From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 11 Mar 2011 15:04:06 +0100
Subject: [refpolicy] Postfix policy questions
Message-ID: <20110311140406.GA19004@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi folks

I'm trying to figure out why the Postfix policy is as it is currently in the
reference policy. It looks as if the administrative tasks (like postqueue,
postsuper, ...) are shielded from being used by default by any role (not even
sysadm_r).

Unlike most other services I encounter, where sysadm_r has been granted the
necessary permissions to transition towards the management domains of those
services, this seems to be explicitly not added for Postfix.

What is the reasoning behind this? I could assume that this is so that system
administrators cannot access nor manipulate the e-mails sent from the users
(i.e. privacy), but a system administrator is well able to read files in
/var/spool/postfix/* so I'm guessing this is not the case.

One of the reasons why I reckon that it is not meant for sysadm to call the
postfix administrative commands is that there is no interface that allows him
to do so: postfix_domtrans_master won't work as sysadm_r is never allowed to
transition to the postfix_master_t domain (nor execute postfix_master_exec_t).

Wkr,
Sven Vermeulen