|
@@ -1,4 +1,4 @@
|
|
-policy_module(postfix, 1.16.4)
|
|
|
|
|
|
+policy_module(postfix, 1.17.1)
|
|
|
|
|
|
########################################
|
|
########################################
|
|
#
|
|
#
|
|
@@ -172,6 +172,7 @@ optional_policy(`
|
|
#
|
|
#
|
|
|
|
|
|
allow postfix_server_domain self:capability { setuid setgid dac_override };
|
|
allow postfix_server_domain self:capability { setuid setgid dac_override };
|
|
|
|
+allow postfix_master_t self:process getsched;
|
|
|
|
|
|
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
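Review bot: The new `allow postfix_master_t self:process getsched;` sits inside the run of `postfix_server_domain` rules, which is the attribute-wide block shared by every postfix server domain, not master's own local policy. A reader auditing what the server domains may do will skim past a master-only rule here, and a reader auditing master will not find it in the master section. Move it to the `postfix_master_t` local-policy section and give it a why-comment, e.g. `# master(8) reads its own scheduling policy — TODO note the AVC/config that needs it`, since the trigger is not visible in the hunk. The enclosing section continues before and after the hunk.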
|
|
|
|
|
|
@@ -179,6 +180,7 @@ corenet_all_recvfrom_unlabeled(postfix_server_domain)
|
|
corenet_all_recvfrom_netlabel(postfix_server_domain)
|
|
corenet_all_recvfrom_netlabel(postfix_server_domain)
|
|
corenet_tcp_sendrecv_generic_if(postfix_server_domain)
|
|
corenet_tcp_sendrecv_generic_if(postfix_server_domain)
|
|
corenet_tcp_sendrecv_generic_node(postfix_server_domain)
|
|
corenet_tcp_sendrecv_generic_node(postfix_server_domain)
|
|
|
|
+corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
|
|
|
|
|
|
corenet_sendrecv_all_client_packets(postfix_server_domain)
|
|
corenet_sendrecv_all_client_packets(postfix_server_domain)
|
|
corenet_tcp_connect_all_ports(postfix_server_domain)
|
|
corenet_tcp_connect_all_ports(postfix_server_domain)
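Review bot: `corenet_tcp_bind_all_unreserved_ports(postfix_master_t)` is being moved out of the master local-policy block (it is deleted there in the `@@ -272,7 +276,7 @@` hunk) into the `postfix_server_domain` corenet block, which reads like a misplaced line rather than a deliberate relocation. It is also the broadest bind grant in the file: master(8) may bind any unreserved TCP port that carries no specific label, whereas the neighbouring rules are recv/connect permissions and master's own section already uses the named-port form (`corenet_tcp_bind_amavisd_send_port(postfix_master_t)`). If the listener ports are known, prefer a named-port interface; otherwise keep the rule in the master section with a comment naming the service that needs it, e.g. `# master(8) listens on a high port for content-filter reinjection — TODO confirm which`. The corenet block continues on both sides of the hunk.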
|
|
@@ -234,6 +236,8 @@ manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flus
|
|
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
|
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
|
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
|
|
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
|
|
|
|
|
|
|
|
+hostname_exec(postfix_master_t)
|
|
|
|
+
|
|
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
|
|
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
|
|
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
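Review bot: `hostname_exec(postfix_master_t)` is added with no comment, so the next maintainer cannot tell why a mail daemon needs to run hostname(1) or whether it is meant to execute in master's own domain rather than via a transition. Record the reason in the style the postdrop hunk later in this diff uses (`# for /var/spool/postfix/public/pickup`), e.g. `# master(8) runs hostname(1) — TODO record the config/AVC that needs it`, and confirm that an in-domain exec is what was intended. The surrounding `postfix_master_t` file-pattern block continues past both edges of the hunk.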
|
|
@@ -272,7 +276,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
|
|
corenet_tcp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_tcp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_udp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_udp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_tcp_bind_generic_node(postfix_master_t)
|
|
corenet_tcp_bind_generic_node(postfix_master_t)
|
|
-corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
|
|
|
|
|
|
+corenet_udp_bind_generic_node(postfix_master_t)
|
|
|
|
|
|
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
|
|
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
|
|
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
|
|
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
|
|
@@ -316,9 +320,6 @@ mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
|
|
mta_read_sendmail_bin(postfix_master_t)
|
|
mta_read_sendmail_bin(postfix_master_t)
|
|
mta_getattr_spool(postfix_master_t)
|
|
mta_getattr_spool(postfix_master_t)
|
|
|
|
|
|
-connect_udev_udp_socket(postfix_master_t)
|
|
|
|
-corenet_udp_bind_generic_node(postfix_master_t)
|
|
|
|
-
|
|
|
|
optional_policy(`
|
|
optional_policy(`
|
|
cyrus_stream_connect(postfix_master_t)
|
|
cyrus_stream_connect(postfix_master_t)
|
|
')
|
|
')
|
|
@@ -330,6 +331,11 @@ optional_policy(`
|
|
|
|
|
|
optional_policy(`
|
|
optional_policy(`
|
|
mailman_manage_data_files(postfix_master_t)
|
|
mailman_manage_data_files(postfix_master_t)
|
|
|
|
+ mailman_search_data(postfix_pipe_t)
|
|
|
|
+')
|
|
|
|
+
|
|
|
|
+optional_policy(`
|
|
|
|
+ milter_getattr_data_dir(postfix_master_t)
|
|
')
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
optional_policy(`
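Review bot: `mailman_search_data(postfix_pipe_t)` is added to the mailman `optional_policy` block of the master local-policy section, whose existing line is `mailman_manage_data_files(postfix_master_t)`, while the pipe domain already has its own mailman block (`mailman_domtrans_queue(postfix_pipe_t)` in the `@@ -571,6 +587,7 @@` hunk). Mixing subject domains in one block makes `postfix_pipe_t`'s grants hard to audit; move the line into the pipe section's mailman block next to `mailman_domtrans_queue(postfix_pipe_t)`. The new `milter_getattr_data_dir(postfix_master_t)` block is fine where it is. The trailing `optional_policy(` context belongs to a block that closes outside the hunk.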
|
|
@@ -375,6 +381,7 @@ allow postfix_cleanup_t self:process setrlimit;
|
|
|
|
|
|
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
|
|
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
|
|
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
|
|
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
|
|
|
|
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
|
|
|
|
|
|
allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
|
|
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
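Review bot: `allow postfix_cleanup_t postfix_smtpd_t:fd use;` completes the smtpd/cleanup descriptor relationship started by the two rw rules above it, but nothing in the hunk says where that descriptor comes from. Add a one-line why-comment so the three rules read as a unit rather than an unexplained widening, e.g. `# cleanup(8) operates on a socket descriptor handed over by smtpd(8) — confirm`. The `postfix_cleanup_t` local policy continues beyond the hunk.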
|
|
@@ -404,6 +411,10 @@ optional_policy(`
|
|
mailman_read_data_files(postfix_cleanup_t)
|
|
mailman_read_data_files(postfix_cleanup_t)
|
|
')
|
|
')
|
|
|
|
|
|
|
|
+optional_policy(`
|
|
|
|
+ dkim_stream_connect(postfix_cleanup_t)
|
|
|
|
+')
|
|
|
|
+
|
|
########################################
|
|
########################################
|
|
#
|
|
#
|
|
# Local local policy
|
|
# Local local policy
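Review bot: `dkim_stream_connect(postfix_cleanup_t)` covers only the cleanup(8) side of milter handling; if the deployment that triggered it also lists the DKIM milter under `smtpd_milters`, the connection is made by smtpd(8) and `postfix_smtpd_t` would need the same interface, which this diff does not add. I cannot tell from the hunk which milter setting was in use, so confirm against the denial that motivated the change. A comment such as `# non_smtpd_milters: cleanup(8) connects to the DKIM milter socket — confirm` would record the intent for the next reader.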
|
|
@@ -436,6 +447,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
|
|
optional_policy(`
|
|
optional_policy(`
|
|
clamav_search_lib(postfix_local_t)
|
|
clamav_search_lib(postfix_local_t)
|
|
clamav_exec_clamscan(postfix_local_t)
|
|
clamav_exec_clamscan(postfix_local_t)
|
|
|
|
+ clamav_stream_connect(postfix_smtpd_t)
|
|
')
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
optional_policy(`
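Review bot: `clamav_stream_connect(postfix_smtpd_t)` is inserted into the clamav `optional_policy` block of the "Local local policy" section, whose other lines (`clamav_search_lib`, `clamav_exec_clamscan`) all grant to `postfix_local_t`. A smtpd rule here will be missed by anyone auditing what smtpd(8) may connect to, and it quietly widens the scope of a block that reads as local(8)-only. Move it into the smtpd local-policy section as its own block: `optional_policy(` / `	clamav_stream_connect(postfix_smtpd_t)` / `')`. The smtpd section itself is outside this hunk.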
|
|
@@ -561,6 +573,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
|
|
|
|
|
|
corecmd_exec_bin(postfix_pipe_t)
|
|
corecmd_exec_bin(postfix_pipe_t)
|
|
|
|
|
|
|
|
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+
|
|
optional_policy(`
|
|
optional_policy(`
|
|
dovecot_domtrans_deliver(postfix_pipe_t)
|
|
dovecot_domtrans_deliver(postfix_pipe_t)
|
|
')
|
|
')
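Review bot: `write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)` is followed by three added blank lines before the `optional_policy(` block, where the rest of the file separates statements with a single blank line; collapse them to one. The rule also lacks the kind of why-comment the postdrop hunk later in this diff gives its equivalent (`# for /var/spool/postfix/public/pickup`); add e.g. `# pipe(8) writes to a socket under public/ — TODO confirm which`. The `postfix_pipe_t` section continues past the hunk.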
|
|
@@ -571,6 +587,7 @@ optional_policy(`
|
|
|
|
|
|
optional_policy(`
|
|
optional_policy(`
|
|
mailman_domtrans_queue(postfix_pipe_t)
|
|
mailman_domtrans_queue(postfix_pipe_t)
|
|
|
|
+ mailman_domtrans(postfix_pipe_t)
|
|
')
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
optional_policy(`
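Review bot: `mailman_domtrans(postfix_pipe_t)` adds a second domain transition next to `mailman_domtrans_queue(postfix_pipe_t)`, so a pipe(8) transport can now become the generic mailman domain as well as the queue-runner domain. Every additional domtrans from pipe widens what a command configured in master.cf may run as, so keep it only if the mailman transport actually executes a binary labeled for the generic domain; I cannot tell from the hunk which executable triggered this. Record the reason inline, e.g. `# pipe(8) runs a mailman binary outside the queue-runner label — confirm which`. The trailing `optional_policy(` context belongs to a block that closes outside the hunk.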
|
|
@@ -599,8 +616,10 @@ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
|
|
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
|
|
|
|
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
|
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
|
|
|
+
|
|
|
|
+# for /var/spool/postfix/public/pickup
|
|
|
|
+allow postfix_postdrop_t postfix_public_t:sock_file { getattr write };
|
|
allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
|
|
allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
|
|
-allow postfix_postdrop_t postfix_public_t:sock_file { write getattr };
|
|
|
|
|
|
|
|
mcs_file_read_all(postfix_postdrop_t)
|
|
mcs_file_read_all(postfix_postdrop_t)
|
|
mcs_file_write_all(postfix_postdrop_t)
|
|
mcs_file_write_all(postfix_postdrop_t)
|