# Declarations for the Postfix policy module: one tunable, three attributes, and
# the domain and file types that the per-daemon sections further down refer to.
# NOTE(review): each line carries the line number of the page it was copied from,
# and those numbers skip values, so parts of the original are absent. The type
# declarations for postfix_etc_t, postfix_exec_t, postfix_map_t, postfix_prng_t and
# postfix_data_t are not visible, and neither is the line closing tunable_policy.
# Check against the complete file before building or auditing from this copy.
1 policy_module(postfix, 1.12.0)
3 ########################################
# The boolean below is declared with a default of false, so the mta_manage_spool
# grant it gates stays off until an administrator turns it on.
10 ## Allow postfix_local domain full write access to mail_spool directories
14 gen_tunable(allow_postfix_local_write_mail_spool, false)
# postfix_spool_type is attached to every spool type declared in this listing.
16 attribute postfix_spool_type;
17 attribute postfix_user_domains;
18 # domains that transition to the
19 # postfix user domains
20 attribute postfix_user_domtrans;
# The postfix_*_domain_template macros used from here on are defined outside this
# listing. NOTE(review): presumably each call declares the postfix_NAME_t domain and
# the postfix_NAME_exec_t entry point that later rules reference - confirm in the
# interface file.
22 postfix_server_domain_template(bounce)
24 type postfix_spool_bounce_t, postfix_spool_type;
25 files_type(postfix_spool_bounce_t)
27 postfix_server_domain_template(cleanup)
30 files_config_file(postfix_etc_t)
33 application_executable_file(postfix_exec_t)
35 postfix_server_domain_template(local)
36 mta_mailserver_delivery(postfix_local_t)
38 # Handle vacation script
39 mta_send_mail(postfix_local_t)
# Read access to user home content files for the local delivery agent.
# NOTE(review): presumably needed for per-user forwarding files - confirm.
41 userdom_read_user_home_content_files(postfix_local_t)
# Conditional grant: postfix_local_t gets manage access to the mail spool only
# while the boolean is true. The closing line of this block is not in the listing.
43 tunable_policy(`allow_postfix_local_write_mail_spool',`
44 mta_manage_spool(postfix_local_t)
47 # Program for creating database files
49 type postfix_map_exec_t;
50 application_domain(postfix_map_t, postfix_map_exec_t)
51 role system_r types postfix_map_t;
53 type postfix_map_tmp_t;
54 files_tmp_file(postfix_map_tmp_t)
56 postfix_domain_template(master)
57 typealias postfix_master_t alias postfix_t;
58 # alias is a hack to make the disable trans bool
59 # generation macro work
60 mta_mailserver(postfix_t, postfix_master_exec_t)
62 type postfix_initrc_exec_t;
63 init_script_file(postfix_initrc_exec_t)
65 postfix_server_domain_template(pickup)
67 postfix_server_domain_template(pipe)
# postdrop, postqueue and showq use the user domain template; the other daemons
# use the server domain template.
69 postfix_user_domain_template(postdrop)
70 mta_mailserver_user_agent(postfix_postdrop_t)
72 postfix_user_domain_template(postqueue)
73 mta_mailserver_user_agent(postfix_postqueue_t)
# postfix_private_t and postfix_public_t label the fifo and socket files that the
# daemons use to reach each other in the sections below.
75 type postfix_private_t;
76 files_type(postfix_private_t)
79 files_type(postfix_prng_t)
81 postfix_server_domain_template(qmgr)
83 postfix_user_domain_template(showq)
85 postfix_server_domain_template(smtp)
86 mta_mailserver_sender(postfix_smtp_t)
88 postfix_server_domain_template(smtpd)
90 type postfix_spool_t, postfix_spool_type;
91 files_type(postfix_spool_t)
93 type postfix_spool_maildrop_t, postfix_spool_type;
94 files_type(postfix_spool_maildrop_t)
96 type postfix_spool_flush_t, postfix_spool_type;
97 files_type(postfix_spool_flush_t)
99 type postfix_public_t;
100 files_type(postfix_public_t)
102 type postfix_var_run_t;
103 files_pid_file(postfix_var_run_t)
105 # the data_directory config parameter
107 files_type(postfix_data_t)
109 postfix_server_domain_template(virtual)
110 mta_mailserver_delivery(postfix_virtual_t)
