Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/postfix.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/postfix.if')
-rw-r--r--policy/modules/contrib/postfix.if757
1 files changed, 0 insertions, 757 deletions
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
deleted file mode 100644
index 6e26d71a..00000000
--- a/policy/modules/contrib/postfix.if
+++ /dev/null
@@ -1,757 +0,0 @@
-## <summary>Postfix email server.</summary>
-
-########################################
-## <summary>
-## Postfix stub interface. No access allowed.
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_stub',`
- gen_require(`
- type postfix_master_t;
- ')
-')
-
-#######################################
-## <summary>
-## The template to define a postfix domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`postfix_domain_template',`
- gen_require(`
- attribute postfix_domain;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type postfix_$1_t, postfix_domain;
- type postfix_$1_exec_t;
- domain_type(postfix_$1_t)
- domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
- role system_r types postfix_$1_t;
-
- ########################################
- #
- # Policy
- #
-
- can_exec(postfix_$1_t, postfix_$1_exec_t)
-
- auth_use_nsswitch(postfix_$1_t)
-')
-
-#######################################
-## <summary>
-## The template to define a postfix server domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`postfix_server_domain_template',`
- gen_require(`
- attribute postfix_server_domain, postfix_server_tmp_content;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- postfix_domain_template($1)
-
- typeattribute postfix_$1_t postfix_server_domain;
-
- type postfix_$1_tmp_t, postfix_server_tmp_content;
- files_tmp_file(postfix_$1_tmp_t)
-
- ########################################
- #
- # Declarations
- #
-
- manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
- manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
- files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
-
- domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-')
-
-#######################################
-## <summary>
-## The template to define a postfix user domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`postfix_user_domain_template',`
- gen_require(`
- attribute postfix_user_domains, postfix_user_domtrans;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- postfix_domain_template($1)
-
- typeattribute postfix_$1_t postfix_user_domains;
-
- ########################################
- #
- # Policy
- #
-
- allow postfix_$1_t self:capability dac_override;
-
- domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
-
- domain_use_interactive_fds(postfix_$1_t)
-')
-
-########################################
-## <summary>
-## Read postfix configuration content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`postfix_read_config',`
- gen_require(`
- type postfix_etc_t;
- ')
-
- files_search_etc($1)
- allow $1 postfix_etc_t:dir list_dir_perms;
- allow $1 postfix_etc_t:file read_file_perms;
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Create specified object in postfix
-## etc directories with a type transition.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`postfix_config_filetrans',`
- gen_require(`
- type postfix_etc_t;
- ')
-
- filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and
-## write postfix local delivery
-## TCP sockets.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`postfix_dontaudit_rw_local_tcp_sockets',`
- gen_require(`
- type postfix_local_t;
- ')
-
- dontaudit $1 postfix_local_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-## Read and write postfix local pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_rw_local_pipes',`
- gen_require(`
- type postfix_local_t;
- ')
-
- allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Read postfix local process state files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_read_local_state',`
- gen_require(`
- type postfix_local_t;
- ')
-
- kernel_search_proc($1)
- allow $1 postfix_local_t:dir list_dir_perms;
- allow $1 postfix_local_t:file read_file_perms;
- allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Read and write inherited postfix master pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_rw_inherited_master_pipes',`
- gen_require(`
- type postfix_master_t;
- ')
-
- allow $1 postfix_master_t:fd use;
- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
-')
-
-########################################
-## <summary>
-## Read postfix master process state files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_read_master_state',`
- gen_require(`
- type postfix_master_t;
- ')
-
- kernel_search_proc($1)
- allow $1 postfix_master_t:dir list_dir_perms;
- allow $1 postfix_master_t:file read_file_perms;
- allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Use postfix master file descriptors.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_use_fds_master',`
- gen_require(`
- type postfix_master_t;
- ')
-
- allow $1 postfix_master_t:fd use;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to use
-## postfix master process file
-## file descriptors.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`postfix_dontaudit_use_fds',`
- gen_require(`
- type postfix_master_t;
- ')
-
- dontaudit $1 postfix_master_t:fd use;
-')
-
-########################################
-## <summary>
-## Execute postfix_map in the postfix_map domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`postfix_domtrans_map',`
- gen_require(`
- type postfix_map_t, postfix_map_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
-')
-
-########################################
-## <summary>
-## Execute postfix map in the postfix
-## map domain, and allow the specified
-## role the postfix_map domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`postfix_run_map',`
- gen_require(`
- attribute_role postfix_map_roles;
- ')
-
