author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-08-23 21:15:48 +0200 |
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-09-21 16:03:49 +0200 |
commit | f5bf00584ecda77ddf39a181d073bb43af75f909 (patch) | |
tree | 7c1a7340302504b8dabaad1080f068ac4e63cbec | |
parent | Allow salt minion to read SELinux configuration (diff) | |
sendmail - Introduce postfix_user_sendmail_privs
The postfix_user_sendmail_privs interface is used to add the proper set
of permissions to the (user|system)_sendmail_t domains.
-rw-r--r-- | policy/modules/contrib/postfix.if | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7d..a51026e1 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -756,3 +756,52 @@ interface(`postfix_admin',`
 can_exec($1, postfix_showq_exec_t)
 ')
 ')
+
+# ifdef distro_gentoo
+
+#########################################
+## <summary>
+## Assign privileges for Postfix sendmail
+## </summary>
+## <desc>
+## <p>
+## The privileges are extensive as many postfix commands are symbolic
+## links to the sendmail application. Example is the mailq command.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to assign privileges to
+## </summary>
+## </param>
+#
+interface(`postfix_user_sendmail_privs',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+ allow $1 self:process { setrlimit };
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+
+ allow postfix_postdrop_t $1:unix_stream_socket rw_socket_perms;
+
+ kernel_read_network_state($1)
+
+ domain_use_interactive_fds($1)
+
+ logging_send_syslog_msg($1)
+
+ auth_use_nsswitch($1)
+
+ miscfiles_read_localization($1)
+
+ userdom_use_user_terminals($1)
+
+ optional_policy(`
+ postfix_exec_postqueue($1)
+ postfix_domtrans_postdrop($1)
+ postfix_read_config($1)
+ postfix_read_spool_files($1)
+ postfix_stream_connect_master($1)
+ ')
+')
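Review bot: The `optional_policy` block at the end of `postfix_user_sendmail_privs` is redundant and hides the real dependency: the interface lives in postfix.if and already hard-requires `postfix_postdrop_t` via `gen_require`, so the five postfix_* calls can never be conditionally absent and should sit at the interface's top level like the other calls. The `# ifdef distro_gentoo` line is a plain comment, not an m4 `ifdef(\`distro_gentoo',\`` guard, so the interface is defined on every build; if it is meant only as a merge marker for Gentoo-specific additions, a short note saying so would stop a later reader from assuming it is conditional. The broadest rules here — `allow $1 self:process { setrlimit };`, `allow $1 self:tcp_socket create_socket_perms;` and `kernel_read_network_state($1)` — carry no per-rule rationale even though the summary admits the privilege set is extensive; since no corenet node/port rules are granted the TCP rule presumably only allows socket creation, but a comment such as `# TODO(review): record the denial that motivated setrlimit/tcp_socket/proc-net access` would keep these from being widened later without justification.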