112 ########################################
114 # Postfix master process local policy
# Rules for postfix_master_t, the domain of the supervising master process. It holds
# the widest grants in the module: capabilities, queue and config management,
# transitions into helper domains, and network access.
117 # chown is to set the correct ownership of queue dirs
# NOTE(review): the comment above justifies only chown. dac_override, setuid and
# setgid are the broad entries in this set; the type rules below still bound which
# objects the domain can reach with them.
118 allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
119 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
120 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
121 allow postfix_master_t self:udp_socket create_socket_perms;
122 allow postfix_master_t self:process setrlimit;
# The master domain can write to its own configuration type, so a compromise of
# this domain can alter files labelled postfix_etc_t.
124 allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
125 allow postfix_master_t postfix_etc_t:file rw_file_perms;
126 mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
# Programs labelled postfix_exec_t are executed without a domain transition here.
128 can_exec(postfix_master_t, postfix_exec_t)
130 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
131 allow postfix_master_t postfix_data_t:file manage_file_perms;
133 allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
# getattr only on the postdrop and postqueue binaries; of the two, a transition
# from the master is declared only for postqueue.
135 allow postfix_master_t postfix_postdrop_exec_t:file getattr;
137 allow postfix_master_t postfix_postqueue_exec_t:file getattr;
# The master creates and removes the fifo and socket files under the private and
# public types.
139 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
140 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
142 domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
144 allow postfix_master_t postfix_prng_t:file rw_file_perms;
146 manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
147 manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
149 domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
151 # allow access to deferred queue and allow removing bogus incoming entries
152 manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
153 manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
154 files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
# Bounce spool: directories are managed, files can only be stat-ed from this domain.
156 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
157 allow postfix_master_t postfix_spool_bounce_t:file getattr;
159 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
160 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
161 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
# Maildrop spool: delete, rename and setattr only; no read or create is granted
# to the master in this listing.
163 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
164 rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
165 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
167 kernel_read_all_sysctls(postfix_master_t)
# Network access. As named, TCP connect and TCP/UDP send and receive cover all
# ports, while TCP bind is limited to the smtp and amavisd_send port types.
# NOTE(review): connect to all ports is wider than a mail server strictly needs;
# narrowing it means enumerating the relay, lookup and content filter ports in use.
169 corenet_all_recvfrom_unlabeled(postfix_master_t)
170 corenet_all_recvfrom_netlabel(postfix_master_t)
171 corenet_tcp_sendrecv_generic_if(postfix_master_t)
172 corenet_udp_sendrecv_generic_if(postfix_master_t)
173 corenet_tcp_sendrecv_generic_node(postfix_master_t)
174 corenet_udp_sendrecv_generic_node(postfix_master_t)
175 corenet_tcp_sendrecv_all_ports(postfix_master_t)
176 corenet_udp_sendrecv_all_ports(postfix_master_t)
177 corenet_udp_bind_generic_node(postfix_master_t)
178 corenet_udp_bind_all_unreserved_ports(postfix_master_t)
# dontaudit: denied UDP binds outside the allowed set are not logged, so they will
# not show up in the audit log unless dontaudit rules are disabled.
179 corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
180 corenet_tcp_bind_generic_node(postfix_master_t)
181 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
182 corenet_tcp_bind_smtp_port(postfix_master_t)
183 corenet_tcp_connect_all_ports(postfix_master_t)
184 corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
185 corenet_sendrecv_smtp_server_packets(postfix_master_t)
186 corenet_sendrecv_all_client_packets(postfix_master_t)
189 selinux_dontaudit_search_fs(postfix_master_t)
# The master may execute the shell and generic binaries.
# NOTE(review): no transition is visible here, so they would run with the
# permissions of postfix_master_t - confirm against the corecommands interface.
191 corecmd_exec_shell(postfix_master_t)
192 corecmd_exec_bin(postfix_master_t)
194 domain_use_interactive_fds(postfix_master_t)
196 files_read_usr_files(postfix_master_t)
197 files_search_var_lib(postfix_master_t)
198 files_search_tmp(postfix_master_t)
200 term_dontaudit_search_ptys(postfix_master_t)
202 miscfiles_read_man_pages(postfix_master_t)
204 seutil_sigchld_newrole(postfix_master_t)
205 # postfix does a "find" on startup for some reason - keep it quiet
206 seutil_dontaudit_search_config(postfix_master_t)
208 mta_rw_aliases(postfix_master_t)
209 mta_read_sendmail_bin(postfix_master_t)
210 mta_getattr_spool(postfix_master_t)