- postfix_domtrans_map($1)
- roleattribute $2 postfix_map_roles;
-')
-
-########################################
-## <summary>
-## Execute the master postfix program
-## in the postfix_master domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`postfix_domtrans_master',`
- gen_require(`
- type postfix_master_t, postfix_master_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
-')
-
-########################################
-## <summary>
-## Execute the master postfix program
-## in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_exec_master',`
- gen_require(`
- type postfix_master_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, postfix_master_exec_t)
-')
-
-#######################################
-## <summary>
-## Connect to postfix master process
-## using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`postfix_stream_connect_master',`
- gen_require(`
- type postfix_master_t, postfix_public_t;
- ')
-
- stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
-')
-
-########################################
-## <summary>
-## Read and write postfix master
-## unnamed pipes. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_rw_master_pipes',`
- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
- postfix_rw_inherited_master_pipes($1)
-')
-
-########################################
-## <summary>
-## Execute the master postdrop in the
-## postfix postdrop domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`postfix_domtrans_postdrop',`
- gen_require(`
- type postfix_postdrop_t, postfix_postdrop_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
-')
-
-########################################
-## <summary>
-## Execute the master postqueue in the
-## postfix postqueue domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`postfix_domtrans_postqueue',`
- gen_require(`
- type postfix_postqueue_t, postfix_postqueue_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
-')
-
-#######################################
-## <summary>
-## Execute the master postqueue in
-## the caller domain. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`posftix_exec_postqueue',`
- refpolicywarn(`$0($*) has been deprecated.')
- postfix_exec_postqueue($1)
-')
-
-#######################################
-## <summary>
-## Execute postfix postqueue in
-## the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_exec_postqueue',`
- gen_require(`
- type postfix_postqueue_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, postfix_postqueue_exec_t)
-')
-
-########################################
-## <summary>
-## Create postfix private sock files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_create_private_sockets',`
- gen_require(`
- type postfix_private_t;
- ')
-
- create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## postfix private sock files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_manage_private_sockets',`
- gen_require(`
- type postfix_private_t;
- ')
-
- manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
-')
-
-########################################
-## <summary>
-## Execute the smtp postfix program
-## in the postfix smtp domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`postfix_domtrans_smtp',`
- gen_require(`
- type postfix_smtp_t, postfix_smtp_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
-')
-
-########################################
-## <summary>
-## Get attributes of all postfix mail
-## spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_getattr_all_spool_files',`
- gen_require(`
- attribute postfix_spool_type;
- ')
-
- files_search_spool($1)
- getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
-')
-
-########################################
-## <summary>
-## Search postfix mail spool directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_search_spool',`
- gen_require(`
- type postfix_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 postfix_spool_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## List postfix mail spool directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_list_spool',`
- gen_require(`
- type postfix_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 postfix_spool_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-## Read postfix mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_read_spool_files',`
- gen_require(`
- type postfix_spool_t;
- ')
-
- files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## postfix mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_manage_spool_files',`
- gen_require(`
- type postfix_spool_t;
- ')
-
- files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
-')
-
-########################################
-## <summary>
-## Execute postfix user mail programs
-## in their respective domains.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_domtrans_user_mail_handler',`
- gen_require(`
- attribute postfix_user_domtrans;
- ')
-
- typeattribute $1 postfix_user_domtrans;
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an postfix environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`postfix_admin',`
- gen_require(`
- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
- ')
-
- allow $1 postfix_domain:process { ptrace signal_perms };
- ps_process_pattern($1, postfix_domain)
-
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
-
- files_search_spool($1)
- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
-
- files_search_var_lib($1)
- admin_pattern($1, postfix_data_t)
-
- files_search_pids($1)
- admin_pattern($1, postfix_var_run_t)
-
- files_search_tmp($1)
- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
-
- postfix_exec_master($1)
- postfix_exec_postqueue($1)
- postfix_stream_connect_master($1)
- postfix_run_map($1, $2)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type postfix_showq_exec_t;
- type postfix_postqueue_t;
- ')
-
- allow postfix_postqueue_t $1:process sigchld;
-
- can_exec($1, postfix_showq_exec_t)
- ')
-')