
Contents of /selinux/postfix/postfix.te



Revision 1.14 - (show annotations) (download)
Thu Nov 24 11:06:59 2005 UTC (8 years, 7 months ago) by kaiowas
Branch: MAIN
CVS Tags: HEAD
Changes since 1.13: +24 -15 lines
merge with upstream

1 #DESC Postfix - Mail server
2 #
3 # Author: Russell Coker <russell@coker.com.au>
4 # X-Debian-Packages: postfix
5 # Depends: mta.te
6 #
7
# Type declarations for the Postfix policy. The attributes after each type
# name (file_type, sysadmfile, exec_type, pidfile) are declared elsewhere in
# the policy, so what they grant cannot be read off this file.
8 # Type for files created during execution of postfix.
9 type postfix_var_run_t, file_type, sysadmfile, pidfile;
10
# Separate types for configuration, executables, the public and private IPC
# directories, the queue areas and the PRNG state (roles inferred from the
# type names and from the path comments further down). Keeping them apart is
# what lets the later rules grant each Postfix program only what it touches.
11 type postfix_etc_t, file_type, sysadmfile;
12 type postfix_exec_t, file_type, exec_type;
13 type postfix_public_t, file_type, sysadmfile;
14 type postfix_private_t, file_type, sysadmfile;
15 type postfix_spool_t, file_type, sysadmfile;
16 type postfix_spool_maildrop_t, file_type, sysadmfile;
17 type postfix_spool_flush_t, file_type, sysadmfile;
18 type postfix_prng_t, file_type, sysadmfile;
19
20 # postfix needs this for newaliases
# Grants getattr on tmp_t directories only; no search or read is given here.
21 allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
22
23 #################################
24 #
25 # Rules for the postfix_$1_t domain.
26 #
27 # postfix_$1_exec_t is the type of the postfix_$1 executables.
28 #
# postfix_domain(name, attributes) is the base template. Every Postfix program
# domain in this file is built from it, either directly or through
# postfix_server_domain, postfix_public_domain or postfix_user_domain.
# The second argument is handed unchanged to daemon_core_rules, which is
# defined elsewhere in the policy.
# Reviewer note: because the template is shared, each grant below reaches
# every Postfix domain: rx_file_perms on shell_exec_t and postfix_exec_t,
# read access to proc_t and proc_net_t, read access to cert_t and to both
# random devices. Whether rx_file_perms alone is enough to run a program
# in-domain depends on how it and can_exec are defined elsewhere - confirm
# before relying on it. Narrowing one program means moving the rule out of
# this template into that program's own section.
# Comments added inside the quoted macro body must not contain m4 quote
# characters, since those would end the quoted argument early.
29 define(`postfix_domain', `
30 daemon_core_rules(postfix_$1, `$2')
31 allow postfix_$1_t self:process setpgid;
# child reports exit to the master; the master may signal the child
32 allow postfix_$1_t postfix_master_t:process sigchld;
33 allow postfix_master_t postfix_$1_t:process signal;
34
# read-only view of /etc style configuration and of the queue directory tree
35 allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
36 allow postfix_$1_t postfix_etc_t:file r_file_perms;
37 read_locale(postfix_$1_t)
38 allow postfix_$1_t etc_t:file { getattr read };
39 allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
40 allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
41 allow postfix_$1_t self:unix_stream_socket connectto;
42
43 allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
44 allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
# NOTE(review): shell_exec_t access is given to every templated domain
45 allow postfix_$1_t shell_exec_t:file rx_file_perms;
46 allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
47 allow postfix_$1_t postfix_exec_t:file rx_file_perms;
48 allow postfix_$1_t devtty_t:chr_file rw_file_perms;
49 allow postfix_$1_t etc_runtime_t:file r_file_perms;
50 allow postfix_$1_t proc_t:dir r_dir_perms;
51 allow postfix_$1_t proc_t:file r_file_perms;
52 allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
53 allow postfix_$1_t fs_t:filesystem getattr;
54 allow postfix_$1_t proc_net_t:dir search;
55 allow postfix_$1_t proc_net_t:file { getattr read };
56 can_exec(postfix_$1_t, postfix_$1_exec_t)
57 r_dir_file(postfix_$1_t, cert_t)
# random devices are readable but not writable from these domains
58 allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
59
60 allow postfix_$1_t tmp_t:dir getattr;
61
# files created under var_run_t are labelled postfix_var_run_t
# (presumed meaning of file_type_auto_trans, which is defined elsewhere)
62 file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
63
64 read_sysctl(postfix_$1_t)