# Red Hat only: manage access to the aliases files. The line closing this ifdef
# is not present in the listing.
212 ifdef(`distro_redhat',`
213 # for newer main.cf that uses /etc/aliases
214 mta_manage_aliases(postfix_master_t)
215 mta_etc_filetrans_aliases(postfix_master_t)
# Hooks into other policy modules. NOTE(review): the numbering gaps between these
# calls suggest each was wrapped in an optional_policy block whose opening and
# closing lines were dropped from the listing - confirm against the full file.
219 cyrus_stream_connect(postfix_master_t)
223 kerberos_keytab_template(postfix, postfix_t)
228 mailman_manage_data_files(postfix_master_t)
232 mysql_stream_connect(postfix_master_t)
236 postgrey_search_spool(postfix_master_t)
240 sendmail_signal(postfix_master_t)
243 ########################################
245 # Postfix bounce local policy
# Rules for postfix_bounce_t: full manage access to the general spool and the
# bounce spool, plus write access to sockets under postfix_public_t.
# dac_read_search lets the domain pass DAC read and search checks on files it
# does not own; type enforcement still limits which types it can open.
248 allow postfix_bounce_t self:capability dac_read_search;
# NOTE(review): a TCP socket is granted but no corenet rule for this domain is
# visible in this section - presumably the server template supplies network
# access; confirm whether bounce needs a TCP socket at all.
249 allow postfix_bounce_t self:tcp_socket create_socket_perms;
251 allow postfix_bounce_t postfix_public_t:sock_file write;
252 allow postfix_bounce_t postfix_public_t:dir search;
254 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
255 manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
256 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
257 files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
259 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
260 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
261 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
263 ########################################
265 # Postfix cleanup local policy
# Rules for postfix_cleanup_t: connects to the master over the private sockets,
# manages the general spool, and may only list the bounce spool directory.
268 allow postfix_cleanup_t self:process setrlimit;
270 # connect to master process
271 stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
273 rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
274 write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
276 manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
277 manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
278 manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
279 files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
281 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
# NOTE(review): cleanup handles message content taken from the queue and is also
# allowed to execute generic binaries - confirm which helper this is needed for.
283 corecmd_exec_bin(postfix_cleanup_t)
285 mta_read_aliases(postfix_cleanup_t)
# Read only access to mailman data, in contrast to the manage access given to
# the master, local and map domains elsewhere in this file.
288 mailman_read_data_files(postfix_cleanup_t)
291 ########################################
293 # Postfix local local policy
# Rules for postfix_local_t, the local delivery agent. It can run the shell and
# generic binaries and hand off to several external delivery and scanning
# domains, so it is one of the more exposed domains in the module.
296 allow postfix_local_t self:fifo_file rw_fifo_file_perms;
297 allow postfix_local_t self:process { setsched setrlimit };
299 # connect to master process
300 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
302 # for .forward - maybe we need a new type for it?
# NOTE(review): the rule that follows grants read and write on socket files under
# postfix_private_t; how that relates to .forward handling is not evident from
# this listing - a line may be missing between the comment and the rule.
303 rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
# Read and write on existing queue files only; no create or delete on the
# general spool for this domain.
305 allow postfix_local_t postfix_spool_t:file rw_file_perms;
# NOTE(review): no transition is visible on these two calls, so shell commands
# started during delivery would run as postfix_local_t - confirm.
307 corecmd_exec_shell(postfix_local_t)
308 corecmd_exec_bin(postfix_local_t)
310 files_read_etc_files(postfix_local_t)
312 logging_dontaudit_search_logs(postfix_local_t)
314 mta_read_aliases(postfix_local_t)
# Delete on the mail spool is unconditional; the wider manage access is gated by
# the allow_postfix_local_write_mail_spool boolean in the declarations section.
315 mta_delete_spool(postfix_local_t)
316 # For reading spamassassin
317 mta_read_config(postfix_local_t)
