From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 12 Sep 2017 18:54:51 -0400 Subject: [refpolicy] [PATCH] postfix: Some table drivers (notably cdb) need to mmap() their databases In-Reply-To: <20170912024157.23660-1-aranea@aixah.de> References: <20170912024157.23660-1-aranea@aixah.de> Message-ID: <4cb2d336-4709-f04a-b261-3700ee9a2b6e@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> ---
> mta.if | 18 ++++++++++++++++++
> postfix.te | 8 ++++++--
> 2 files changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/mta.if b/mta.if
> index 2b99dd5..2bff433 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -589,6 +589,24 @@ interface(`mta_read_aliases',`
> allow $1 etc_aliases_t:file read_file_perms;
> ')
>
> +########################################
> +##
> +## Read mail address alias files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mta_map_aliases',`
> + gen_require(`
> + type etc_aliases_t;
> + ')
> +
> + allow $1 etc_aliases_t:file map;
> +')
> +
> ########################################
> ##
> ## Create, read, write, and delete
> diff --git a/postfix.te b/postfix.te
> index 7c060c8..c7eb914 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
> allow postfix_domain self:unix_stream_socket { accept connectto listen };
>
> allow postfix_domain postfix_etc_t:dir list_dir_perms;
> -allow postfix_domain postfix_etc_t:file read_file_perms;
> +allow postfix_domain postfix_etc_t:file { read_file_perms map };
> allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
>
> allow postfix_domain postfix_master_t:file read_file_perms;
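Review bot: The summary of the new `mta_map_aliases` interface in mta.if is a copy of the one above it and still reads `Read mail address alias files.`, although the interface grants only `map` on etc_aliases_t; it should say `## Memory map mail address alias files.` so nobody mistakes it for a read interface. The `map` permission is checked at mmap() time and carries no open/read rights, so a domain given `mta_map_aliases` alone still cannot open the table; either state in the summary that it must be paired with `mta_read_aliases` (as every call site in this patch does), or make the interface self-contained with `allow $1 etc_aliases_t:file { read_file_perms map };`. In the postfix_domain hunk, `{ read_file_perms map }` keeps writable shared mappings gated by a `write` permission that this hunk does not grant, so the added right is read-only mapping, which is the intended outcome. Presumably `map` already exists in this tree's file access vector or these rules would not compile; it is worth confirming for anyone backporting this to an older policy that lacks the permission.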
> @@ -405,6 +405,7 @@ corenet_tcp_connect_kismet_port(postfix_cleanup_t)
> corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
>
> mta_read_aliases(postfix_cleanup_t)
> +mta_map_aliases(postfix_cleanup_t)
>
> optional_policy(`
> dkim_stream_connect(postfix_cleanup_t)
> @@ -436,6 +437,7 @@ logging_dontaudit_search_logs(postfix_local_t)
>
> mta_delete_spool(postfix_local_t)
> mta_read_aliases(postfix_local_t)
> +mta_map_aliases(postfix_local_t)
> mta_read_config(postfix_local_t)
> mta_send_mail(postfix_local_t)
>
> @@ -489,7 +491,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
> -allow postfix_map_t postfix_etc_t:file manage_file_perms;
> +allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
> allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
>
> manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
> @@ -776,6 +778,7 @@ fs_getattr_all_dirs(postfix_smtpd_t)
> fs_getattr_all_fs(postfix_smtpd_t)
>
> mta_read_aliases(postfix_smtpd_t)
> +mta_map_aliases(postfix_smtpd_t)
>
> optional_policy(`
> dovecot_stream_connect_auth(postfix_smtpd_t)
> @@ -817,6 +820,7 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
> corecmd_exec_bin(postfix_virtual_t)
>
> mta_read_aliases(postfix_virtual_t)
> +mta_map_aliases(postfix_virtual_t)
> mta_delete_spool(postfix_virtual_t)
> mta_read_config(postfix_virtual_t)
> mta_manage_spool(postfix_virtual_t)
Merged. -- Chris PeBenito
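Review bot: The five `mta_map_aliases` additions cover only the domains whose `mta_read_aliases` call is visible in these hunks, and `map` is enforced separately from `read` at mmap() time, so any other domain in postfix.te or the other MTA modules that opens etc_aliases_t (postfix_master_t, for example, whose rules fall outside this diff, if it reads the table) will still get a `map` denial once the alias database is a cdb. It would be worth checking the remaining `mta_read_aliases` callers and pairing them the same way, or folding `map` into `mta_read_aliases` itself so that readers of the alias database do not have to be patched one domain at a time. For postfix_map_t the new `map` on postfix_etc_t sits beside `manage_file_perms`, so writable shared mappings stay gated by the `write` permission that domain already holds, and the other four domains gain only read-only mapping on top of the read rules they already had. The postfix_map_t and postfix_virtual_t rule runs continue outside their hunks.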