Please take our Survey
logo       
<prev   next>

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: .te and .fc files for postfix and fedora: msg#00264

Subject: Re: .te and .fc files for postfix and fedora 
This is a multi-part message in MIME format.
Diego Woitasen wrote:


no, the same message...



Try these two.

Replace unconfied.te with this one and use this postfix.te.

Dan

#DESC Unconfined - The unconfined domain

# This is the initial domain, and is used for everything that
# is not explicitly confined.  It has no restrictions.
# It needs to be carefully protected from the confined domains.

type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, 
fs_domain, privmem;
role system_r types unconfined_t;
role user_r types unconfined_t;
role sysadm_r types unconfined_t;
unconfined_domain(unconfined_t)

# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
typealias bin_t alias su_exec_t;
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t 
rpm_script_t logrotate_t };
type mount_t, domain;
type initrc_devpts_t, ptyfile;
define(`admin_tty_type', `{ tty_device_t devpts_t }')

# User home directory type.
type user_home_t, file_type, sysadmfile;
type user_home_dir_t, file_type, sysadmfile;
file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)

define(`user_typealias', `
ifelse($1,`user',`',`
typealias user_home_t alias $1_home_t;
typealias user_home_dir_t alias $1_home_dir_t;
')
typealias tty_device_t alias $1_tty_device_t;
typealias devpts_t alias $1_devpts_t;
')
user_typealias(sysadm)
user_typealias(staff)
user_typealias(user)

allow unconfined_t unlabeled_t:filesystem *;
allow unlabeled_t unlabeled_t:filesystem associate;
bool read_default_t false;

#DESC Postfix - Mail server
#
# Author:  Russell Coker <russell@xxxxxxxxxxxx>
# X-Debian-Packages: postfix
# Depends: mta.te
#

# Type for files created during execution of postfix.
type postfix_var_run_t, file_type, sysadmfile, pidfile;

type postfix_etc_t, file_type, sysadmfile;
typealias postfix_etc_t alias etc_postfix_t;
type postfix_exec_t, file_type, sysadmfile, exec_type;
type postfix_public_t, file_type, sysadmfile;
type postfix_private_t, file_type, sysadmfile;
type postfix_spool_t, file_type, sysadmfile;
type postfix_spool_maildrop_t, file_type, sysadmfile;
type postfix_spool_flush_t, file_type, sysadmfile;
type postfix_prng_t, file_type, sysadmfile;
typealias system_mail_t alias sysadm_mail_t;

# postfix needs this for newaliases
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;

#################################
#
# Rules for the postfix_$1_t domain.
#
# postfix_$1_exec_t is the type of the postfix_$1 executables.
#
define(`postfix_domain', `
daemon_core_rules(postfix_$1, `$2')
allow postfix_$1_t self:process setpgid;
allow postfix_$1_t postfix_master_t:process sigchld;
allow postfix_master_t postfix_$1_t:process signal;

allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
allow postfix_$1_t postfix_etc_t:file r_file_perms;
read_locale(postfix_$1_t)
allow postfix_$1_t etc_t:file { getattr read };
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;

allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
allow postfix_$1_t shell_exec_t:file rx_file_perms;
allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
allow postfix_$1_t devtty_t:chr_file rw_file_perms;
allow postfix_$1_t etc_runtime_t:file r_file_perms;
allow postfix_$1_t proc_t:dir r_dir_perms;
allow postfix_$1_t proc_t:file r_file_perms;
allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
allow postfix_$1_t fs_t:filesystem getattr;
can_exec(postfix_$1_t, postfix_$1_exec_t)

allow postfix_$1_t tmp_t:dir getattr;

file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)

allow postfix_$1_t { sysctl_t sysctl_kernel_t }:dir search;
allow postfix_$1_t sysctl_kernel_t:file { getattr read };

')dnl end postfix_domain

ifdef(`crond.te',
`allow system_mail_t crond_t:tcp_socket { read write create };')

postfix_domain(master, `, mail_server_domain')
rhgb_domain(postfix_master_t)

read_sysctl(postfix_master_t)

ifdef(`direct_sysadm_daemon', `
dontaudit postfix_master_t admin_tty_type:chr_file { read write };
')

domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
ifdef(`direct_sysadm_daemon', `
domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
role_transition sysadm_r postfix_master_exec_t system_r;
domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
allow system_mail_t sysadm_t:process sigchld;
allow system_mail_t privfd:fd use;
')dnl end direct_sysadm_daemon

allow postfix_master_t privfd:fd use;
ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;

# postfix does a "find" on startup for some reason - keep it quiet
dontaudit postfix_master_t selinux_config_t:dir search;
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
ifdef(`distro_redhat', `
file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, 
postfix_etc_t, etc_aliases_t)
', `
file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
')
allow postfix_master_t sendmail_exec_t:file r_file_perms;
allow postfix_master_t sbin_t:lnk_file { getattr read };
ifdef(`pppd.te', `
domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
')
can_exec(postfix_master_t, { ls_exec_t sbin_t })
allow postfix_master_t sysctl_kernel_t:dir r_dir_perms;
allow postfix_master_t sysctl_kernel_t:file r_file_perms;
allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t usr_t:file r_file_perms;
can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid 
net_bind_service sys_tty_config };
allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
allow postfix_master_t postfix_public_t:sock_file create_file_perms;
allow postfix_master_t postfix_public_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
can_network(postfix_master_t)
can_ypbind(postfix_master_t)
allow postfix_master_t smtp_port_t:tcp_socket name_bind;
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
allow postfix_master_t postfix_prng_t:file getattr;
allow postfix_master_t privfd:fd use;
allow postfix_master_t etc_aliases_t:file rw_file_perms;

ifdef(`saslauthd.te',`
allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
can_unix_connect(postfix_smtpd_t,saslauthd_t)
')

create_dir_file(postfix_master_t, postfix_spool_flush_t)
allow postfix_master_t random_device_t:chr_file { read getattr };
allow postfix_master_t postfix_prng_t:file rw_file_perms;
# for ls to get the current context
allow postfix_master_t self:file { getattr read };
ifdef(`direct_sysadm_daemon', `
allow postfix_master_t postfix_etc_t:file rw_file_perms;
allow postfix_master_t devpts_t:dir search;
')

# for SSP
allow postfix_master_t urandom_device_t:chr_file read;

# allow access to deferred queue and allow removing bogus incoming entries
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_t:file create_file_perms;

dontaudit postfix_master_t man_t:dir search;

define(`postfix_server_domain', `
postfix_domain($1, `$2')
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto 
rw_stream_socket_perms };
allow postfix_$1_t self:capability { setuid setgid dac_override };
can_network(postfix_$1_t)
can_ypbind(postfix_$1_t)
')

postfix_server_domain(smtp, `, mail_server_sender')
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
# if you have two different mail servers on the same host let them talk via
# SMTP, also if one mail server wants to talk to itself then allow it and let
# the SMTP protocol sort it out (SE Linux is not to prevent mail server
# misconfiguration)
can_tcp_connect(postfix_smtp_t, mail_server_domain)

postfix_server_domain(smtpd)
allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file 
rw_file_perms;
allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
# for OpenSSL certificates
r_dir_file(postfix_smtpd_t,usr_t)
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;

# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;

allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;

postfix_server_domain(local, `, mta_delivery_agent')
ifdef(`procmail.te', `
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
# for a bug in the postfix local program
dontaudit procmail_t postfix_local_t:tcp_socket { read write };
dontaudit procmail_t postfix_master_t:fd use;
')
allow postfix_local_t etc_aliases_t:file r_file_perms;
allow postfix_local_t self:fifo_file rw_file_perms;
allow postfix_local_t self:process setrlimit;
allow postfix_local_t postfix_spool_t:file rw_file_perms;
# for .forward - maybe we need a new type for it?
allow postfix_local_t postfix_private_t:dir search;
allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
allow postfix_local_t postfix_public_t:dir search;
allow postfix_local_t postfix_public_t:sock_file write;
can_exec(postfix_local_t, shell_exec_t)
ifdef(`arpwatch.te', `
allow postfix_local_t arpwatch_data_t:dir { search };
')

define(`postfix_public_domain',`
postfix_server_domain($1)
allow postfix_$1_t postfix_public_t:dir search;
')

postfix_public_domain(cleanup)
create_dir_file(postfix_cleanup_t, postfix_spool_t)
allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
allow postfix_cleanup_t postfix_private_t:dir search;
allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
allow postfix_cleanup_t self:process setrlimit;

allow user_mail_domain postfix_spool_t:dir r_dir_perms;
allow user_mail_domain postfix_etc_t:dir r_dir_perms;
allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
allow user_mail_domain self:capability dac_override;