319 domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
320 # Might be a leak, but I need a postfix expert to explain
# NOTE(review): this lets postdrop read and write a unix stream socket owned by
# postfix_local_t, which fits a descriptor inherited across the transition above.
# If postdrop never uses it, a dontaudit rule would silence the denial without
# granting access - confirm with a Postfix maintainer before changing.
321 allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
# Hooks into other policy modules. NOTE(review): the numbering gaps suggest the
# optional_policy wrappers around these calls were dropped from the listing.
324 clamav_search_lib(postfix_local_t)
325 clamav_exec_clamscan(postfix_local_t)
330 mailman_manage_data_files(postfix_local_t)
331 mailman_append_log(postfix_local_t)
332 mailman_read_log(postfix_local_t)
336 nagios_search_spool(postfix_local_t)
# As named, these two move the delivery program into its own domain.
340 procmail_domtrans(postfix_local_t)
344 zarafa_deliver_domtrans(postfix_local_t)
347 ########################################
349 # Postfix map local policy
# Rules for postfix_map_t, the domain of the program that creates database files.
# It combines DAC override, manage access to postfix_etc_t and outbound network
# access to any port.
# NOTE(review): dac_override together with setuid and setgid is broad for a lookup
# table builder - confirm each is still required.
351 allow postfix_map_t self:capability { dac_override setgid setuid };
352 allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
353 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
354 allow postfix_map_t self:tcp_socket create_stream_socket_perms;
355 allow postfix_map_t self:udp_socket create_socket_perms;
# Full manage access to the Postfix configuration type, including directories
# and symlinks, so this domain can create and replace files labelled postfix_etc_t.
357 manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
358 manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
359 manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
# Temporary files and directories created by this domain get their own type.
361 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
362 manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
363 files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
365 kernel_read_kernel_sysctls(postfix_map_t)
366 kernel_dontaudit_list_proc(postfix_map_t)
367 kernel_dontaudit_read_system_state(postfix_map_t)
# Network access, client side only: no bind rule is visible for this domain, but
# connect and send/receive cover all ports.
# NOTE(review): presumably for network backed lookup tables - confirm, and narrow
# the port set if the backends in use are known.
369 corenet_all_recvfrom_unlabeled(postfix_map_t)
370 corenet_all_recvfrom_netlabel(postfix_map_t)
371 corenet_tcp_sendrecv_generic_if(postfix_map_t)
372 corenet_udp_sendrecv_generic_if(postfix_map_t)
373 corenet_tcp_sendrecv_generic_node(postfix_map_t)
374 corenet_udp_sendrecv_generic_node(postfix_map_t)
375 corenet_tcp_sendrecv_all_ports(postfix_map_t)
376 corenet_udp_sendrecv_all_ports(postfix_map_t)
377 corenet_tcp_connect_all_ports(postfix_map_t)
378 corenet_sendrecv_all_client_packets(postfix_map_t)
# As named, these allow listing and reading under the bin type; no exec call for
# this domain is visible in the section.
380 corecmd_list_bin(postfix_map_t)
381 corecmd_read_bin_symlinks(postfix_map_t)
382 corecmd_read_bin_files(postfix_map_t)
383 corecmd_read_bin_pipes(postfix_map_t)
384 corecmd_read_bin_sockets(postfix_map_t)
386 files_list_home(postfix_map_t)
387 files_read_usr_files(postfix_map_t)
388 files_read_etc_files(postfix_map_t)
389 files_read_etc_runtime_files(postfix_map_t)
390 files_dontaudit_search_var(postfix_map_t)
392 auth_use_nsswitch(postfix_map_t)
394 logging_send_syslog_msg(postfix_map_t)
396 miscfiles_read_localization(postfix_map_t)
399 locallogin_dontaudit_use_fds(postfix_map_t)
404 mailman_manage_data_files(postfix_map_t)
407 ########################################
409 # Postfix pickup local policy
# Rules for postfix_pickup_t: talks to the master over the private sockets and may
# list, read and delete files in the maildrop spool. No write or create on maildrop
# files is granted here.
412 allow postfix_pickup_t self:tcp_socket create_socket_perms;
414 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
416 rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
417 rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
# postfix_list_spool is an interface defined outside this listing.
419 postfix_list_spool(postfix_pickup_t)
