dan,
thanks... these files works very fine.
regards,
diegows
On Wed, 2004-12-29 at 12:46 -0500, Daniel J Walsh wrote:
> Diego Woitasen wrote:
>
> >no, the same message...
> >
> >
> >
> >
> Try these two.
>
> Replace unconfied.te with this one and use this postfix.te.
>
> Dan
> plain text document attachment (unconfined.te)
> #DESC Unconfined - The unconfined domain
>
> # This is the initial domain, and is used for everything that
> # is not explicitly confined. It has no restrictions.
> # It needs to be carefully protected from the confined domains.
>
> type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
> role system_r types unconfined_t;
> role user_r types unconfined_t;
> role sysadm_r types unconfined_t;
> unconfined_domain(unconfined_t)
>
> # Define some type aliases to help with compatibility with
> # macros and domains from the "strict" policy.
> typealias bin_t alias su_exec_t;
> typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
> type mount_t, domain;
> type initrc_devpts_t, ptyfile;
> define(`admin_tty_type', `{ tty_device_t devpts_t }')
>
> # User home directory type.
> type user_home_t, file_type, sysadmfile;
> type user_home_dir_t, file_type, sysadmfile;
> file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
> file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
>
> define(`user_typealias', `
> ifelse($1,`user',`',`
> typealias user_home_t alias $1_home_t;
> typealias user_home_dir_t alias $1_home_dir_t;
> ')
> typealias tty_device_t alias $1_tty_device_t;
> typealias devpts_t alias $1_devpts_t;
> ')
> user_typealias(sysadm)
> user_typealias(staff)
> user_typealias(user)
>
> allow unconfined_t unlabeled_t:filesystem *;
> allow unlabeled_t unlabeled_t:filesystem associate;
> bool read_default_t false;
> plain text document attachment (postfix.te)
> #DESC Postfix - Mail server
> #
> # Author: Russell Coker <russell@xxxxxxxxxxxx>
> # X-Debian-Packages: postfix
> # Depends: mta.te
> #
>
> # Type for files created during execution of postfix.
> type postfix_var_run_t, file_type, sysadmfile, pidfile;
>
> type postfix_etc_t, file_type, sysadmfile;
> typealias postfix_etc_t alias etc_postfix_t;
> type postfix_exec_t, file_type, sysadmfile, exec_type;
> type postfix_public_t, file_type, sysadmfile;
> type postfix_private_t, file_type, sysadmfile;
> type postfix_spool_t, file_type, sysadmfile;
> type postfix_spool_maildrop_t, file_type, sysadmfile;
> type postfix_spool_flush_t, file_type, sysadmfile;
> type postfix_prng_t, file_type, sysadmfile;
> typealias system_mail_t alias sysadm_mail_t;
>
> # postfix needs this for newaliases
> allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
>
> #################################
> #
> # Rules for the postfix_$1_t domain.
> #
> # postfix_$1_exec_t is the type of the postfix_$1 executables.
> #
> define(`postfix_domain', `
> daemon_core_rules(postfix_$1, `$2')
> allow postfix_$1_t self:process setpgid;
> allow postfix_$1_t postfix_master_t:process sigchld;
> allow postfix_master_t postfix_$1_t:process signal;
>
> allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
> allow postfix_$1_t postfix_etc_t:file r_file_perms;
> read_locale(postfix_$1_t)
> allow postfix_$1_t etc_t:file { getattr read };
> allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
> allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
> allow postfix_$1_t self:unix_stream_socket connectto;
>
> allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
> allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
> allow postfix_$1_t shell_exec_t:file rx_file_perms;
> allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
> allow postfix_$1_t postfix_exec_t:file rx_file_perms;
> allow postfix_$1_t devtty_t:chr_file rw_file_perms;
> allow postfix_$1_t etc_runtime_t:file r_file_perms;
> allow postfix_$1_t proc_t:dir r_dir_perms;
> allow postfix_$1_t proc_t:file r_file_perms;
> allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
> allow postfix_$1_t fs_t:filesystem getattr;
> can_exec(postfix_$1_t, postfix_$1_exec_t)
>
> allow postfix_$1_t tmp_t:dir getattr;
>
> file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
>
> allow postfix_$1_t { sysctl_t sysctl_kernel_t }:dir search;
> allow postfix_$1_t sysctl_kernel_t:file { getattr read };
>
> ')dnl end postfix_domain
>
> ifdef(`crond.te',
> `allow system_mail_t crond_t:tcp_socket { read write create };')
>
> postfix_domain(master, `, mail_server_domain')
> rhgb_domain(postfix_master_t)
>
> read_sysctl(postfix_master_t)
>
> ifdef(`direct_sysadm_daemon', `
> dontaudit postfix_master_t admin_tty_type:chr_file { read write };
> ')
>
> domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
> allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
> ifdef(`direct_sysadm_daemon', `
> domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
> allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
> role_transition sysadm_r postfix_master_exec_t system_r;
> domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
> allow system_mail_t sysadm_t:process sigchld;