65
66 ')dnl end postfix_domain
67
# Emitted only when the crond.te symbol is defined (presumably set by the
# policy build when that file is included).
# NOTE(review): read and write on a crond_t tcp_socket looks like use of an
# inherited descriptor; create on a socket labelled with another domain is
# unusual - confirm it is required.
68 ifdef(`crond.te',
69 `allow system_mail_t crond_t:tcp_socket { read write create };')
70
# Instantiate the master daemon domain and pass the mail_server_domain
# attribute through to daemon_core_rules.
71 postfix_domain(master, `, mail_server_domain')
72 rhgb_domain(postfix_master_t)
73
74 # for a find command
# dontaudit leaves the access denied but suppresses the audit record, so this
# denial will not show up when reviewing AVC logs.
75 dontaudit postfix_master_t security_t:dir search;
76
# read_sysctl is also applied to every domain inside postfix_domain.
77 read_sysctl(postfix_master_t)
78
# Init scripts (initrc_t) enter postfix_master_t when they run the master
# executable. noatsecure means the new program is not started in
# secure-execution mode, so the caller environment is not sanitised across
# the transition; siginh and rlimitinh let signal state and resource limits
# carry over as well.
79 domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
80 allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
81
# With direct_sysadm_daemon defined, an administrator session (sysadm_t) can
# start the master directly and the role switches to system_r. The same three
# inheritance permissions then apply to an interactive session, so the
# administrator environment is carried into the daemon. This branch also
# gives the master rw_file_perms on postfix_etc_t files and adds transitions
# from sysadm_mail_t and, when pppd.te is present, from pppd_t.
82 ifdef(`direct_sysadm_daemon', `
83
84 domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
85 allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
86 role_transition sysadm_r postfix_master_exec_t system_r;
87 allow postfix_master_t postfix_etc_t:file rw_file_perms;
88 dontaudit postfix_master_t admin_tty_type:chr_file { read write };
89 allow postfix_master_t devpts_t:dir search;
90
91 domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
92 allow system_mail_t sysadm_t:process sigchld;
93 allow system_mail_t privfd:fd use;
94
95 ifdef(`pppd.te', `
96 domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
97 ')
98 ')dnl end direct_sysadm_daemon
99
# Remaining rules for the master daemon domain (postfix_master_t).
100 allow postfix_master_t privfd:fd use;
101 ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
102 allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
103
104 # postfix does a "find" on startup for some reason - keep it quiet
105 dontaudit postfix_master_t selinux_config_t:dir search;
106 can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
107 ifdef(`distro_redhat', `
108 # compatibility for old default main.cf
109 file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
110 # for newer main.cf that uses /etc/aliases
111 file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
112 ')
113 file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
114 allow postfix_master_t sendmail_exec_t:file r_file_perms;
115 allow postfix_master_t sbin_t:lnk_file { getattr read };
