |
607 | getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) | |
608 | ') | |
609 | ||
04926d07 CP |
610 | ######################################## |
611 | ## <summary> | |
612 | ## Search postfix mail spool directories. | |
613 | ## </summary> | |
614 | ## <param name="domain"> | |
885b83ec | 615 | ## <summary> |
04926d07 | 616 | ## Domain allowed access. |
885b83ec | 617 | ## </summary> |
04926d07 CP |
618 | ## </param> |
619 | # | |
620 | interface(`postfix_search_spool',` | |
621 | gen_require(` | |
3eaa9939 | 622 | attribute postfix_spool_type; |
04926d07 CP |
623 | ') |
624 | ||
3eaa9939 | 625 | allow $1 postfix_spool_type:dir search_dir_perms; |
04926d07 CP |
626 | files_search_spool($1) |
627 | ') | |
628 | ||
629 | ######################################## | |
630 | ## <summary> | |
631 | ## List postfix mail spool directories. | |
632 | ## </summary> | |
633 | ## <param name="domain"> | |
885b83ec | 634 | ## <summary> |
04926d07 | 635 | ## Domain allowed access. |
885b83ec | 636 | ## </summary> |
04926d07 CP |
637 | ## </param> |
638 | # | |
639 | interface(`postfix_list_spool',` | |
640 | gen_require(` | |
3eaa9939 | 641 | attribute postfix_spool_type; |
04926d07 CP |
642 | ') |
643 | ||
3eaa9939 | 644 | allow $1 postfix_spool_type:dir list_dir_perms; |
04926d07 CP |
645 | files_search_spool($1) |
646 | ') | |
fc0e8ce9 | 647 | |
134a799c CP |
648 | ######################################## |
649 | ## <summary> | |
650 | ## Read postfix mail spool files. | |
651 | ## </summary> | |
652 | ## <param name="domain"> | |
653 | ## <summary> | |
654 | ## Domain allowed access. | |
655 | ## </summary> | |
656 | ## </param> | |
657 | # | |
658 | interface(`postfix_read_spool_files',` | |
659 | gen_require(` | |
3eaa9939 | 660 | attribute postfix_spool_type; |
134a799c CP |
661 | ') |
662 | ||
663 | files_search_spool($1) | |
3eaa9939 | 664 | read_files_pattern($1, postfix_spool_type, postfix_spool_type) |
134a799c CP |
665 | ') |
666 | ||
9ff89c44 CP |
667 | ######################################## |
668 | ## <summary> | |
669 | ## Create, read, write, and delete postfix mail spool files. | |
670 | ## </summary> | |
671 | ## <param name="domain"> | |
672 | ## <summary> | |
673 | ## Domain allowed access. | |
674 | ## </summary> | |
675 | ## </param> | |
676 | # | |
677 | interface(`postfix_manage_spool_files',` | |
678 | gen_require(` | |
3eaa9939 | 679 | attribute postfix_spool_type; |
9ff89c44 CP |
680 | ') |
681 | ||
682 | files_search_spool($1) | |
3eaa9939 | 683 | manage_files_pattern($1, postfix_spool_type, postfix_spool_type) |
9ff89c44 CP |
684 | ') |
685 | ||
fc0e8ce9 CP |
686 | ######################################## |
687 | ## <summary> | |
688 | ## Execute postfix user mail programs | |
689 | ## in their respective domains. | |
690 | ## </summary> | |
691 | ## <param name="domain"> | |
885b83ec | 692 | ## <summary> |
fc0e8ce9 | 693 | ## Domain allowed access. |
885b83ec | 694 | ## </summary> |
fc0e8ce9 CP |
695 | ## </param> |
696 | # | |
697 | interface(`postfix_domtrans_user_mail_handler',` | |
698 | gen_require(` | |
699 | attribute postfix_user_domtrans; | |
700 | ') | |
701 | ||
702 | typeattribute $1 postfix_user_domtrans; | |
703 | ') | |
3eaa9939 DW |
704 | |
705 | ######################################## | |
706 | ## <summary> | |
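707 | ## All of the rules required to administrate | |
708 | ## a postfix environment. Also allows ptrace of the postfix bounce, cleanup, local, master, pickup, qmgr and smtpd domains unless the deny_ptrace tunable is enabled. | |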
709 | ## </summary> | |
710 | ## <param name="domain"> | |
711 | ## <summary> | |
712 | ## Domain allowed access. | |
713 | ## </summary> | |
714 | ## </param> | |
715 | ## <param name="role"> | |
716 | ## <summary> | |
717 | ## Role allowed access. | |
718 | ## </summary> | |
719 | ## </param> | |
55c2e0e0 | 720 | ## <rolecap/> |
3eaa9939 | 721 | # |
624f2f43 | 722 | interface(`postfix_admin',` |
3eaa9939 | 723 | gen_require(` |
8f0b7460 | 724 | attribute postfix_spool_type; |
624f2f43 DG |
725 | type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; |
726 | type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; | |
3eaa9939 | 727 | type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; |
3eaa9939 | 728 | type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; |
8f0b7460 | 729 | type postfix_smtpd_t, postfix_var_run_t; |
3eaa9939 DW |
730 | ') |
731 | ||
995bdbb1 | 732 | allow $1 postfix_bounce_t:process signal_perms; |
39e118bc | 733 | ps_process_pattern($1, postfix_bounce_t) |
995bdbb1 | 734 | tunable_policy(`deny_ptrace',`',` |
735 | allow $1 postfix_bounce_t:process ptrace; | |
736 | ') | |
3eaa9939 | 737 | |
995bdbb1 | 738 | allow $1 postfix_cleanup_t:process signal_perms; |
39e118bc | 739 | ps_process_pattern($1, postfix_cleanup_t) |
995bdbb1 | 740 | tunable_policy(`deny_ptrace',`',` |
741 | allow $1 postfix_cleanup_t:process ptrace; | |
742 | allow $1 postfix_local_t:process ptrace; | |
743 | allow $1 postfix_master_t:process ptrace; | |
744 | allow $1 postfix_pickup_t:process ptrace; | |
745 | allow $1 postfix_qmgr_t:process ptrace; | |
746 | allow $1 postfix_smtpd_t:process ptrace; | |
747 | ') | |
3eaa9939 | 748 | |
995bdbb1 | 749 | allow $1 postfix_local_t:process signal_perms; |
39e118bc | 750 | ps_process_pattern($1, postfix_local_t) |
3eaa9939 | 751 | |
995bdbb1 | 752 | allow $1 postfix_master_t:process signal_perms; |
39e118bc | 753 | ps_process_pattern($1, postfix_master_t) |
3eaa9939 | 754 | |
995bdbb1 | 755 | allow $1 postfix_pickup_t:process signal_perms; |
39e118bc | 756 | ps_process_pattern($1, postfix_pickup_t) |
3eaa9939 | 757 | |
995bdbb1 | 758 | allow $1 postfix_qmgr_t:process signal_perms; |
39e118bc | 759 | ps_process_pattern($1, postfix_qmgr_t) |
3eaa9939 | 760 | |
995bdbb1 | 761 | allow $1 postfix_smtpd_t:process signal_perms; |
39e118bc | 762 | ps_process_pattern($1, postfix_smtpd_t) |
3eaa9939 | 763 | |
2a724571 DG |
764 | postfix_run_map($1, $2) |
765 | postfix_run_postdrop($1, $2) | |
624f2f43 | 766 | |
3eaa9939 DW |
767 | postfix_initrc_domtrans($1) |
768 | domain_system_change_exemption($1) | |
769 | role_transition $2 postfix_initrc_exec_t system_r; | |
770 | allow $2 system_r; | |
771 | ||
772 | admin_pattern($1, postfix_data_t) | |
773 | ||
774 | files_list_etc($1) | |
775 | admin_pattern($1, postfix_etc_t) | |
776 | ||
61f40642 | 777 | files_list_spool($1) |
8e3f53a0 | 778 | admin_pattern($1, postfix_spool_type) |
3eaa9939 DW |
779 | |
780 | admin_pattern($1, postfix_var_run_t) | |
781 | ||
61f40642 | 782 | files_list_tmp($1) |
3eaa9939 DW |
783 | admin_pattern($1, postfix_map_tmp_t) |
784 | ||
785 | admin_pattern($1, postfix_prng_t) | |
786 | ||
787 | admin_pattern($1, postfix_public_t) | |
7dd47a9a DW |
788 | |
789 | postfix_filetrans_named_content($1) | |
3eaa9939 DW |
790 | ') |
791 | ||
792 | ######################################## | |
793 | ## <summary> | |
794 | ## Execute the postdrop program in the postfix_postdrop | |
795 | ## domain, and allow the specified role the postfix_postdrop domain. | |
796 | ## </summary> | |
797 | ## <param name="domain"> | |
798 | ## <summary> | |
8ab34f01 | 799 | ## Domain allowed to transition. |
3eaa9939 DW |
800 | ## </summary> |
801 | ## </param> | |
bc9873da MG |
802 | ## <param name="role"> |
803 | ## <summary> | |
804 | ## The role to be allowed the postfix_postdrop domain. | |
805 | ## </summary> | |
806 | ## </param> | |
55c2e0e0 | 807 | ## <rolecap/> |
3eaa9939 DW |
808 | # |
809 | interface(`postfix_run_postdrop',` | |
810 | gen_require(` | |
811 | type postfix_postdrop_t; | |
812 | ') | |
813 | ||
814 | postfix_domtrans_postdrop($1) | |
815 | role $2 types postfix_postdrop_t; | |
816 | ') | |
7dd47a9a DW |
817 | |
818 | ######################################## | |
819 | ## <summary> | |
820 | ## Transition to postfix named content | |
821 | ## </summary> | |
822 | ## <param name="domain"> | |
823 | ## <summary> | |
824 | ## Domain allowed access. | |
825 | ## </summary> | |
826 | ## </param> | |
827 | # | |
828 | interface(`postfix_filetrans_named_content',` | |
829 | gen_require(` | |
830 | type postfix_exec_t; | |
831 | type postfix_prng_t; | |
832 | ') | |
833 | ||
834 | postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script") | |
835 | postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") | |
836 | ') |