421 allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
422 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
423 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
425 ########################################
427 # Postfix pipe local policy
# Rules for postfix_pipe_t, which passes mail to external programs. Most of the
# section is transitions into the domains of those programs.
430 allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
431 allow postfix_pipe_t self:process setrlimit;
# Write only access to the private sockets and public fifos.
433 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
435 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
437 rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
439 domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
# NOTE(review): generic binaries with no dedicated transition below would run as
# postfix_pipe_t - confirm against the corecommands interface.
441 corecmd_exec_bin(postfix_pipe_t)
# As named, each domtrans call moves the external program into its own domain.
# NOTE(review): the numbering gaps suggest the optional_policy wrappers around
# these calls were dropped from the listing.
444 dovecot_domtrans_deliver(postfix_pipe_t)
448 procmail_domtrans(postfix_pipe_t)
452 mailman_domtrans_queue(postfix_pipe_t)
# Manage access to the mail spool is granted here with no boolean visible on
# these lines, whereas for postfix_local_t it is gated by
# allow_postfix_local_write_mail_spool.
456 mta_manage_spool(postfix_pipe_t)
457 mta_send_mail(postfix_pipe_t)
461 spamassassin_domtrans_client(postfix_pipe_t)
462 spamassassin_kill_client(postfix_pipe_t)
466 uucp_domtrans_uux(postfix_pipe_t)
469 ########################################
471 # Postfix postdrop local policy
# Rules for postfix_postdrop_t, the domain that writes submissions into the
# maildrop spool. It is entered from postfix_local_t and postfix_pipe_t and,
# as named, from system cron.
474 # usually it does not need a UDP socket
# NOTE(review): the comment above sits on the sys_resource rule but reads as if it
# concerns the udp_socket rule two lines down, which is granted anyway together
# with UDP send and receive further below - a candidate for removal once confirmed.
475 allow postfix_postdrop_t self:capability sys_resource;
476 allow postfix_postdrop_t self:tcp_socket create;
477 allow postfix_postdrop_t self:udp_socket create_socket_perms;
479 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
481 postfix_list_spool(postfix_postdrop_t)
# Manage access is limited to files of the maildrop type.
482 manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
484 corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
485 corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
# Terminal access is denied silently, unlike postqueue and showq which are
# allowed to use all ptys and ttys.
487 term_dontaudit_use_all_ptys(postfix_postdrop_t)
488 term_dontaudit_use_all_ttys(postfix_postdrop_t)
490 mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
493 apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
497 cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
500 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
502 fstools_read_pipes(postfix_postdrop_t)
506 sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
510 uucp_manage_spool(postfix_postdrop_t)
513 #######################################
515 # Postfix postqueue local policy
# Rules for postfix_postqueue_t, the queue listing and flush helper. It connects
# to the master through the public sockets and transitions to postfix_showq_t.
# Socket creation only: no connect or bind permission is granted on these lines.
518 allow postfix_postqueue_t self:tcp_socket create;
519 allow postfix_postqueue_t self:udp_socket { create ioctl };
521 # wants to write to /var/spool/postfix/public/showq
522 stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
524 # write to /var/spool/postfix/public/qmgr
525 write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
527 domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
529 # to write the mailq output, it really should not need read access!
# NOTE(review): as the comment above says, only write should be needed, yet the
# two calls cover every pty and tty type - presumably with read as well. A write
# only interface, if one exists, would be the tighter grant; confirm.
530 term_use_all_ptys(postfix_postqueue_t)
531 term_use_all_ttys(postfix_postqueue_t)
533 init_sigchld_script(postfix_postqueue_t)
534 init_use_script_fds(postfix_postqueue_t)
537 cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
541 ppp_use_fds(postfix_postqueue_t)
542 ppp_sigchld(postfix_postqueue_t)
545 ########################################
547 # Postfix qmgr local policy
# Rules for postfix_qmgr_t, the queue manager: connects to the master over both
# the private and public sockets, manages the general spool and has read only
# access to the bounce spool.
550 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
552 rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
554 # for /var/spool/postfix/active
555 manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
556 manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
557 manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
558 files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
560 allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
561 allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
562 allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
# NOTE(review): confirm which helper the queue manager needs to execute.
564 corecmd_exec_bin(postfix_qmgr_t)
566 ########################################
568 # Postfix showq local policy
# Rules for postfix_showq_t, which lists queue contents: read only access to the
# general and maildrop spools, and use of a stream socket owned by the master.
# NOTE(review): setuid and setgid on a read only reporting domain - presumably to
# drop privileges after start; confirm.
571 allow postfix_showq_t self:capability { setuid setgid };
572 allow postfix_showq_t self:tcp_socket create_socket_perms;
574 allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
576 allow postfix_showq_t postfix_spool_t:file read_file_perms;
578 postfix_list_spool(postfix_showq_t)
580 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
581 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
582 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
584 # to write the mailq output, it really should not need read access!