define(`postfix_user_domain', `
postfix_domain($1, `$2')
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
in_user_role(postfix_$1_t)
role sysadm_r types postfix_$1_t;
allow postfix_$1_t userdomain:process sigchld;
allow postfix_$1_t userdomain:fifo_file { write getattr };
allow postfix_$1_t { userdomain privfd }:fd use;
allow postfix_$1_t self:capability dac_override;
')

postfix_user_domain(postqueue)
allow postfix_postqueue_t postfix_public_t:dir search;
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
allow postfix_postqueue_t self:udp_socket { create ioctl };
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, 
postfix_postqueue_t)
allow postfix_postqueue_t initrc_t:process sigchld;
allow postfix_postqueue_t initrc_t:fd use;

# to write the mailq output, it really should not need read access!
allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')

# wants to write to /var/spool/postfix/public/showq
allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
# write to /var/spool/postfix/public/qmgr
allow postfix_postqueue_t postfix_public_t:fifo_file write;
dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;

postfix_user_domain(showq)
# the following auto_trans is usually in postfix server domain
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_showq_t self:udp_socket { create ioctl };
r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept 
rw_socket_perms };
allow postfix_showq_t postfix_spool_t:file r_file_perms;
allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
dontaudit postfix_showq_t net_conf_t:file r_file_perms;

postfix_user_domain(postdrop, `, mta_user_agent')
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
allow postfix_postdrop_t postfix_public_t:dir search;
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
ifdef(`crond.te',
`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
# usually it does not need a UDP socket
allow postfix_postdrop_t self:udp_socket create_socket_perms;
allow postfix_postdrop_t self:capability sys_resource;

postfix_public_domain(pickup)
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
allow postfix_pickup_t postfix_private_t:dir search;
allow postfix_pickup_t postfix_private_t:sock_file write;
allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
allow postfix_pickup_t self:tcp_socket create_socket_perms;

postfix_public_domain(qmgr)
allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_qmgr_t postfix_public_t:sock_file write;
allow postfix_qmgr_t postfix_private_t:dir search;
allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;

# for /var/spool/postfix/active
create_dir_file(postfix_qmgr_t, postfix_spool_t)

postfix_public_domain(bounce)
type postfix_spool_bounce_t, file_type, sysadmfile;
create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
create_dir_file(postfix_bounce_t, postfix_spool_t)
allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t self:tcp_socket create_socket_perms;

r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)

postfix_public_domain(pipe)
allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
allow postfix_pipe_t self:fifo_file { read write };
allow postfix_pipe_t postfix_private_t:dir search;
allow postfix_pipe_t postfix_private_t:sock_file write;
ifdef(`procmail.te', `
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
')
ifdef(`sendmail.te', `
allow sendmail_t postfix_etc_t:dir search;
')

# Program for creating database files
application_domain(postfix_map)
base_file_read_access(postfix_map_t)
allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
tmp_domain(postfix_map)
create_dir_file(postfix_map_t, postfix_etc_t)
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
dontaudit postfix_map_t proc_t:dir { getattr read search };
ifdef(`login.te', 
dontaudit postfix_map_t local_login_t:fd use;
')
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
read_locale(postfix_map_t)
allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
dontaudit postfix_map_t var_t:dir search;
can_network(postfix_map_t)
allow postfix_local_t mail_spool_t:dir { remove_name };
allow postfix_local_t mail_spool_t:file { unlink };
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: .te and .fc files for postfix and fedora, Diego Woitasen
Next by Date:  Re: .te and .fc files for postfix and fedora, Diego Woitasen
Previous by Thread:  Re: .te and .fc files for postfix and fedora, Diego Woitasen
Next by Thread:  Re: .te and .fc files for postfix and fedora, Diego Woitasen
Indexes:  [Date] [Thread] [Top] [All Lists]

Google Custom Search
Recently Viewed:
qnx.openqnx.dev...    gcc.libstdc++.c...    solaris.opensol...    information-ret...    misc.misterhous...    web.catalyst.ge...    apache.webservi...    redhat.release....    hardware.lirc/2...    kernel.autofs/2...    technology.sust...    linux.vdr/2003-...    editors.lyx.gen...    org.user-groups...    netbsd.devel.pk...    xdg.devel/2004-...    version-control...    jakarta.slide.d...    debian.packages...    creativecommons...    ports.ppc.embed...    bug-tracking.bu...   
Home | blog view | USPTO Patent Archive | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe