
postfix: update policy and merge with local changes

Helmut Pozimski 7 years ago
parent
commit
c0f0bf03d9
3 changed files with 41 additions and 26 deletions
  1. 15 16
      policy/modules/postfix.fc
  2. 1 4
      policy/modules/postfix.if
  3. 25 6
      policy/modules/postfix.te

+ 15 - 16
policy/modules/postfix.fc

@@ -1,23 +1,23 @@
-/etc/postfix.*	gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)?			gen_context(system_u:object_r:postfix_etc_t,s0)
 /etc/postfix/postfix-script.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 
 /etc/rc\.d/init\.d/postfix	--	gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 
-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr	--	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual	--	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+/usr/lib/postfix/(sbin/)?.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr	--	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual	--	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 
 /usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/libexec/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@@ -44,7 +44,6 @@
 /usr/sbin/postmap	--	gen_context(system_u:object_r:postfix_map_exec_t,s0)
 /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
 /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postconf    --      gen_context(system_u:object_r:postfix_master_exec_t,s0)
 
 /var/lib/postfix.*	gen_context(system_u:object_r:postfix_data_t,s0)
 
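Review bot: The hunk at @@ -44,7 +44,6 @@ drops the only entry labelling `/usr/sbin/postconf` as postfix_master_exec_t and adds no replacement, so postconf presumably falls back to whatever generic /usr/sbin rule applies elsewhere in the policy, which is not visible here. The removed line used spaces rather than the tabs used by every neighbouring entry, which suggests it was one of the local changes the title says are being merged rather than upstream content. If dropping it is deliberate, the commit message should say so; otherwise restore it as `/usr/sbin/postconf	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)` with tab separators to match the rest of the file.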

+ 1 - 4
policy/modules/postfix.if

@@ -720,10 +720,7 @@ interface(`postfix_admin',`
 	allow $1 postfix_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, postfix_domain)
 
-	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 postfix_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
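Review bot: `init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)` names a domain `postfix_t` that no hunk in this commit declares, while every rule in postfix.te shown here uses `postfix_master_t` as the daemon domain; if `postfix_t` is not defined in the module, any policy that calls `postfix_admin` fails to build at this line. Confirm the type exists, or pass the master domain instead, `init_startstop_service($1, $2, postfix_master_t, postfix_initrc_exec_t)`, and make sure the interface's `gen_require` block lists whichever type is used. The `postfix_admin` interface starts outside the hunk, so its `gen_require` block is not visible here.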

+ 25 - 6
policy/modules/postfix.te

@@ -1,4 +1,4 @@
-policy_module(postfix, 1.16.4)
+policy_module(postfix, 1.17.1)
 
 ########################################
 #
@@ -172,6 +172,7 @@ optional_policy(`
 #
 
 allow postfix_server_domain self:capability { setuid setgid dac_override };
+allow postfix_master_t self:process getsched;
 
 allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
@@ -179,6 +180,7 @@ corenet_all_recvfrom_unlabeled(postfix_server_domain)
 corenet_all_recvfrom_netlabel(postfix_server_domain)
 corenet_tcp_sendrecv_generic_if(postfix_server_domain)
 corenet_tcp_sendrecv_generic_node(postfix_server_domain)
+corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
 
 corenet_sendrecv_all_client_packets(postfix_server_domain)
 corenet_tcp_connect_all_ports(postfix_server_domain)
@@ -234,6 +236,8 @@ manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flus
 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
 
+hostname_exec(postfix_master_t)
+
 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -272,7 +276,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
 corenet_tcp_bind_generic_node(postfix_master_t)
-corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
 
 corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -316,9 +320,6 @@ mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
 mta_read_sendmail_bin(postfix_master_t)
 mta_getattr_spool(postfix_master_t)
 
-connect_udev_udp_socket(postfix_master_t)
-corenet_udp_bind_generic_node(postfix_master_t)
-
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
@@ -330,6 +331,11 @@ optional_policy(`
 
 optional_policy(`
 	mailman_manage_data_files(postfix_master_t)
+	mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+	milter_getattr_data_dir(postfix_master_t)
 ')
 
 optional_policy(`
@@ -375,6 +381,7 @@ allow postfix_cleanup_t self:process setrlimit;
 
 allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
 allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
 
 allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -404,6 +411,10 @@ optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')
 
+optional_policy(`
+	dkim_stream_connect(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Local local policy
@@ -436,6 +447,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
 	clamav_exec_clamscan(postfix_local_t)
+	clamav_stream_connect(postfix_smtpd_t)
 ')
 
 optional_policy(`
@@ -561,6 +573,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
 
 corecmd_exec_bin(postfix_pipe_t)
 
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+
+
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
@@ -571,6 +587,7 @@ optional_policy(`
 
 optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
+	mailman_domtrans(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -599,8 +616,10 @@ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
 allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
+# for /var/spool/postfix/public/pickup
+allow postfix_postdrop_t postfix_public_t:sock_file { getattr write };
 allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_postdrop_t postfix_public_t:sock_file { write getattr };
 
 mcs_file_read_all(postfix_postdrop_t)
 mcs_file_write_all(postfix_postdrop_t)
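Review bot: In the hunk at @@ -436,6 +447,7 @@ the added `clamav_stream_connect(postfix_smtpd_t)` sits inside the clamav `optional_policy` block of the postfix_local_t section, so a rule for the smtpd domain is filed under "Local local policy"; it compiles, but the file is organised by subject domain and a reader auditing what smtpd may connect to will not find it there. Move it to the smtpd section's own clamav `optional_policy` block (outside these hunks), i.e. `optional_policy(` / `	clamav_stream_connect(postfix_smtpd_t)` / `')`. The same placement issue affects `mailman_search_data(postfix_pipe_t)` added inside the postfix_master_t mailman block at @@ -330,6 +331,11 @@, and `corenet_tcp_bind_all_unreserved_ports(postfix_master_t)` moved into the postfix_server_domain block at @@ -179,6 +180,7 @@ while being removed from the master block at @@ -272,7 +276,7 @@. The three consecutive blank lines added after `write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)` at @@ -561,6 +573,10 @@ should be collapsed to one.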