Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation.
Where can i get these files?
thanks!!!
and for example, if i want to add postfix to targeted policy, copying the .te and .fc files from strict-sources to targeted-sources should be work? or i need to change anything else?
On Tue, 2004-12-28 at 18:27 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation.
Where can i get these files?
thanks!!!
selinux-policy-strict-sources has the files.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Diego Woitasen wrote:
and for example, if i want to add postfix to targeted policy, copying the .te and .fc files from strict-sources to targeted-sources should be work? or i need to change anything else?
Yes. But you will need to relabel the files that are touched by postfix.fc There might be other problems with other modules that are doing ifdef(`postfix.te', `...') Or if postfix.te does some things expecting a strict policy environment.
Dan
On Tue, 2004-12-28 at 18:27 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation.
Where can i get these files?
thanks!!!
selinux-policy-strict-sources has the files.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
yeah... i seee
some macros are not defined in targeted, like can_network_[server| client]. I solved this problem, but now when i do make policy i get this msg:
domains/program/postfix.te:190:ERROR 'unknown type sysadm_mail_t' at token ';' on line 16044:
any ideas?
On Wed, 2004-12-29 at 10:30 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
and for example, if i want to add postfix to targeted policy, copying the .te and .fc files from strict-sources to targeted-sources should be work? or i need to change anything else?
Yes. But you will need to relabel the files that are touched by postfix.fc There might be other problems with other modules that are doing ifdef(`postfix.te', `...') Or if postfix.te does some things expecting a strict policy environment.
Dan
On Tue, 2004-12-28 at 18:27 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation.
Where can i get these files?
thanks!!!
selinux-policy-strict-sources has the files.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Diego Woitasen wrote:
yeah... i seee
some macros are not defined in targeted, like can_network_[server| client]. I solved this problem, but now when i do make policy i get this msg:
domains/program/postfix.te:190:ERROR 'unknown type sysadm_mail_t' at token ';' on line 16044:
any ideas?
On Wed, 2004-12-29 at 10:30 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
and for example, if i want to add postfix to targeted policy, copying the .te and .fc files from strict-sources to targeted-sources should be work? or i need to change anything else?
Yes. But you will need to relabel the files that are touched by postfix.fc There might be other problems with other modules that are doing ifdef(`postfix.te', `...') Or if postfix.te does some things expecting a strict policy environment.
Dan
On Tue, 2004-12-28 at 18:27 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation.
Where can i get these files?
thanks!!!
selinux-policy-strict-sources has the files.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Try sucking in mta.te also.
no, the same message...
On Wed, 2004-12-29 at 12:11 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
yeah... i seee
some macros are not defined in targeted, like can_network_[server| client]. I solved this problem, but now when i do make policy i get this msg:
domains/program/postfix.te:190:ERROR 'unknown type sysadm_mail_t' at token ';' on line 16044:
any ideas?
On Wed, 2004-12-29 at 10:30 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
and for example, if i want to add postfix to targeted policy, copying the .te and .fc files from strict-sources to targeted-sources should be work? or i need to change anything else?
Yes. But you will need to relabel the files that are touched by postfix.fc There might be other problems with other modules that are doing ifdef(`postfix.te', `...') Or if postfix.te does some things expecting a strict policy environment.
Dan
On Tue, 2004-12-28 at 18:27 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
Somebody have the policy files for postfix? I tried with Debian ones but fails in policy compilation.
Where can i get these files?
thanks!!!
selinux-policy-strict-sources has the files.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Try sucking in mta.te also.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Diego Woitasen wrote:
no, the same message...
Try these two.
Replace unconfied.te with this one and use this postfix.te.