# NOTE(review): same concern as stated in the comment above - the grant covers
# every pty and tty type, presumably including read; confirm whether a write only
# grant is sufficient.
585 term_use_all_ptys(postfix_showq_t)
586 term_use_all_ttys(postfix_showq_t)
588 ########################################
590 # Postfix smtp delivery local policy
# Rules for postfix_smtp_t, the outbound SMTP client. No corenet rule for this
# domain is visible in the section. NOTE(review): network access presumably comes
# from the server template or mta_mailserver_sender - confirm its port scope there.
593 # connect to master process
# NOTE(review): the comment above describes the stream_connect_pattern rule, not
# the sys_chroot capability on the next line.
594 allow postfix_smtp_t self:capability sys_chroot;
595 stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
597 allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
# Read and write on existing queue files only.
599 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
601 files_search_all_mountpoints(postfix_smtp_t)
604 cyrus_stream_connect(postfix_smtp_t)
608 milter_stream_connect_all(postfix_smtp_t)
611 ########################################
613 # Postfix smtpd local policy
# Rules for postfix_smtpd_t, the inbound SMTP server and therefore the domain that
# parses data from remote peers. The only outbound port named in this section is
# the policy server port.
# smtpd reads and writes TCP sockets owned by the master domain.
# NOTE(review): presumably the listening socket handed over by the master - confirm.
615 allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
617 # connect to master process
618 stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
620 # Connect to policy server
621 corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
624 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
625 allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
# NOTE(review): a network facing domain that may execute generic binaries -
# confirm which helper requires this and whether a transition would fit better.
627 corecmd_exec_bin(postfix_smtpd_t)
629 # for OpenSSL certificates
630 files_read_usr_files(postfix_smtpd_t)
632 # postfix checks the size of all mounted file systems
633 fs_getattr_all_dirs(postfix_smtpd_t)
634 fs_getattr_all_fs(postfix_smtpd_t)
636 mta_read_aliases(postfix_smtpd_t)
# Connections to authentication and filtering services of other modules.
# NOTE(review): the numbering gaps suggest the optional_policy wrappers around
# these calls were dropped from the listing.
639 dovecot_stream_connect_auth(postfix_smtpd_t)
643 mailman_read_data_files(postfix_smtpd_t)
647 postgrey_stream_connect(postfix_smtpd_t)
651 sasl_connect(postfix_smtpd_t)
654 ########################################
656 # Postfix virtual local policy
# Rules for postfix_virtual_t, the virtual mailbox delivery agent. It holds the
# widest file access of the delivery domains: manage on the mail spool and on
# user home directories and their content.
659 allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
660 allow postfix_virtual_t self:process { setsched setrlimit };
662 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
664 # connect to master process
665 stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
# NOTE(review): no transition is visible on these two calls, so shell commands
# would run as postfix_virtual_t, which also holds the home directory access below.
667 corecmd_exec_shell(postfix_virtual_t)
668 corecmd_exec_bin(postfix_virtual_t)
670 files_read_etc_files(postfix_virtual_t)
671 files_read_usr_files(postfix_virtual_t)
673 mta_read_aliases(postfix_virtual_t)
674 mta_delete_spool(postfix_virtual_t)
675 # For reading spamassassin
676 mta_read_config(postfix_virtual_t)
# Manage access to the mail spool with no boolean visible on this line, whereas
# for postfix_local_t it is gated by allow_postfix_local_write_mail_spool.
677 mta_manage_spool(postfix_virtual_t)
# As named, these grant manage access to user home directories and their content
# and label what this domain creates there.
# NOTE(review): nothing on these lines makes the grant conditional. Sites that
# deliver virtual mailboxes outside home directories may want it behind a tunable.
679 userdom_manage_user_home_dirs(postfix_virtual_t)
680 userdom_manage_user_home_content(postfix_virtual_t)
681 userdom_home_filetrans_user_home_dir(postfix_virtual_t)
682 userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })