Allow init to run postfix aliases.db file and read /etc/aliases file
authorDan Walsh <dwalsh@redhat.com>
Fri, 11 Nov 2011 22:09:54 +0000 (17:09 -0500)
committerDan Walsh <dwalsh@redhat.com>
Fri, 11 Nov 2011 22:09:54 +0000 (17:09 -0500)
policy/modules/services/postfix.if
policy/modules/system/init.te

index e50a72cbcec4a28729593622b06d23f04323ddf0..2216f6ae8a670db24599f1887def5efb85344fe1 100644 (file)
@@ -815,6 +815,24 @@ interface(`postfix_run_postdrop',`
        role $2 types postfix_postdrop_t;
 ')
 
+########################################
+## <summary>
+##     Execute postfix exec in the users domain
+## </summary>
+## <param name="domain">
+##     <summary>
+##      Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`postfix_exec',`
+       gen_require(`
+               type postfix_exec_t;
+       ')
+
+       can_exec($1, postfix_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Transition to postfix named content
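Review bot: The summary on the new `postfix_exec` interface, "Execute postfix exec in the users domain", does not say what is granted: `can_exec($1, postfix_exec_t)` lets whatever domain is passed as `$1` execute files labeled `postfix_exec_t` without a domain transition, so the program runs with the caller's own permissions. I would reword it to `##     Execute files labeled postfix_exec_t in the caller domain, without a domain transition.` so that authors of calling modules see the least-privilege implication. Which binaries carry `postfix_exec_t` is not visible in this hunk, so the comment should name the label rather than a specific program. The interface is fully contained in the hunk.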
index f44bdae867d101105a2ec767a83683bf66614f7f..5ee6a57658bb95b249a2482cf426e250039828a2 100644 (file)
@@ -257,6 +257,11 @@ optional_policy(`
        modutils_domtrans_insmod(init_t)
 ')
 
+optional_policy(`
+       postfix_exec(init_t)
+       mta_read_aliases(init_t)
+')
+
 tunable_policy(`init_systemd',`
        allow init_t self:unix_dgram_socket { create_socket_perms sendto };
        allow init_t self:process { setsockcreate setfscreate setrlimit };
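Review bot: The added `postfix_exec(init_t)` lets init run postfix executables inside `init_t` itself rather than in a confined postfix domain, so that code inherits everything `init_t` is allowed to do. The commit title indicates the intent is only to rebuild aliases.db, so a transition interface into a confined domain would fit least privilege better, if one exists for that helper. If the no-transition exec is kept, the block needs a why-comment, for example `# init runs the postfix alias rebuild directly; no transition, executes as init_t`. Both calls also share one `optional_policy` block, so presumably the whole block is dropped if either the postfix or the mta module is absent; confirm that is intended. The `tunable_policy` block that follows continues outside the hunk.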