diff options
| author |   Luis Ressel <aranea@aixah.de> | 2017-09-12 04:41:57 +0200 |
|---|---|---|
| committer | Luis Ressel <aranea@aixah.de> | 2017-09-14 21:34:44 +0200 |
| commit | db15b995c6a8f565f1c6c6ea3334d2d1b4dead2f (patch) | |
| tree | 5d6ce98fea61ba1444d77db910ea2a73aee6d769 | |
| parent | Module version bumps for chkrootkit, dkim, dmidecode, portage, and rkhunter. (diff) | |
| download | hardened-refpolicy-db15b995c6a8f565f1c6c6ea3334d2d1b4dead2f.tar.gz hardened-refpolicy-db15b995c6a8f565f1c6c6ea3334d2d1b4dead2f.tar.bz2 hardened-refpolicy-db15b995c6a8f565f1c6c6ea3334d2d1b4dead2f.zip | |
postfix: Some table drivers (notably cdb) need to mmap() their databases
| -rw-r--r-- | policy/modules/contrib/mta.if | 18 | ||||
| -rw-r--r-- | policy/modules/contrib/postfix.te | 8 |
2 files changed, 24 insertions, 2 deletions
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if index 0602746b..4384caae 100644 --- a/policy/modules/contrib/mta.if +++ b/policy/modules/contrib/mta.if @@ -608,6 +608,24 @@ interface(`mta_read_aliases',` ######################################## ## <summary> +## Read mail address alias files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_map_aliases',` + gen_require(` + type etc_aliases_t; + ') + + allow $1 etc_aliases_t:file map; +') + +######################################## +## <summary> ## Create, read, write, and delete ## mail address alias content. ## </summary> diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index 62eaeba3..620e81b1 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms; allow postfix_domain self:unix_stream_socket { accept connectto listen }; allow postfix_domain postfix_etc_t:dir list_dir_perms; -allow postfix_domain postfix_etc_t:file read_file_perms; +allow postfix_domain postfix_etc_t:file { read_file_perms map }; allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; allow postfix_domain postfix_master_t:file read_file_perms; @@ -405,6 +405,7 @@ corenet_tcp_connect_kismet_port(postfix_cleanup_t) corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) mta_read_aliases(postfix_cleanup_t) +mta_map_aliases(postfix_cleanup_t) optional_policy(` dkim_stream_connect(postfix_cleanup_t) @@ -436,6 +437,7 @@ logging_dontaudit_search_logs(postfix_local_t) mta_delete_spool(postfix_local_t) mta_read_aliases(postfix_local_t) +mta_map_aliases(postfix_local_t) mta_read_config(postfix_local_t) mta_send_mail(postfix_local_t) @@ -489,7 +491,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid }; allow postfix_map_t self:tcp_socket { accept listen }; allow postfix_map_t postfix_etc_t:dir manage_dir_perms; -allow postfix_map_t postfix_etc_t:file manage_file_perms; +allow postfix_map_t postfix_etc_t:file { manage_file_perms map }; allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) @@ -776,6 +778,7 @@ fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) +mta_map_aliases(postfix_smtpd_t) optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) @@ -817,6 +820,7 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_bin(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) +mta_map_aliases(postfix_virtual_t) mta_delete_spool(postfix_virtual_t) mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) |