116
# The master may run ls, sbin_t and bin_t programs, the shell and the
# postfix_exec_t helpers through can_exec (presumably without leaving
# postfix_master_t - confirm against the macro definition).
117 can_exec(postfix_master_t, { ls_exec_t sbin_t })
118 allow postfix_master_t self:fifo_file rw_file_perms;
119 allow postfix_master_t usr_t:file r_file_perms;
120 can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
121 # chown is to set the correct ownership of queue dirs
# Only chown is justified above. The rest of the set is broad: dac_override
# bypasses file permission checks, setuid and setgid change identity,
# net_bind_service allows binding privileged ports (see the smtp_port_t
# name_bind rule below), plus kill and sys_tty_config.
122 allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
123 allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
124 allow postfix_master_t postfix_public_t:sock_file create_file_perms;
125 allow postfix_master_t postfix_public_t:dir rw_dir_perms;
126 allow postfix_master_t postfix_private_t:dir rw_dir_perms;
127 allow postfix_master_t postfix_private_t:sock_file create_file_perms;
128 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
129 can_network(postfix_master_t)
# name_connect is granted on the port_type attribute rather than on specific
# port types, so outbound TCP connections are not limited by port label
# (assuming port_type covers all port types - confirm). Binding is limited
# to smtp_port_t.
130 allow postfix_master_t port_type:tcp_socket name_connect;
131 can_ypbind(postfix_master_t)
132 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
133 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
134 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
# presumably already covered by the rw_file_perms rule on postfix_prng_t below
135 allow postfix_master_t postfix_prng_t:file getattr;
# duplicate of the identical privfd rule at the top of this section
136 allow postfix_master_t privfd:fd use;
137 allow postfix_master_t etc_aliases_t:file rw_file_perms;
138 allow postfix_master_t var_lib_t:dir search;
139
# These rules are for postfix_smtpd_t, which is only instantiated further
# down by postfix_server_domain(smtpd). They let smtpd reach the saslauthd
# socket when saslauthd.te is part of the build.
140 ifdef(`saslauthd.te',`
141 allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
142 allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
143 can_unix_connect(postfix_smtpd_t,saslauthd_t)
144 ')
145
146 create_dir_file(postfix_master_t, postfix_spool_flush_t)
147 allow postfix_master_t postfix_prng_t:file rw_file_perms;
148 # for ls to get the current context
149 allow postfix_master_t self:file { getattr read };
150
151 # allow access to deferred queue and allow removing bogus incoming entries
152 allow postfix_master_t postfix_spool_t:dir create_dir_perms;
153 allow postfix_master_t postfix_spool_t:file create_file_perms;
154
155 dontaudit postfix_master_t man_t:dir search;
156
# postfix_server_domain(name, attributes): template for daemons started by
# the master. It builds on postfix_domain and adds the automatic transition
# from postfix_master_t on executing postfix_<name>_exec_t.
# Reviewer note: every domain created here (smtp, smtpd, local, and through
# postfix_public_domain also cleanup, pickup, qmgr, bounce and pipe) receives
# the setuid, setgid and dac_override capabilities, network client access and
# name_connect on the port_type attribute, whether or not that program talks
# to the network. The connectto grant on the master unix_stream_socket is
# given here too, so the per-domain connectto rules repeated later in the
# file add nothing for these domains.
157 define(`postfix_server_domain', `
158 postfix_domain($1, `$2')
159 domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
160 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
161 allow postfix_$1_t self:capability { setuid setgid dac_override };
162 can_network_client(postfix_$1_t)
163 allow postfix_$1_t port_type:tcp_socket name_connect;
164 can_ypbind(postfix_$1_t)
165 ')
166
# Outbound SMTP client domain, tagged mail_server_sender.
167 postfix_server_domain(smtp, `, mail_server_sender')
168 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
# may search both IPC directories and write to the sockets in them
169 allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
170 allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
# already granted by postfix_server_domain
171 allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
172 # if you have two different mail servers on the same host let them talk via
173 # SMTP, also if one mail server wants to talk to itself then allow it and let
174 # the SMTP protocol sort it out (SE Linux is not to prevent mail server
175 # misconfiguration)
176 can_tcp_connect(postfix_smtp_t, mail_server_domain)