Dan
#DESC Unconfined - The unconfined domain
# This is the initial domain, and is used for everything that # is not explicitly confined. It has no restrictions. # It needs to be carefully protected from the confined domains.
type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem; role system_r types unconfined_t; role user_r types unconfined_t; role sysadm_r types unconfined_t; unconfined_domain(unconfined_t)
# Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. typealias bin_t alias su_exec_t; typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t }; type mount_t, domain; type initrc_devpts_t, ptyfile; define(`admin_tty_type', `{ tty_device_t devpts_t }')
# User home directory type. type user_home_t, file_type, sysadmfile; type user_home_dir_t, file_type, sysadmfile; file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir) file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
define(`user_typealias', ` ifelse($1,`user',`',` typealias user_home_t alias $1_home_t; typealias user_home_dir_t alias $1_home_dir_t; ') typealias tty_device_t alias $1_tty_device_t; typealias devpts_t alias $1_devpts_t; ') user_typealias(sysadm) user_typealias(staff) user_typealias(user)
allow unconfined_t unlabeled_t:filesystem *; allow unlabeled_t unlabeled_t:filesystem associate; bool read_default_t false;
#DESC Postfix - Mail server # # Author: Russell Coker russell@coker.com.au # X-Debian-Packages: postfix # Depends: mta.te #
# Type for files created during execution of postfix. type postfix_var_run_t, file_type, sysadmfile, pidfile;
type postfix_etc_t, file_type, sysadmfile; typealias postfix_etc_t alias etc_postfix_t; type postfix_exec_t, file_type, sysadmfile, exec_type; type postfix_public_t, file_type, sysadmfile; type postfix_private_t, file_type, sysadmfile; type postfix_spool_t, file_type, sysadmfile; type postfix_spool_maildrop_t, file_type, sysadmfile; type postfix_spool_flush_t, file_type, sysadmfile; type postfix_prng_t, file_type, sysadmfile; typealias system_mail_t alias sysadm_mail_t;
# postfix needs this for newaliases allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
################################# # # Rules for the postfix_$1_t domain. # # postfix_$1_exec_t is the type of the postfix_$1 executables. # define(`postfix_domain', ` daemon_core_rules(postfix_$1, `$2') allow postfix_$1_t self:process setpgid; allow postfix_$1_t postfix_master_t:process sigchld; allow postfix_master_t postfix_$1_t:process signal;
allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms; allow postfix_$1_t postfix_etc_t:file r_file_perms; read_locale(postfix_$1_t) allow postfix_$1_t etc_t:file { getattr read }; allow postfix_$1_t self:unix_dgram_socket create_socket_perms; allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; allow postfix_$1_t self:unix_stream_socket connectto;
allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms; allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read }; allow postfix_$1_t shell_exec_t:file rx_file_perms; allow postfix_$1_t { var_t var_spool_t }:dir { search getattr }; allow postfix_$1_t postfix_exec_t:file rx_file_perms; allow postfix_$1_t devtty_t:chr_file rw_file_perms; allow postfix_$1_t etc_runtime_t:file r_file_perms; allow postfix_$1_t proc_t:dir r_dir_perms; allow postfix_$1_t proc_t:file r_file_perms; allow postfix_$1_t postfix_exec_t:dir r_dir_perms; allow postfix_$1_t fs_t:filesystem getattr; can_exec(postfix_$1_t, postfix_$1_exec_t)
allow postfix_$1_t tmp_t:dir getattr;
file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
allow postfix_$1_t { sysctl_t sysctl_kernel_t }:dir search; allow postfix_$1_t sysctl_kernel_t:file { getattr read };
')dnl end postfix_domain
ifdef(`crond.te', `allow system_mail_t crond_t:tcp_socket { read write create };')
postfix_domain(master, `, mail_server_domain') rhgb_domain(postfix_master_t)
read_sysctl(postfix_master_t)
ifdef(`direct_sysadm_daemon', ` dontaudit postfix_master_t admin_tty_type:chr_file { read write }; ')
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh }; ifdef(`direct_sysadm_daemon', ` domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t) allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh }; role_transition sysadm_r postfix_master_exec_t system_r; domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t) allow system_mail_t sysadm_t:process sigchld; allow system_mail_t privfd:fd use; ')dnl end direct_sysadm_daemon
allow postfix_master_t privfd:fd use; ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;') allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
# postfix does a "find" on startup for some reason - keep it quiet dontaudit postfix_master_t selinux_config_t:dir search; can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) ifdef(`distro_redhat', ` file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) ', ` file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) ') allow postfix_master_t sendmail_exec_t:file r_file_perms; allow postfix_master_t sbin_t:lnk_file { getattr read }; ifdef(`pppd.te', ` domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t) ') can_exec(postfix_master_t, { ls_exec_t sbin_t }) allow postfix_master_t sysctl_kernel_t:dir r_dir_perms; allow postfix_master_t sysctl_kernel_t:file r_file_perms; allow postfix_master_t self:fifo_file rw_file_perms; allow postfix_master_t usr_t:file r_file_perms; can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t }) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t postfix_public_t:fifo_file create_file_perms; allow postfix_master_t postfix_public_t:sock_file create_file_perms; allow postfix_master_t postfix_public_t:dir rw_dir_perms; allow postfix_master_t postfix_private_t:dir rw_dir_perms; allow postfix_master_t postfix_private_t:sock_file create_file_perms; allow postfix_master_t postfix_private_t:fifo_file create_file_perms; can_network(postfix_master_t) can_ypbind(postfix_master_t) allow postfix_master_t smtp_port_t:tcp_socket name_bind; allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; allow postfix_master_t postfix_prng_t:file getattr; allow postfix_master_t privfd:fd use; allow postfix_master_t etc_aliases_t:file rw_file_perms;
ifdef(`saslauthd.te',` allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr }; allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write }; can_unix_connect(postfix_smtpd_t,saslauthd_t) ')
create_dir_file(postfix_master_t, postfix_spool_flush_t) allow postfix_master_t random_device_t:chr_file { read getattr }; allow postfix_master_t postfix_prng_t:file rw_file_perms; # for ls to get the current context allow postfix_master_t self:file { getattr read }; ifdef(`direct_sysadm_daemon', ` allow postfix_master_t postfix_etc_t:file rw_file_perms; allow postfix_master_t devpts_t:dir search; ')
# for SSP allow postfix_master_t urandom_device_t:chr_file read;
# allow access to deferred queue and allow removing bogus incoming entries allow postfix_master_t postfix_spool_t:dir create_dir_perms; allow postfix_master_t postfix_spool_t:file create_file_perms;
dontaudit postfix_master_t man_t:dir search;
define(`postfix_server_domain', ` postfix_domain($1, `$2') domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:capability { setuid setgid dac_override }; can_network(postfix_$1_t) can_ypbind(postfix_$1_t) ')
postfix_server_domain(smtp, `, mail_server_sender') allow postfix_smtp_t postfix_spool_t:file rw_file_perms; allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; allow postfix_smtp_t urandom_device_t:chr_file { getattr read }; allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; # if you have two different mail servers on the same host let them talk via # SMTP, also if one mail server wants to talk to itself then allow it and let # the SMTP protocol sort it out (SE Linux is not to prevent mail server # misconfiguration) can_tcp_connect(postfix_smtp_t, mail_server_domain)
postfix_server_domain(smtpd) allow postfix_smtpd_t urandom_device_t:chr_file { getattr read }; allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; # for OpenSSL certificates r_dir_file(postfix_smtpd_t,usr_t) allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
# for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
postfix_server_domain(local, `, mta_delivery_agent') ifdef(`procmail.te', ` domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) # for a bug in the postfix local program dontaudit procmail_t postfix_local_t:tcp_socket { read write }; dontaudit procmail_t postfix_master_t:fd use; ') allow postfix_local_t etc_aliases_t:file r_file_perms; allow postfix_local_t self:fifo_file rw_file_perms; allow postfix_local_t self:process setrlimit; allow postfix_local_t postfix_spool_t:file rw_file_perms; # for .forward - maybe we need a new type for it? allow postfix_local_t postfix_private_t:dir search; allow postfix_local_t postfix_private_t:sock_file rw_file_perms; allow postfix_local_t postfix_master_t:unix_stream_socket connectto; allow postfix_local_t postfix_public_t:dir search; allow postfix_local_t postfix_public_t:sock_file write; can_exec(postfix_local_t, shell_exec_t) ifdef(`arpwatch.te', ` allow postfix_local_t arpwatch_data_t:dir { search }; ')
define(`postfix_public_domain',` postfix_server_domain($1) allow postfix_$1_t postfix_public_t:dir search; ')
postfix_public_domain(cleanup) create_dir_file(postfix_cleanup_t, postfix_spool_t) allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms; allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; allow postfix_cleanup_t postfix_private_t:dir search; allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; allow postfix_cleanup_t self:process setrlimit;
allow user_mail_domain postfix_spool_t:dir r_dir_perms; allow user_mail_domain postfix_etc_t:dir r_dir_perms; allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms; allow user_mail_domain self:capability dac_override;
define(`postfix_user_domain', ` postfix_domain($1, `$2') domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) in_user_role(postfix_$1_t) role sysadm_r types postfix_$1_t; allow postfix_$1_t userdomain:process sigchld; allow postfix_$1_t userdomain:fifo_file { write getattr }; allow postfix_$1_t { userdomain privfd }:fd use; allow postfix_$1_t self:capability dac_override; ')
postfix_user_domain(postqueue) allow postfix_postqueue_t postfix_public_t:dir search; allow postfix_postqueue_t postfix_public_t:fifo_file getattr; allow postfix_postqueue_t self:udp_socket { create ioctl }; allow postfix_master_t postfix_postqueue_exec_t:file getattr; domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) allow postfix_postqueue_t initrc_t:process sigchld; allow postfix_postqueue_t initrc_t:fd use;
# to write the mailq output, it really should not need read access! allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr }; ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
# wants to write to /var/spool/postfix/public/showq allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms; allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto; # write to /var/spool/postfix/public/qmgr allow postfix_postqueue_t postfix_public_t:fifo_file write; dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
postfix_user_domain(showq) # the following auto_trans is usually in postfix server domain domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) allow postfix_showq_t self:udp_socket { create ioctl }; r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) allow postfix_showq_t self:capability { setuid setgid }; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; allow postfix_showq_t postfix_spool_t:file r_file_perms; allow postfix_showq_t self:tcp_socket create_socket_perms; allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; dontaudit postfix_showq_t net_conf_t:file r_file_perms;
postfix_user_domain(postdrop, `, mta_user_agent') allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms; allow postfix_postdrop_t postfix_public_t:dir search; allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms; dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write }; dontaudit postfix_postdrop_t net_conf_t:file r_file_perms; allow postfix_master_t postfix_postdrop_exec_t:file getattr; ifdef(`crond.te', `allow postfix_postdrop_t { crond_t system_crond_t }:fd use; allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') # usually it does not need a UDP socket allow postfix_postdrop_t self:udp_socket create_socket_perms; allow postfix_postdrop_t self:capability sys_resource;
postfix_public_domain(pickup) allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms; allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms; allow postfix_pickup_t postfix_private_t:dir search; allow postfix_pickup_t postfix_private_t:sock_file write; allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto; allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms; allow postfix_pickup_t postfix_spool_maildrop_t:file unlink; allow postfix_pickup_t self:tcp_socket create_socket_perms;
postfix_public_domain(qmgr) allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms; allow postfix_qmgr_t postfix_public_t:sock_file write; allow postfix_qmgr_t postfix_private_t:dir search; allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms; allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
# for /var/spool/postfix/active create_dir_file(postfix_qmgr_t, postfix_spool_t)
postfix_public_domain(bounce) type postfix_spool_bounce_t, file_type, sysadmfile; create_dir_file(postfix_bounce_t, postfix_spool_bounce_t) create_dir_file(postfix_bounce_t, postfix_spool_t) allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms; allow postfix_master_t postfix_spool_bounce_t:file getattr; allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t postfix_public_t:sock_file write; allow postfix_bounce_t self:tcp_socket create_socket_perms;
r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
postfix_public_domain(pipe) allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:file rw_file_perms; allow postfix_pipe_t self:fifo_file { read write }; allow postfix_pipe_t postfix_private_t:dir search; allow postfix_pipe_t postfix_private_t:sock_file write; ifdef(`procmail.te', ` domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) ') ifdef(`sendmail.te', ` allow sendmail_t postfix_etc_t:dir search; ')
# Program for creating database files application_domain(postfix_map) base_file_read_access(postfix_map_t) allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read }; tmp_domain(postfix_map) create_dir_file(postfix_map_t, postfix_etc_t) allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; dontaudit postfix_map_t proc_t:dir { getattr read search }; ifdef(`login.te', dontaudit postfix_map_t local_login_t:fd use; ') allow postfix_master_t postfix_map_exec_t:file rx_file_perms; read_locale(postfix_map_t) allow postfix_map_t self:capability setgid; allow postfix_map_t self:unix_dgram_socket create_socket_perms; dontaudit postfix_map_t var_t:dir search; can_network(postfix_map_t) allow postfix_local_t mail_spool_t:dir { remove_name }; allow postfix_local_t mail_spool_t:file { unlink };
dan, thanks... these files works very fine.
regards, diegows
On Wed, 2004-12-29 at 12:46 -0500, Daniel J Walsh wrote:
Diego Woitasen wrote:
no, the same message...
Try these two.
Replace unconfied.te with this one and use this postfix.te.
Dan plain text document attachment (unconfined.te) #DESC Unconfined - The unconfined domain
# This is the initial domain, and is used for everything that # is not explicitly confined. It has no restrictions. # It needs to be carefully protected from the confined domains.
type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem; role system_r types unconfined_t; role user_r types unconfined_t; role sysadm_r types unconfined_t; unconfined_domain(unconfined_t)
# Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. typealias bin_t alias su_exec_t; typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t }; type mount_t, domain; type initrc_devpts_t, ptyfile; define(`admin_tty_type', `{ tty_device_t devpts_t }')
# User home directory type. type user_home_t, file_type, sysadmfile; type user_home_dir_t, file_type, sysadmfile; file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir) file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
define(`user_typealias', ` ifelse($1,`user',`',` typealias user_home_t alias $1_home_t; typealias user_home_dir_t alias $1_home_dir_t; ') typealias tty_device_t alias $1_tty_device_t; typealias devpts_t alias $1_devpts_t; ') user_typealias(sysadm) user_typealias(staff) user_typealias(user)
allow unconfined_t unlabeled_t:filesystem *; allow unlabeled_t unlabeled_t:filesystem associate; bool read_default_t false; plain text document attachment (postfix.te) #DESC Postfix - Mail server # # Author: Russell Coker russell@coker.com.au # X-Debian-Packages: postfix # Depends: mta.te #
# Type for files created during execution of postfix. type postfix_var_run_t, file_type, sysadmfile, pidfile;
type postfix_etc_t, file_type, sysadmfile; typealias postfix_etc_t alias etc_postfix_t; type postfix_exec_t, file_type, sysadmfile, exec_type; type postfix_public_t, file_type, sysadmfile; type postfix_private_t, file_type, sysadmfile; type postfix_spool_t, file_type, sysadmfile; type postfix_spool_maildrop_t, file_type, sysadmfile; type postfix_spool_flush_t, file_type, sysadmfile; type postfix_prng_t, file_type, sysadmfile; typealias system_mail_t alias sysadm_mail_t;
# postfix needs this for newaliases allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
################################# # # Rules for the postfix_$1_t domain. # # postfix_$1_exec_t is the type of the postfix_$1 executables. # define(`postfix_domain', ` daemon_core_rules(postfix_$1, `$2') allow postfix_$1_t self:process setpgid; allow postfix_$1_t postfix_master_t:process sigchld; allow postfix_master_t postfix_$1_t:process signal;
allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms; allow postfix_$1_t postfix_etc_t:file r_file_perms; read_locale(postfix_$1_t) allow postfix_$1_t etc_t:file { getattr read }; allow postfix_$1_t self:unix_dgram_socket create_socket_perms; allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; allow postfix_$1_t self:unix_stream_socket connectto;
allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms; allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read }; allow postfix_$1_t shell_exec_t:file rx_file_perms; allow postfix_$1_t { var_t var_spool_t }:dir { search getattr }; allow postfix_$1_t postfix_exec_t:file rx_file_perms; allow postfix_$1_t devtty_t:chr_file rw_file_perms; allow postfix_$1_t etc_runtime_t:file r_file_perms; allow postfix_$1_t proc_t:dir r_dir_perms; allow postfix_$1_t proc_t:file r_file_perms; allow postfix_$1_t postfix_exec_t:dir r_dir_perms; allow postfix_$1_t fs_t:filesystem getattr; can_exec(postfix_$1_t, postfix_$1_exec_t)
allow postfix_$1_t tmp_t:dir getattr;
file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
allow postfix_$1_t { sysctl_t sysctl_kernel_t }:dir search; allow postfix_$1_t sysctl_kernel_t:file { getattr read };
')dnl end postfix_domain
ifdef(`crond.te', `allow system_mail_t crond_t:tcp_socket { read write create };')
postfix_domain(master, `, mail_server_domain') rhgb_domain(postfix_master_t)
read_sysctl(postfix_master_t)
ifdef(`direct_sysadm_daemon', ` dontaudit postfix_master_t admin_tty_type:chr_file { read write }; ')
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh }; ifdef(`direct_sysadm_daemon', ` domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t) allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh }; role_transition sysadm_r postfix_master_exec_t system_r; domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t) allow system_mail_t sysadm_t:process sigchld; allow system_mail_t privfd:fd use; ')dnl end direct_sysadm_daemon
allow postfix_master_t privfd:fd use; ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;') allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
# postfix does a "find" on startup for some reason - keep it quiet dontaudit postfix_master_t selinux_config_t:dir search; can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) ifdef(`distro_redhat', ` file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) ', ` file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) ') allow postfix_master_t sendmail_exec_t:file r_file_perms; allow postfix_master_t sbin_t:lnk_file { getattr read }; ifdef(`pppd.te', ` domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t) ') can_exec(postfix_master_t, { ls_exec_t sbin_t }) allow postfix_master_t sysctl_kernel_t:dir r_dir_perms; allow postfix_master_t sysctl_kernel_t:file r_file_perms; allow postfix_master_t self:fifo_file rw_file_perms; allow postfix_master_t usr_t:file r_file_perms; can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t }) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t postfix_public_t:fifo_file create_file_perms; allow postfix_master_t postfix_public_t:sock_file create_file_perms; allow postfix_master_t postfix_public_t:dir rw_dir_perms; allow postfix_master_t postfix_private_t:dir rw_dir_perms; allow postfix_master_t postfix_private_t:sock_file create_file_perms; allow postfix_master_t postfix_private_t:fifo_file create_file_perms; can_network(postfix_master_t) can_ypbind(postfix_master_t) allow postfix_master_t smtp_port_t:tcp_socket name_bind; allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; allow postfix_master_t postfix_prng_t:file getattr; allow postfix_master_t privfd:fd use; allow postfix_master_t etc_aliases_t:file rw_file_perms;
ifdef(`saslauthd.te',` allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr }; allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write }; can_unix_connect(postfix_smtpd_t,saslauthd_t) ')
create_dir_file(postfix_master_t, postfix_spool_flush_t) allow postfix_master_t random_device_t:chr_file { read getattr }; allow postfix_master_t postfix_prng_t:file rw_file_perms; # for ls to get the current context allow postfix_master_t self:file { getattr read }; ifdef(`direct_sysadm_daemon', ` allow postfix_master_t postfix_etc_t:file rw_file_perms; allow postfix_master_t devpts_t:dir search; ')
# for SSP allow postfix_master_t urandom_device_t:chr_file read;
# allow access to deferred queue and allow removing bogus incoming entries allow postfix_master_t postfix_spool_t:dir create_dir_perms; allow postfix_master_t postfix_spool_t:file create_file_perms;
dontaudit postfix_master_t man_t:dir search;
define(`postfix_server_domain', ` postfix_domain($1, `$2') domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:capability { setuid setgid dac_override }; can_network(postfix_$1_t) can_ypbind(postfix_$1_t) ')
postfix_server_domain(smtp, `, mail_server_sender') allow postfix_smtp_t postfix_spool_t:file rw_file_perms; allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; allow postfix_smtp_t urandom_device_t:chr_file { getattr read }; allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; # if you have two different mail servers on the same host let them talk via # SMTP, also if one mail server wants to talk to itself then allow it and let # the SMTP protocol sort it out (SE Linux is not to prevent mail server # misconfiguration) can_tcp_connect(postfix_smtp_t, mail_server_domain)
postfix_server_domain(smtpd) allow postfix_smtpd_t urandom_device_t:chr_file { getattr read }; allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; # for OpenSSL certificates r_dir_file(postfix_smtpd_t,usr_t) allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
# for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
postfix_server_domain(local, `, mta_delivery_agent') ifdef(`procmail.te', ` domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) # for a bug in the postfix local program dontaudit procmail_t postfix_local_t:tcp_socket { read write }; dontaudit procmail_t postfix_master_t:fd use; ') allow postfix_local_t etc_aliases_t:file r_file_perms; allow postfix_local_t self:fifo_file rw_file_perms; allow postfix_local_t self:process setrlimit; allow postfix_local_t postfix_spool_t:file rw_file_perms; # for .forward - maybe we need a new type for it? allow postfix_local_t postfix_private_t:dir search; allow postfix_local_t postfix_private_t:sock_file rw_file_perms; allow postfix_local_t postfix_master_t:unix_stream_socket connectto; allow postfix_local_t postfix_public_t:dir search; allow postfix_local_t postfix_public_t:sock_file write; can_exec(postfix_local_t, shell_exec_t) ifdef(`arpwatch.te', ` allow postfix_local_t arpwatch_data_t:dir { search }; ')
define(`postfix_public_domain',` postfix_server_domain($1) allow postfix_$1_t postfix_public_t:dir search; ')
postfix_public_domain(cleanup) create_dir_file(postfix_cleanup_t, postfix_spool_t) allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms; allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; allow postfix_cleanup_t postfix_private_t:dir search; allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; allow postfix_cleanup_t self:process setrlimit;
allow user_mail_domain postfix_spool_t:dir r_dir_perms; allow user_mail_domain postfix_etc_t:dir r_dir_perms; allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms; allow user_mail_domain self:capability dac_override;
define(`postfix_user_domain', ` postfix_domain($1, `$2') domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) in_user_role(postfix_$1_t) role sysadm_r types postfix_$1_t; allow postfix_$1_t userdomain:process sigchld; allow postfix_$1_t userdomain:fifo_file { write getattr }; allow postfix_$1_t { userdomain privfd }:fd use; allow postfix_$1_t self:capability dac_override; ')
postfix_user_domain(postqueue) allow postfix_postqueue_t postfix_public_t:dir search; allow postfix_postqueue_t postfix_public_t:fifo_file getattr; allow postfix_postqueue_t self:udp_socket { create ioctl }; allow postfix_master_t postfix_postqueue_exec_t:file getattr; domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) allow postfix_postqueue_t initrc_t:process sigchld; allow postfix_postqueue_t initrc_t:fd use;
# to write the mailq output, it really should not need read access! allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr }; ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
# wants to write to /var/spool/postfix/public/showq allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms; allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto; # write to /var/spool/postfix/public/qmgr allow postfix_postqueue_t postfix_public_t:fifo_file write; dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
postfix_user_domain(showq) # the following auto_trans is usually in postfix server domain domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) allow postfix_showq_t self:udp_socket { create ioctl }; r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) allow postfix_showq_t self:capability { setuid setgid }; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; allow postfix_showq_t postfix_spool_t:file r_file_perms; allow postfix_showq_t self:tcp_socket create_socket_perms; allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; dontaudit postfix_showq_t net_conf_t:file r_file_perms;
postfix_user_domain(postdrop, `, mta_user_agent') allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms; allow postfix_postdrop_t postfix_public_t:dir search; allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms; dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write }; dontaudit postfix_postdrop_t net_conf_t:file r_file_perms; allow postfix_master_t postfix_postdrop_exec_t:file getattr; ifdef(`crond.te', `allow postfix_postdrop_t { crond_t system_crond_t }:fd use; allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') # usually it does not need a UDP socket allow postfix_postdrop_t self:udp_socket create_socket_perms; allow postfix_postdrop_t self:capability sys_resource;
postfix_public_domain(pickup) allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms; allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms; allow postfix_pickup_t postfix_private_t:dir search; allow postfix_pickup_t postfix_private_t:sock_file write; allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto; allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms; allow postfix_pickup_t postfix_spool_maildrop_t:file unlink; allow postfix_pickup_t self:tcp_socket create_socket_perms;
postfix_public_domain(qmgr) allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms; allow postfix_qmgr_t postfix_public_t:sock_file write; allow postfix_qmgr_t postfix_private_t:dir search; allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms; allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
# for /var/spool/postfix/active create_dir_file(postfix_qmgr_t, postfix_spool_t)
postfix_public_domain(bounce) type postfix_spool_bounce_t, file_type, sysadmfile; create_dir_file(postfix_bounce_t, postfix_spool_bounce_t) create_dir_file(postfix_bounce_t, postfix_spool_t) allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms; allow postfix_master_t postfix_spool_bounce_t:file getattr; allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t postfix_public_t:sock_file write; allow postfix_bounce_t self:tcp_socket create_socket_perms;
r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
postfix_public_domain(pipe) allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:file rw_file_perms; allow postfix_pipe_t self:fifo_file { read write }; allow postfix_pipe_t postfix_private_t:dir search; allow postfix_pipe_t postfix_private_t:sock_file write; ifdef(`procmail.te', ` domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) ') ifdef(`sendmail.te', ` allow sendmail_t postfix_etc_t:dir search; ')
# Program for creating database files application_domain(postfix_map) base_file_read_access(postfix_map_t) allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read }; tmp_domain(postfix_map) create_dir_file(postfix_map_t, postfix_etc_t) allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; dontaudit postfix_map_t proc_t:dir { getattr read search }; ifdef(`login.te', dontaudit postfix_map_t local_login_t:fd use; ') allow postfix_master_t postfix_map_exec_t:file rx_file_perms; read_locale(postfix_map_t) allow postfix_map_t self:capability setgid; allow postfix_map_t self:unix_dgram_socket create_socket_perms; dontaudit postfix_map_t var_t:dir search; can_network(postfix_map_t) allow postfix_local_t mail_spool_t:dir { remove_name }; allow postfix_local_t mail_spool_t:file { unlink }; -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
selinux@lists.fedoraproject.org