2017-09-12 02:41:57

by Mira Ressel

Subject: [refpolicy] [PATCH] postfix: Some table drivers (notably cdb) need to mmap() their databases

---
mta.if | 18 ++++++++++++++++++
postfix.te | 8 ++++++--
2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/mta.if b/mta.if
index 2b99dd5..2bff433 100644
--- a/mta.if
+++ b/mta.if
@@ -589,6 +589,24 @@ interface(`mta_read_aliases',`
allow $1 etc_aliases_t:file read_file_perms;
')

+########################################
+## <summary>
+## Read mail address alias files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_map_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ allow $1 etc_aliases_t:file map;
+')
+
########################################
## <summary>
## Create, read, write, and delete
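Review bot: The summary on the new `mta_map_aliases` interface is copied unchanged from `mta_read_aliases` and still reads "Read mail address alias files.", although the only rule in the interface is `allow $1 etc_aliases_t:file map;`. Generated interface documentation would then show two interfaces with the same description, and a policy author could not tell from it that this one grants memory-mapping and nothing else. I would change the summary line to `## Mmap mail address alias files.`. Since `map` alone grants no read access, the summary could also say that callers are expected to pair it with `mta_read_aliases`, as every call site in this patch does.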
diff --git a/postfix.te b/postfix.te
index 7c060c8..c7eb914 100644
--- a/postfix.te
+++ b/postfix.te
@@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
allow postfix_domain self:unix_stream_socket { accept connectto listen };

allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
+allow postfix_domain postfix_etc_t:file { read_file_perms map };
allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;

allow postfix_domain postfix_master_t:file read_file_perms;
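Review bot: `map` on `postfix_etc_t:file` is granted here to the whole `postfix_domain` attribute, so every Postfix domain gains it, while the subject line names only table drivers such as cdb as the reason. If only the domains that open lookup tables need the mapping, granting it per domain would keep the rule closer to least privilege. That cannot be confirmed from this hunk, so it is a question for the author rather than a defect. Either way, a comment above the rule would record why the permission is there, for example `# table drivers such as cdb mmap() their databases`.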
@@ -405,6 +405,7 @@ corenet_tcp_connect_kismet_port(postfix_cleanup_t)
corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)

mta_read_aliases(postfix_cleanup_t)
+mta_map_aliases(postfix_cleanup_t)

optional_policy(`
dkim_stream_connect(postfix_cleanup_t)
@@ -436,6 +437,7 @@ logging_dontaudit_search_logs(postfix_local_t)

mta_delete_spool(postfix_local_t)
mta_read_aliases(postfix_local_t)
+mta_map_aliases(postfix_local_t)
mta_read_config(postfix_local_t)
mta_send_mail(postfix_local_t)

@@ -489,7 +491,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid
allow postfix_map_t self:tcp_socket { accept listen };

allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;

manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
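Review bot: In the `postfix_map_t` rule, `map` is added next to `manage_file_perms`, so this domain holds write and map on `postfix_etc_t` files at the same time and can create shared writable mappings of them. The `map` permission exists because access through an established mapping is not revalidated, so this combination deserves a stated reason rather than being carried along with the read-only case. If the domain only needs to map tables when querying them, that is worth confirming. Otherwise I would add a comment such as `# table drivers (e.g. cdb) mmap() the databases this domain builds and queries`.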
@@ -776,6 +778,7 @@ fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)

mta_read_aliases(postfix_smtpd_t)
+mta_map_aliases(postfix_smtpd_t)

optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -817,6 +820,7 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_bin(postfix_virtual_t)

mta_read_aliases(postfix_virtual_t)
+mta_map_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
--
2.14.1


2017-09-12 22:54:51

by Chris PeBenito

Subject: [refpolicy] [PATCH] postfix: Some table drivers (notably cdb) need to mmap() their databases

On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> ---
> mta.if | 18 ++++++++++++++++++
> postfix.te | 8 ++++++--
> 2 files changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/mta.if b/mta.if
> index 2b99dd5..2bff433 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -589,6 +589,24 @@ interface(`mta_read_aliases',`
> allow $1 etc_aliases_t:file read_file_perms;
> ')
>
> +########################################
> +## <summary>
> +## Read mail address alias files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mta_map_aliases',`
> + gen_require(`
> + type etc_aliases_t;
> + ')
> +
> + allow $1 etc_aliases_t:file map;
> +')
> +
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> diff --git a/postfix.te b/postfix.te
> index 7c060c8..c7eb914 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
> allow postfix_domain self:unix_stream_socket { accept connectto listen };
>
> allow postfix_domain postfix_etc_t:dir list_dir_perms;
> -allow postfix_domain postfix_etc_t:file read_file_perms;
> +allow postfix_domain postfix_etc_t:file { read_file_perms map };
> allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
>
> allow postfix_domain postfix_master_t:file read_file_perms;
> @@ -405,6 +405,7 @@ corenet_tcp_connect_kismet_port(postfix_cleanup_t)
> corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
>
> mta_read_aliases(postfix_cleanup_t)
> +mta_map_aliases(postfix_cleanup_t)
>
> optional_policy(`
> dkim_stream_connect(postfix_cleanup_t)
> @@ -436,6 +437,7 @@ logging_dontaudit_search_logs(postfix_local_t)
>
> mta_delete_spool(postfix_local_t)
> mta_read_aliases(postfix_local_t)
> +mta_map_aliases(postfix_local_t)
> mta_read_config(postfix_local_t)
> mta_send_mail(postfix_local_t)
>
> @@ -489,7 +491,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
> -allow postfix_map_t postfix_etc_t:file manage_file_perms;
> +allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
> allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
>
> manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
> @@ -776,6 +778,7 @@ fs_getattr_all_dirs(postfix_smtpd_t)
> fs_getattr_all_fs(postfix_smtpd_t)
>
> mta_read_aliases(postfix_smtpd_t)
> +mta_map_aliases(postfix_smtpd_t)
>
> optional_policy(`
> dovecot_stream_connect_auth(postfix_smtpd_t)
> @@ -817,6 +820,7 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
> corecmd_exec_bin(postfix_virtual_t)
>
> mta_read_aliases(postfix_virtual_t)
> +mta_map_aliases(postfix_virtual_t)
> mta_delete_spool(postfix_virtual_t)
> mta_read_config(postfix_virtual_t)
> mta_manage_spool(postfix_virtual_t)

Merged.

--
Chris PeBenito