Diffstat (limited to 'policy/modules/contrib/postfix.te')
-rw-r--r--policy/modules/contrib/postfix.te799
1 files changed, 0 insertions, 799 deletions
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
deleted file mode 100644
index 9361cf8c..00000000
--- a/policy/modules/contrib/postfix.te
+++ /dev/null
@@ -1,799 +0,0 @@
-policy_module(postfix, 1.14.10)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Determine whether postfix local
-## can manage mail spool content.
-## </p>
-## </desc>
-gen_tunable(postfix_local_write_mail_spool, true)
-
-attribute postfix_domain;
-attribute postfix_server_domain;
-attribute postfix_server_tmp_content;
-attribute postfix_spool_type;
-attribute postfix_user_domains;
-attribute postfix_user_domtrans;
-
-attribute_role postfix_map_roles;
-roleattribute system_r postfix_map_roles;
-
-postfix_server_domain_template(bounce)
-
-type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
-
-postfix_server_domain_template(cleanup)
-
-type postfix_etc_t;
-files_config_file(postfix_etc_t)
-
-type postfix_exec_t;
-application_executable_file(postfix_exec_t)
-
-postfix_server_domain_template(local)
-mta_mailserver_delivery(postfix_local_t)
-
-type postfix_map_t;
-type postfix_map_exec_t;
-application_domain(postfix_map_t, postfix_map_exec_t)
-role postfix_map_roles types postfix_map_t;
-
-type postfix_map_tmp_t;
-files_tmp_file(postfix_map_tmp_t)
-
-postfix_domain_template(master)
-typealias postfix_master_t alias postfix_t;
-mta_mailserver(postfix_t, postfix_master_exec_t)
-
-type postfix_initrc_exec_t;
-init_script_file(postfix_initrc_exec_t)
-
-postfix_server_domain_template(pickup)
-
-postfix_server_domain_template(pipe)
-
-postfix_user_domain_template(postdrop)
-mta_mailserver_user_agent(postfix_postdrop_t)
-
-postfix_user_domain_template(postqueue)
-mta_mailserver_user_agent(postfix_postqueue_t)
-
-type postfix_private_t;
-files_type(postfix_private_t)
-
-type postfix_prng_t;
-files_type(postfix_prng_t)
-
-postfix_server_domain_template(qmgr)
-
-postfix_user_domain_template(showq)
-
-postfix_server_domain_template(smtp)
-mta_mailserver_sender(postfix_smtp_t)
-
-postfix_server_domain_template(smtpd)
-
-type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
-
-type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
-
-type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
-
-type postfix_public_t;
-files_type(postfix_public_t)
-
-type postfix_var_run_t;
-files_pid_file(postfix_var_run_t)
-
-type postfix_data_t;
-files_type(postfix_data_t)
-
-postfix_server_domain_template(virtual)
-mta_mailserver_delivery(postfix_virtual_t)
-
-########################################
-#
-# Common postfix domain local policy
-#
-
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
-allow postfix_domain self:fifo_file rw_fifo_file_perms;
-allow postfix_domain self:unix_stream_socket { accept connectto listen };
-
-allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
-
-allow postfix_domain postfix_master_t:file read_file_perms;
-
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
-
-allow postfix_domain postfix_master_t:process sigchld;
-
-allow postfix_domain postfix_spool_t:dir list_dir_perms;
-
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
-
-kernel_read_system_state(postfix_domain)
-kernel_read_network_state(postfix_domain)
-kernel_read_all_sysctls(postfix_domain)
-
-dev_read_sysfs(postfix_domain)
-dev_read_rand(postfix_domain)
-dev_read_urand(postfix_domain)
-
-fs_search_auto_mountpoints(postfix_domain)
-fs_getattr_all_fs(postfix_domain)
-fs_rw_anon_inodefs_files(postfix_domain)
-
-term_dontaudit_use_console(postfix_domain)
-
-corecmd_exec_shell(postfix_domain)
-
-files_read_etc_runtime_files(postfix_domain)
-files_read_usr_files(postfix_domain)
-files_search_spool(postfix_domain)
-files_getattr_tmp_dirs(postfix_domain)
-files_search_all_mountpoints(postfix_domain)
-
-init_dontaudit_use_fds(postfix_domain)
-init_sigchld(postfix_domain)
-
-logging_send_syslog_msg(postfix_domain)
-
-miscfiles_read_localization(postfix_domain)
-miscfiles_read_generic_certs(postfix_domain)
-
-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
-
-optional_policy(`
- udev_read_db(postfix_domain)
-')
-
-########################################
-#
-# Common postfix server domain local policy
-#
-
-allow postfix_server_domain self:capability { setuid setgid dac_override };
-
-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-corenet_all_recvfrom_unlabeled(postfix_server_domain)
-corenet_all_recvfrom_netlabel(postfix_server_domain)
-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
-
-corenet_sendrecv_all_client_packets(postfix_server_domain)
-corenet_tcp_connect_all_ports(postfix_server_domain)
-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
-
-########################################
-#
-# Common postfix user domain local policy
-#
-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
-
-########################################
-#
-# Master local policy
-#
-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
-allow postfix_master_t self:capability2 block_suspend;
-allow postfix_master_t self:process setrlimit;
-allow postfix_master_t self:tcp_socket create_stream_socket_perms;
-allow postfix_master_t self:udp_socket create_socket_perms;
-
-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
-allow postfix_master_t postfix_domain:process signal;
-
-allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
-allow postfix_master_t postfix_etc_t:file rw_file_perms;
-
-allow postfix_master_t postfix_data_t:dir manage_dir_perms;
-allow postfix_master_t postfix_data_t:file manage_file_perms;
-
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
-
-allow postfix_master_t postfix_prng_t:file rw_file_perms;
-
-manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
-manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
-files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
-
-allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
-
-manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-
-can_exec(postfix_master_t, postfix_exec_t)
-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-
-corenet_all_recvfrom_unlabeled(postfix_master_t)
-corenet_all_recvfrom_netlabel(postfix_master_t)
-corenet_tcp_sendrecv_generic_if(postfix_master_t)
-corenet_udp_sendrecv_generic_if(postfix_master_t)
-corenet_tcp_sendrecv_generic_node(postfix_master_t)
-corenet_udp_sendrecv_generic_node(postfix_master_t)
-corenet_tcp_sendrecv_all_ports(postfix_master_t)
-corenet_udp_sendrecv_all_ports(postfix_master_t)
-corenet_tcp_bind_generic_node(postfix_master_t)
-
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
-corenet_tcp_bind_amavisd_send_port(postfix_master_t)
-
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
-corenet_tcp_bind_smtp_port(postfix_master_t)
-
-corenet_sendrecv_spamd_server_packets(postfix_master_t)
-corenet_tcp_bind_spamd_port(postfix_master_t)
-
-corenet_sendrecv_all_client_packets(postfix_master_t)
-corenet_tcp_connect_all_ports(postfix_master_t)
-
-# Can this be conditional?
-corenet_sendrecv_all_server_packets(postfix_master_t)
-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
-
-selinux_dontaudit_search_fs(postfix_master_t)
-
-corecmd_exec_bin(postfix_master_t)
-
-domain_use_interactive_fds(postfix_master_t)
-
-files_search_tmp(postfix_master_t)
-
-mcs_file_read_all(postfix_master_t)
-
-term_dontaudit_search_ptys(postfix_master_t)
-
-miscfiles_read_man_pages(postfix_master_t)
-
-seutil_sigchld_newrole(postfix_master_t)
-seutil_dontaudit_search_config(postfix_master_t)
-
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
-mta_read_sendmail_bin(postfix_master_t)
-mta_getattr_spool(postfix_master_t)
-
-ifdef(`distro_gentoo',`
- filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
- filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
-')
-
-optional_policy(`
- cyrus_stream_connect(postfix_master_t)
-')
-
-optional_policy(`
- kerberos_keytab_template(postfix, postfix_t)
-')
-
-optional_policy(`
- mailman_manage_data_files(postfix_master_t)
-')
-
-optional_policy(`
- mysql_stream_connect(postfix_master_t)
-')
-
-optional_policy(`
- postgrey_search_spool(postfix_master_t)
-')
-
-optional_policy(`
- sendmail_signal(postfix_master_t)
-')
-
-########################################
-#
-# Bounce local policy
-#
-
-allow postfix_bounce_t self:capability dac_read_search;
-
-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
-
-manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
-
-manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-
-########################################
-#
-# Cleanup local policy
-#
-
-allow postfix_cleanup_t self:process setrlimit;
-
-allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
-
-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
-stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-
-rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
-write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
-
-manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
-manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
-manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
-files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
-
-allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
-
-corecmd_exec_bin(postfix_cleanup_t)
-
-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
-
-mta_read_aliases(postfix_cleanup_t)
-
-optional_policy(`
- mailman_read_data_files(postfix_cleanup_t)
-')
-
-########################################
-#
-# Local local policy
-#
-
-allow postfix_local_t self:capability chown;
-allow postfix_local_t self:process setrlimit;
-
-stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-
-rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
-
-domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-
-corecmd_exec_bin(postfix_local_t)
-
-logging_dontaudit_search_logs(postfix_local_t)
-
-mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
-mta_send_mail(postfix_local_t)
-
-tunable_policy(`postfix_local_write_mail_spool',`
- mta_manage_spool(postfix_local_t)
-')
-
-optional_policy(`
- clamav_search_lib(postfix_local_t)
- clamav_exec_clamscan(postfix_local_t)
-')
-
-optional_policy(`
- dovecot_domtrans_deliver(postfix_local_t)
-')
-
-optional_policy(`
- dspam_domtrans(postfix_local_t)
-')
-
-optional_policy(`
- mailman_manage_data_files(postfix_local_t)
- mailman_append_log(postfix_local_t)
- mailman_read_log(postfix_local_t)
-')
-
-optional_policy(`
- nagios_search_spool(postfix_local_t)
-')
-
-optional_policy(`
- procmail_domtrans(postfix_local_t)
-')
-
-optional_policy(`
- sendmail_rw_pipes(postfix_local_t)
-')
-
-optional_policy(`
- zarafa_domtrans_deliver(postfix_local_t)
- zarafa_stream_connect_server(postfix_local_t)
-')
-
-########################################
-#
-# Map local policy
-#
-
-allow postfix_map_t self:capability { dac_override setgid setuid };
-allow postfix_map_t self:tcp_socket { accept listen };
-
-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
-
-manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(postfix_map_t)
-kernel_dontaudit_list_proc(postfix_map_t)
-kernel_dontaudit_read_system_state(postfix_map_t)
-
-corenet_all_recvfrom_unlabeled(postfix_map_t)
-corenet_all_recvfrom_netlabel(postfix_map_t)
-corenet_tcp_sendrecv_generic_if(postfix_map_t)
-corenet_tcp_sendrecv_generic_node(postfix_map_t)
-
-corenet_sendrecv_all_client_packets(postfix_map_t)
-corenet_tcp_connect_all_ports(postfix_map_t)
-corenet_tcp_sendrecv_all_ports(postfix_map_t)
-
-corecmd_list_bin(postfix_map_t)
-corecmd_read_bin_symlinks(postfix_map_t)
-corecmd_read_bin_files(postfix_map_t)
-corecmd_read_bin_pipes(postfix_map_t)
-corecmd_read_bin_sockets(postfix_map_t)
-
-files_list_home(postfix_map_t)
-files_read_usr_files(postfix_map_t)
-files_read_etc_runtime_files(postfix_map_t)
-files_dontaudit_search_var(postfix_map_t)
-
-auth_use_nsswitch(postfix_map_t)
-
-logging_send_syslog_msg(postfix_map_t)
-
-miscfiles_read_localization(postfix_map_t)
-
-optional_policy(`
- locallogin_dontaudit_use_fds(postfix_map_t)
-')
-
-optional_policy(`
- mailman_manage_data_files(postfix_map_t)
-')
-
-########################################
-#
-# Pickup local policy
-#
-
-stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-
-rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-
-allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
-read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
-delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
-
-allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
-read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
-########################################
-#
-# Pipe local policy
-#
-
-allow postfix_pipe_t self:process setrlimit;
-
-write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-
-write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
-
-rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
-
-domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-
-corecmd_exec_bin(postfix_pipe_t)
-
-optional_policy(`
- dovecot_domtrans_deliver(postfix_pipe_t)
-')
-
-optional_policy(`
- procmail_domtrans(postfix_pipe_t)
-')
-
-optional_policy(`
- mailman_domtrans_queue(postfix_pipe_t)
-')
-
-optional_policy(`
- mta_manage_spool(postfix_pipe_t)
- mta_send_mail(postfix_pipe_t)
-')
-
-optional_policy(`
