From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 11 Mar 2011 15:04:06 +0100
Subject: [refpolicy] Postfix policy questions
Message-ID: <20110311140406.GA19004@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi folks

I'm trying to figure out why the Postfix policy is as it is currently in the
reference policy. It looks as if the administrative tasks (like postqueue,
postsuper, ...) as shielded from being used by default by any role (not even
sysadm_r).

Unlike most other services I encounter, where sysadm_r has been granted the
necessary permissions to transition towards the management domains of those
services, this seems to be explicitly not added for Postfix. What is the
reasoning behind this?

I could assume that this is so that system administrators cannot access nor
manipulate the e-mails sent from the users (i.e. privacy), but a system
administrator is well able to read files in /var/spool/postfix/* so I'm
guessing this is not the case.

One of the reasons why I recon that it is not meant for sysadm to call the
postfix administrative commands is that there is no interface that allows
him to do so: postfix_domtrans_master won't work as sysadm_r is never
allowed to transition to the postfix_master_t domain (nor execute
postfix_master_exec_t).

Wkr,
	Sven Vermeulen