177
# Inbound SMTP server domain. This is the program that parses data from
# remote peers, so the grants in this section deserve the closest review.
178 postfix_server_domain(smtpd)
# read and write on tcp sockets labelled postfix_master_t; presumably the
# listening socket is created by the master and handed to smtpd - confirm
179 allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
180 allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
181 allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
# already granted by postfix_server_domain
182 allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
183 # for OpenSSL certificates
# NOTE(review): this opens all usr_t directories and files for reading, not
# only certificates; postfix_domain already grants read access to cert_t.
184 r_dir_file(postfix_smtpd_t,usr_t)
185 allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
186 allow postfix_smtpd_t self:file { getattr read };
187
188 # for prng_exch
# the grant is on every postfix_spool_t file, not only the PRNG exchange file
189 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
190
# both the SMTP client and server may read and update the PRNG state file
191 allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
192
# Local delivery agent domain, tagged mta_delivery_agent.
193 postfix_server_domain(local, `, mta_delivery_agent')
# When procmail.te is present, running procmail moves to procmail_t. The two
# dontaudit rules silence denials for descriptors that procmail inherits from
# postfix_local_t and the master; access stays denied, only the audit record
# is dropped.
194 ifdef(`procmail.te', `
195 domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
196 # for a bug in the postfix local program
197 dontaudit procmail_t postfix_local_t:tcp_socket { read write };
198 dontaudit procmail_t postfix_master_t:fd use;
199 ')
200 allow postfix_local_t etc_aliases_t:file r_file_perms;
201 allow postfix_local_t self:fifo_file rw_file_perms;
202 allow postfix_local_t self:process { setsched setrlimit };
203 allow postfix_local_t postfix_spool_t:file rw_file_perms;
204 # for .forward - maybe we need a new type for it?
205 allow postfix_local_t postfix_private_t:dir search;
206 allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
# already granted by postfix_server_domain
207 allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
208 allow postfix_local_t postfix_public_t:dir search;
209 allow postfix_local_t postfix_public_t:sock_file write;
210 tmp_domain(postfix_local)
# NOTE(review): the shell and bin_t programs run through can_exec, which
# presumably keeps them in postfix_local_t with its setuid, setgid and
# dac_override capabilities rather than moving them to a narrower domain.
# Commands reached from aliases or forward files would inherit that - confirm.
211 can_exec(postfix_local_t,{ shell_exec_t bin_t })
212 ifdef(`spamc.te', `
213 can_exec(postfix_local_t, spamc_exec_t)
214 ')
# removal only: no rule here lets postfix_local_t create or write mail_spool_t
215 allow postfix_local_t mail_spool_t:dir { remove_name };
216 allow postfix_local_t mail_spool_t:file { unlink };
217 # For reading spamassassin
218 #r_dir_file(postfix_local_t, etc_mail_t)
219
# postfix_public_domain(name): a server domain that may additionally search
# the postfix_public_t directory. It calls postfix_server_domain with one
# argument only, so no extra attributes are passed on, and it inherits all
# capability and network grants of that template.
220 define(`postfix_public_domain',`
221 postfix_server_domain($1)
222 allow postfix_$1_t postfix_public_t:dir search;
223 ')
224
# cleanup daemon domain: may create and manage directories and files in the
# main spool (presumed meaning of create_dir_file, defined elsewhere).
225 postfix_public_domain(cleanup)
226 create_dir_file(postfix_cleanup_t, postfix_spool_t)
227 allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
228 allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
229 allow postfix_cleanup_t postfix_private_t:dir search;
230 allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
# already granted by postfix_server_domain
231 allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
# postfix_spool_bounce_t is declared further down, in the bounce section
232 allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
233 allow postfix_cleanup_t self:process setrlimit;