> allow system_mail_t privfd:fd use;
> ')dnl end direct_sysadm_daemon
>
> allow postfix_master_t privfd:fd use;
> ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
> allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
>
> # postfix does a "find" on startup for some reason - keep it quiet
> dontaudit postfix_master_t selinux_config_t:dir search;
> can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
> ifdef(`distro_redhat', `
> file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
> ', `
> file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
> ')
> allow postfix_master_t sendmail_exec_t:file r_file_perms;
> allow postfix_master_t sbin_t:lnk_file { getattr read };
> ifdef(`pppd.te', `
> domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
> ')
> can_exec(postfix_master_t, { ls_exec_t sbin_t })
> allow postfix_master_t sysctl_kernel_t:dir r_dir_perms;
> allow postfix_master_t sysctl_kernel_t:file r_file_perms;
> allow postfix_master_t self:fifo_file rw_file_perms;
> allow postfix_master_t usr_t:file r_file_perms;
> can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
> # chown is to set the correct ownership of queue dirs
> allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
> allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
> allow postfix_master_t postfix_public_t:sock_file create_file_perms;
> allow postfix_master_t postfix_public_t:dir rw_dir_perms;
> allow postfix_master_t postfix_private_t:dir rw_dir_perms;
> allow postfix_master_t postfix_private_t:sock_file create_file_perms;
> allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
> can_network(postfix_master_t)
> can_ypbind(postfix_master_t)
> allow postfix_master_t smtp_port_t:tcp_socket name_bind;
> allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
> allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
> allow postfix_master_t postfix_prng_t:file getattr;
> allow postfix_master_t privfd:fd use;
> allow postfix_master_t etc_aliases_t:file rw_file_perms;
>
> ifdef(`saslauthd.te',`
> allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
> allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
> can_unix_connect(postfix_smtpd_t,saslauthd_t)
> ')
>
> create_dir_file(postfix_master_t, postfix_spool_flush_t)
> allow postfix_master_t random_device_t:chr_file { read getattr };
> allow postfix_master_t postfix_prng_t:file rw_file_perms;
> # for ls to get the current context
> allow postfix_master_t self:file { getattr read };
> ifdef(`direct_sysadm_daemon', `
> allow postfix_master_t postfix_etc_t:file rw_file_perms;
> allow postfix_master_t devpts_t:dir search;
> ')
>
> # for SSP
> allow postfix_master_t urandom_device_t:chr_file read;
>
> # allow access to deferred queue and allow removing bogus incoming entries
> allow postfix_master_t postfix_spool_t:dir create_dir_perms;
> allow postfix_master_t postfix_spool_t:file create_file_perms;
>
> dontaudit postfix_master_t man_t:dir search;
>
> define(`postfix_server_domain', `
> postfix_domain($1, `$2')
> domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
> allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
> allow postfix_$1_t self:capability { setuid setgid dac_override };
> can_network(postfix_$1_t)
> can_ypbind(postfix_$1_t)
> ')
>
> postfix_server_domain(smtp, `, mail_server_sender')
> allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
> allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
> allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
> allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
> allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
> # if you have two different mail servers on the same host let them talk via
> # SMTP, also if one mail server wants to talk to itself then allow it and let
> # the SMTP protocol sort it out (SE Linux is not to prevent mail server
> # misconfiguration)
> can_tcp_connect(postfix_smtp_t, mail_server_domain)
>
> postfix_server_domain(smtpd)
> allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
> allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
> allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
> allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
> allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
> # for OpenSSL certificates
> r_dir_file(postfix_smtpd_t,usr_t)
> allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
>
> # for prng_exch
> allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
>
> allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
>
> postfix_server_domain(local, `, mta_delivery_agent')
> ifdef(`procmail.te', `
> domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
> # for a bug in the postfix local program
> dontaudit procmail_t postfix_local_t:tcp_socket { read write };
> dontaudit procmail_t postfix_master_t:fd use;
> ')
> allow postfix_local_t etc_aliases_t:file r_file_perms;
> allow postfix_local_t self:fifo_file rw_file_perms;
> allow postfix_local_t self:process setrlimit;
> allow postfix_local_t postfix_spool_t:file rw_file_perms;
> # for .forward - maybe we need a new type for it?
