From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:52 +0200
Subject: [refpolicy] [PATCH 16/19] Make postfix user content access optional
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-17-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The postfix virtual domain does not always need full manage rights on the users' home directories and content. We make these rights optional through the postfix_{read,manage}_{generic,all}_user_content booleans.

Signed-off-by: Sven Vermeulen
---
 postfix.te | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/postfix.te b/postfix.te
index b60eaad..8000c09 100644
--- a/postfix.te
+++ b/postfix.te
@@ -13,6 +13,34 @@ policy_module(postfix, 1.17.3) ## gen_tunable(postfix_local_write_mail_spool, true) +## +##

+## Grant the postfix domains read access to generic user content +##

+##
+gen_tunable(`postfix_read_generic_user_content', true) + +## +##

+## Grant the postfix domains read access to all user content +##

+##
+gen_tunable(`postfix_read_all_user_content', false) + +## +##

+## Grant the postfix domains manage rights on generic user content +##

+##
+gen_tunable(`postfix_manage_generic_user_content', false) + +## +##

+## Grant the postfix domains manage rights on all user content +##

+##
+gen_tunable(`postfix_manage_all_user_content', false) + attribute postfix_domain; attribute postfix_server_domain; attribute postfix_server_tmp_content; @@ -821,8 +849,4 @@ mta_delete_spool(postfix_virtual_t) mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) -userdom_manage_user_home_dirs(postfix_virtual_t) -userdom_manage_user_home_content_dirs(postfix_virtual_t) -userdom_manage_user_home_content_files(postfix_virtual_t) -userdom_home_filetrans_user_home_dir(postfix_virtual_t) -userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }) +userdom_user_content_access_template(postfix, postfix_virtual_t) -- 2.13.0
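Review bot: In the first hunk the four new tunables have inconsistent defaults (postfix_read_generic_user_content is true, the other three are false) and neither the descriptions nor the commit message say that this is a behaviour change: until now postfix_virtual_t had unconditional manage rights on user home directories and content (the five userdom_ lines removed in the second hunk), so after this patch any deployment that relied on those rights needs an administrator to turn on postfix_manage_generic_user_content or postfix_manage_all_user_content. Please state that in the commit message, or keep the previous behaviour as the default. Two smaller points on the same hunk: the descriptions say "Grant the postfix domains ...", but in this patch the template is only applied to postfix_virtual_t, so "the postfix virtual delivery domain" would describe the real scope; and policy_module(postfix, 1.17.3) is left as it is although the module's policy changes, so the version should be bumped.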
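Review bot: In the second hunk the single template call replaces not only the three manage rules but also two type transition rules, userdom_home_filetrans_user_home_dir(postfix_virtual_t) and userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }), plus the manage rights on the home directory itself (userdom_manage_user_home_dirs). The template name speaks of user content access, and nothing visible here shows that it re-adds the filetrans rules or the home directory rights that let the domain create and correctly label a new directory (for example a Maildir) under a user's home. Please confirm that userdom_user_content_access_template grants these when the manage booleans are on, or keep the two filetrans lines next to the template call, wrapped in the same tunable_policy condition. Note also that the template is not defined in this patch, so the userdomain change that introduces it must be ordered before 16/19 in the series for the policy to build at every step.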