234
# Rules for the user_mail_domain attribute (declared elsewhere): read access
# to the spool directory listing and to the Postfix configuration.
235 allow user_mail_domain postfix_spool_t:dir r_dir_perms;
236 allow user_mail_domain postfix_etc_t:dir r_dir_perms;
237 allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
# NOTE(review): dac_override for every user mail domain lets those programs
# bypass file permission checks; no reason is recorded here.
238 allow user_mail_domain self:capability dac_override;
239
# postfix_user_domain(name, attributes): template for helpers that are started
# from a user mail domain rather than by the master. It builds on
# postfix_domain, adds the transition from user_mail_domain, admits the new
# domain to the user roles and to sysadm_r, and lets it use descriptors and
# fifos inherited from the calling user domain.
# Reviewer note: each helper built here also gets dac_override, so it is not
# constrained by ordinary file permissions while handling user input.
240 define(`postfix_user_domain', `
241 postfix_domain($1, `$2')
242 domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
243 in_user_role(postfix_$1_t)
244 role sysadm_r types postfix_$1_t;
245 allow postfix_$1_t userdomain:process sigchld;
246 allow postfix_$1_t userdomain:fifo_file { write getattr };
247 allow postfix_$1_t { userdomain privfd }:fd use;
248 allow postfix_$1_t self:capability dac_override;
249 ')
250
# postqueue helper domain. Reachable from user mail domains through the
# template and, by the explicit transition below, from the master.
251 postfix_user_domain(postqueue)
252 allow postfix_postqueue_t postfix_public_t:dir search;
253 allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
# sockets may be created but no connect, bind or send permission is added here
254 allow postfix_postqueue_t self:udp_socket { create ioctl };
255 allow postfix_postqueue_t self:tcp_socket create;
256 allow postfix_master_t postfix_postqueue_exec_t:file getattr;
257 domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
258 allow postfix_postqueue_t initrc_t:process sigchld;
259 allow postfix_postqueue_t initrc_t:fd use;
260
261 # to write the mailq output, it really should not need read access!
# ptyfile and ttyfile are attributes, so this covers every terminal type that
# carries them, including read access the comment above calls unnecessary
262 allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
263 ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
264
265 # wants to write to /var/spool/postfix/public/showq
266 allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
# needed here: postfix_user_domain does not grant connectto on the master
267 allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
268 # write to /var/spool/postfix/public/qmgr
269 allow postfix_postqueue_t postfix_public_t:fifo_file write;
270 dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
271
# showq domain. Built from the user template but also entered from the master
# and from postqueue through the explicit transitions below.
272 postfix_user_domain(showq)
273 # the following auto_trans is usually in postfix server domain
274 domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
275 can_resolve(postfix_showq_t)
# read-only view of the maildrop queue
276 r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
277 domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
278 allow postfix_showq_t self:capability { setuid setgid };
# accepts connections on a unix socket labelled postfix_master_t
279 allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
# queue files are readable but not writable from this domain
280 allow postfix_showq_t postfix_spool_t:file r_file_perms;
281 allow postfix_showq_t self:tcp_socket create_socket_perms;
282 allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
283 dontaudit postfix_showq_t net_conf_t:file r_file_perms;
284
# postdrop domain, tagged mta_user_agent. It takes input from user mail
# domains and writes into the maildrop queue, so it sits on the boundary
# between unprivileged users and the mail system.
285 postfix_user_domain(postdrop, `, mta_user_agent')
286 can_resolve(postfix_postdrop_t)
287 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
288 allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
289 allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
290 allow postfix_postdrop_t postfix_public_t:dir search;
291 allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
# terminal and resolver config access stays denied; only the audit is dropped
292 dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
293 dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
294 allow postfix_master_t postfix_postdrop_exec_t:file getattr;
# descriptors and fifos inherited when mail is submitted from cron jobs
# (presumed purpose; only emitted when the crond.te symbol is defined)
295 ifdef(`crond.te',
296 `allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
297 allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
298 # usually it does not need a UDP socket
299 allow postfix_postdrop_t self:udp_socket create_socket_perms;
# NOTE(review): sys_resource lets the process exceed resource limits; the
# reason is not recorded here - confirm it is still needed
300 allow postfix_postdrop_t self:capability sys_resource;
301 allow postfix_postdrop_t self:tcp_socket create;
302
# pickup daemon domain: reads entries from the maildrop queue and removes
# them. It has no write permission on maildrop files, only read and unlink.
303 postfix_public_domain(pickup)
304 allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
305 allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
306 allow postfix_pickup_t postfix_private_t:dir search;
307 allow postfix_pickup_t postfix_private_t:sock_file write;
# already granted by postfix_server_domain
308 allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
309 allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
310 allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
311 allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
312 allow postfix_pickup_t self:tcp_socket create_socket_perms;
313
# Queue manager domain.
314 postfix_public_domain(qmgr)
315 allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
316 allow postfix_qmgr_t postfix_public_t:sock_file write;
317 allow postfix_qmgr_t postfix_private_t:dir search;
318 allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
# already granted by postfix_server_domain
319 allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
320
321 # for /var/spool/postfix/active
# the grant covers every postfix_spool_t directory and file, not only active
322 create_dir_file(postfix_qmgr_t, postfix_spool_t)
323
# bounce daemon domain and its dedicated spool type. The type is declared
# here although the cleanup section earlier in the file already refers to it.
324 postfix_public_domain(bounce)
325 type postfix_spool_bounce_t, file_type, sysadmfile;
326 create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
327 create_dir_file(postfix_bounce_t, postfix_spool_t)
328 allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
329 allow postfix_master_t postfix_spool_bounce_t:file getattr;
# dac_read_search comes on top of the dac_override that postfix_server_domain
# already gives this domain
330 allow postfix_bounce_t self:capability dac_read_search;
331 allow postfix_bounce_t postfix_public_t:sock_file write;
332 allow postfix_bounce_t self:tcp_socket create_socket_perms;
333
# the queue manager gets read-only access to the bounce spool
334 r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
335
# pipe delivery domain: hands queue files to external commands.
336 postfix_public_domain(pipe)
337 allow postfix_pipe_t postfix_spool_t:dir search;
338 allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
339 allow postfix_pipe_t self:fifo_file { read write };
340 allow postfix_pipe_t postfix_private_t:dir search;
341 allow postfix_pipe_t postfix_private_t:sock_file write;
# procmail is the only external program given its own transition here
342 ifdef(`procmail.te', `
343 domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
344 ')
# When sendmail.te is present, sendmail_t may read the Postfix configuration
# and search the spool directory.
345 ifdef(`sendmail.te', `
346 r_dir_file(sendmail_t, postfix_etc_t)
347 allow sendmail_t postfix_spool_t:dir search;
348 ')
349
350 # Program for creating database files
# Built with application_domain instead of the Postfix templates above, so it
# shares none of the postfix_domain grants.
351 application_domain(postfix_map)
352 base_file_read_access(postfix_map_t)
353 allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
354 tmp_domain(postfix_map)
# The tool may create and manage directories and files labelled postfix_etc_t
# (presumed meaning of create_dir_file). The lookup tables it writes therefore
# carry the same label as the rest of the Postfix configuration.
355 create_dir_file(postfix_map_t, postfix_etc_t)
356 allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
357 dontaudit postfix_map_t proc_t:dir { getattr read search };
358 dontaudit postfix_map_t local_login_t:fd use;
359 allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
360 read_locale(postfix_map_t)
361 allow postfix_map_t self:capability setgid;
362 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
363 dontaudit postfix_map_t var_t:dir search;
# NOTE(review): server-side network access plus name_connect on the port_type
# attribute is broad for a table-building tool; the reason is not recorded
# here - confirm which lookups need it
364 can_network_server(postfix_map_t)
365 allow postfix_map_t port_type:tcp_socket name_connect;