- spamassassin_domtrans_client(postfix_pipe_t)
- spamassassin_kill_client(postfix_pipe_t)
-')
-
-optional_policy(`
- uucp_domtrans_uux(postfix_pipe_t)
-')
-
-########################################
-#
-# Postdrop local policy
-#
-
-allow postfix_postdrop_t self:capability sys_resource;
-
-rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
-
-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
-
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
-
-term_dontaudit_use_all_ptys(postfix_postdrop_t)
-term_dontaudit_use_all_ttys(postfix_postdrop_t)
-
-mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
-
-optional_policy(`
- apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
-')
-
-optional_policy(`
- cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
-')
-
-optional_policy(`
- fail2ban_dontaudit_use_fds(postfix_postdrop_t)
-')
-
-optional_policy(`
- fstools_read_pipes(postfix_postdrop_t)
-')
-
-optional_policy(`
- sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
-')
-
-optional_policy(`
- uucp_manage_spool(postfix_postdrop_t)
-')
-
-#######################################
-#
-# Postqueue local policy
-#
-
-stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
-
-write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
-
-domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
-
-init_sigchld_script(postfix_postqueue_t)
-init_use_script_fds(postfix_postqueue_t)
-
-optional_policy(`
- cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
-')
-
-optional_policy(`
- ppp_use_fds(postfix_postqueue_t)
- ppp_sigchld(postfix_postqueue_t)
-')
-
-########################################
-#
-# Qmgr local policy
-#
-
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
-
-stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-
-rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-
-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
-manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
-manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
-files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
-
-corecmd_exec_bin(postfix_qmgr_t)
-
-########################################
-#
-# Showq local policy
-#
-
-allow postfix_showq_t self:capability { setuid setgid };
-
-allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-
-allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
-mcs_file_read_all(postfix_showq_t)
-
-term_use_all_ptys(postfix_showq_t)
-term_use_all_ttys(postfix_showq_t)
-
-########################################
-#
-# Smtp delivery local policy
-#
-
-allow postfix_smtp_t self:capability sys_chroot;
-
-stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-
-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
-
-rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-
-optional_policy(`
- cyrus_stream_connect(postfix_smtp_t)
-')
-
-optional_policy(`
- dovecot_stream_connect(postfix_smtp_t)
-')
-
-optional_policy(`
- dspam_stream_connect(postfix_smtp_t)
-')
-
-optional_policy(`
- milter_stream_connect_all(postfix_smtp_t)
-')
-
-########################################
-#
-# Smtpd local policy
-#
-
-allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
-
-stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-
-manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-
-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
-
-corecmd_exec_bin(postfix_smtpd_t)
-
-fs_getattr_all_dirs(postfix_smtpd_t)
-fs_getattr_all_fs(postfix_smtpd_t)
-
-mta_read_aliases(postfix_smtpd_t)
-
-optional_policy(`
- dovecot_stream_connect_auth(postfix_smtpd_t)
- dovecot_stream_connect(postfix_smtpd_t)
-')
-
-optional_policy(`
- mailman_read_data_files(postfix_smtpd_t)
-')
-
-optional_policy(`
- milter_stream_connect_all(postfix_smtpd_t)
-')
-
-optional_policy(`
- postgrey_stream_connect(postfix_smtpd_t)
-')
-
-optional_policy(`
- sasl_connect(postfix_smtpd_t)
-')
-
-optional_policy(`
- spamassassin_read_spamd_pid_files(postfix_smtpd_t)
- spamassassin_stream_connect_spamd(postfix_smtpd_t)
-')
-
-########################################
-#
-# Virtual local policy
-#
-
-allow postfix_virtual_t self:process setrlimit;
-
-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-
-stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-
-corecmd_exec_bin(postfix_virtual_t)
-
-mta_read_aliases(postfix_virtual_t)
-mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
-mta_manage_spool(postfix_virtual_t)
-
-userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })