diff options
Diffstat (limited to 'policy/modules/contrib/postfix.if')
-rw-r--r-- | policy/modules/contrib/postfix.if | 757 |
1 files changed, 0 insertions, 757 deletions
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if deleted file mode 100644 index 6e26d71a..00000000 --- a/policy/modules/contrib/postfix.if +++ /dev/null @@ -1,757 +0,0 @@ -## <summary>Postfix email server.</summary> - -######################################## -## <summary> -## Postfix stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_stub',` - gen_require(` - type postfix_master_t; - ') -') - -####################################### -## <summary> -## The template to define a postfix domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`postfix_domain_template',` - gen_require(` - attribute postfix_domain; - ') - - ######################################## - # - # Declarations - # - - type postfix_$1_t, postfix_domain; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - - ######################################## - # - # Policy - # - - can_exec(postfix_$1_t, postfix_$1_exec_t) - - auth_use_nsswitch(postfix_$1_t) -') - -####################################### -## <summary> -## The template to define a postfix server domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`postfix_server_domain_template',` - gen_require(` - attribute postfix_server_domain, postfix_server_tmp_content; - ') - - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_server_domain; - - type postfix_$1_tmp_t, postfix_server_tmp_content; - files_tmp_file(postfix_$1_tmp_t) - - ######################################## - # - # Declarations - # - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) -') - -####################################### -## <summary> -## The template to define a postfix user domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`postfix_user_domain_template',` - gen_require(` - attribute postfix_user_domains, postfix_user_domtrans; - ') - - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - - ######################################## - # - # Policy - # - - allow postfix_$1_t self:capability dac_override; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) -') - -######################################## -## <summary> -## Read postfix configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_read_config',` - gen_require(` - type postfix_etc_t; - ') - - files_search_etc($1) - allow $1 postfix_etc_t:dir list_dir_perms; - allow $1 postfix_etc_t:file read_file_perms; - allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Create specified object in postfix -## etc directories with a type transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`postfix_config_filetrans',` - gen_require(` - type postfix_etc_t; - ') - - filetrans_pattern($1, postfix_etc_t, $2, $3, $4) -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write postfix local delivery -## TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`postfix_dontaudit_rw_local_tcp_sockets',` - gen_require(` - type postfix_local_t; - ') - - dontaudit $1 postfix_local_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Read and write postfix local pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_rw_local_pipes',` - gen_require(` - type postfix_local_t; - ') - - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Read postfix local process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_read_local_state',` - gen_require(` - type postfix_local_t; - ') - - kernel_search_proc($1) - allow $1 postfix_local_t:dir list_dir_perms; - allow $1 postfix_local_t:file read_file_perms; - allow $1 postfix_local_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Read and write inherited postfix master pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_rw_inherited_master_pipes',` - gen_require(` - type postfix_master_t; - ') - - allow $1 postfix_master_t:fd use; - allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; -') - -######################################## -## <summary> -## Read postfix master process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_read_master_state',` - gen_require(` - type postfix_master_t; - ') - - kernel_search_proc($1) - allow $1 postfix_master_t:dir list_dir_perms; - allow $1 postfix_master_t:file read_file_perms; - allow $1 postfix_master_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Use postfix master file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_use_fds_master',` - gen_require(` - type postfix_master_t; - ') - - allow $1 postfix_master_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to use -## postfix master process file -## file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`postfix_dontaudit_use_fds',` - gen_require(` - type postfix_master_t; - ') - - dontaudit $1 postfix_master_t:fd use; -') - -######################################## -## <summary> -## Execute postfix_map in the postfix_map domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_map',` - gen_require(` - type postfix_map_t, postfix_map_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) -') - -######################################## -## <summary> -## Execute postfix map in the postfix -## map domain, and allow the specified -## role the postfix_map domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_run_map',` - gen_require(` - attribute_role postfix_map_roles; - ') - - postfix_domtrans_map($1) - roleattribute $2 postfix_map_roles; -') - -######################################## -## <summary> -## Execute the master postfix program -## in the postfix_master domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_master',` - gen_require(` - type postfix_master_t, postfix_master_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) -') - -######################################## -## <summary> -## Execute the master postfix program -## in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_exec_master',` - gen_require(` - type postfix_master_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, postfix_master_exec_t) -') - -####################################### -## <summary> -## Connect to postfix master process -## using a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_stream_connect_master',` - gen_require(` - type postfix_master_t, postfix_public_t; - ') - - stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) -') - -######################################## -## <summary> -## Read and write postfix master -## unnamed pipes. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_rw_master_pipes',` - refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.') - postfix_rw_inherited_master_pipes($1) -') - -######################################## -## <summary> -## Execute the master postdrop in the -## postfix postdrop domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_postdrop',` - gen_require(` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) -') - -######################################## -## <summary> -## Execute the master postqueue in the -## postfix postqueue domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_postqueue',` - gen_require(` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) -') - -####################################### -## <summary> -## Execute the master postqueue in -## the caller domain. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`posftix_exec_postqueue',` - refpolicywarn(`$0($*) has been deprecated.') - postfix_exec_postqueue($1) -') - -####################################### -## <summary> -## Execute postfix postqueue in -## the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_exec_postqueue',` - gen_require(` - type postfix_postqueue_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, postfix_postqueue_exec_t) -') - -######################################## -## <summary> -## Create postfix private sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_create_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## postfix private sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_manage_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## <summary> -## Execute the smtp postfix program -## in the postfix smtp domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_smtp',` - gen_require(` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) -') - -######################################## -## <summary> -## Get attributes of all postfix mail -## spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_getattr_all_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') - - files_search_spool($1) - getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) -') - -######################################## -## <summary> -## Search postfix mail spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_search_spool',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - allow $1 postfix_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## List postfix mail spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_list_spool',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - allow $1 postfix_spool_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Read postfix mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_read_spool_files',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## postfix mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_manage_spool_files',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -') - -######################################## -## <summary> -## Execute postfix user mail programs -## in their respective domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_domtrans_user_mail_handler',` - gen_require(` - attribute postfix_user_domtrans; - ') - - typeattribute $1 postfix_user_domtrans; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an postfix environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_admin',` - gen_require(` - attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; - type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; - type postfix_data_t, postfix_var_run_t, postfix_public_t; - type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; - ') - - allow $1 postfix_domain:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_domain) - - init_labeled_script_domtrans($1, postfix_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postfix_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t }) - - files_search_spool($1) - admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) - - files_search_var_lib($1) - admin_pattern($1, postfix_data_t) - - files_search_pids($1) - admin_pattern($1, postfix_var_run_t) - - files_search_tmp($1) - admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) - - postfix_exec_master($1) - postfix_exec_postqueue($1) - postfix_stream_connect_master($1) - postfix_run_map($1, $2) - - ifdef(`distro_gentoo',` - gen_require(` - type postfix_showq_exec_t; - type postfix_postqueue_t; - ') - - allow postfix_postqueue_t $1:process sigchld; - - can_exec($1, postfix_showq_exec_t) - ') -') |