> allow postfix_local_t postfix_private_t:dir search;
> allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
> allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
> allow postfix_local_t postfix_public_t:dir search;
> allow postfix_local_t postfix_public_t:sock_file write;
> can_exec(postfix_local_t, shell_exec_t)
> ifdef(`arpwatch.te', `
> allow postfix_local_t arpwatch_data_t:dir { search };
> ')
>
> define(`postfix_public_domain',`
> postfix_server_domain($1)
> allow postfix_$1_t postfix_public_t:dir search;
> ')
>
> postfix_public_domain(cleanup)
> create_dir_file(postfix_cleanup_t, postfix_spool_t)
> allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
> allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
> allow postfix_cleanup_t postfix_private_t:dir search;
> allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
> allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
> allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
> allow postfix_cleanup_t self:process setrlimit;
>
> allow user_mail_domain postfix_spool_t:dir r_dir_perms;
> allow user_mail_domain postfix_etc_t:dir r_dir_perms;
> allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
> allow user_mail_domain self:capability dac_override;
>
> define(`postfix_user_domain', `
> postfix_domain($1, `$2')
> domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
> in_user_role(postfix_$1_t)
> role sysadm_r types postfix_$1_t;
> allow postfix_$1_t userdomain:process sigchld;
> allow postfix_$1_t userdomain:fifo_file { write getattr };
> allow postfix_$1_t { userdomain privfd }:fd use;
> allow postfix_$1_t self:capability dac_override;
> ')
>
> postfix_user_domain(postqueue)
> allow postfix_postqueue_t postfix_public_t:dir search;
> allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
> allow postfix_postqueue_t self:udp_socket { create ioctl };
> allow postfix_master_t postfix_postqueue_exec_t:file getattr;
> domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
> allow postfix_postqueue_t initrc_t:process sigchld;
> allow postfix_postqueue_t initrc_t:fd use;
>
> # to write the mailq output, it really should not need read access!
> allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
> ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
>
> # wants to write to /var/spool/postfix/public/showq
> allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
> allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
> # write to /var/spool/postfix/public/qmgr
> allow postfix_postqueue_t postfix_public_t:fifo_file write;
> dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
>
> postfix_user_domain(showq)
> # the following auto_trans is usually in postfix server domain
> domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
> allow postfix_showq_t self:udp_socket { create ioctl };
> r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
> domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
> allow postfix_showq_t self:capability { setuid setgid };
> allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
> allow postfix_showq_t postfix_spool_t:file r_file_perms;
> allow postfix_showq_t self:tcp_socket create_socket_perms;
> allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
> dontaudit postfix_showq_t net_conf_t:file r_file_perms;
>
> postfix_user_domain(postdrop, `, mta_user_agent')
> allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
> allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
> allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
> allow postfix_postdrop_t postfix_public_t:dir search;
> allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
> dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
> dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
> allow postfix_master_t postfix_postdrop_exec_t:file getattr;
> ifdef(`crond.te',
> `allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
> allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
> # usually it does not need a UDP socket
> allow postfix_postdrop_t self:udp_socket create_socket_perms;
> allow postfix_postdrop_t self:capability sys_resource;
>
> postfix_public_domain(pickup)
> allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
> allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
> allow postfix_pickup_t postfix_private_t:dir search;
> allow postfix_pickup_t postfix_private_t:sock_file write;
> allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
> allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
> allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
> allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
> allow postfix_pickup_t self:tcp_socket create_socket_perms;
>
> postfix_public_domain(qmgr)
> allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
> allow postfix_qmgr_t postfix_public_t:sock_file write;
> allow postfix_qmgr_t postfix_private_t:dir search;
> allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
> allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
>
> # for /var/spool/postfix/active
> create_dir_file(postfix_qmgr_t, postfix_spool_t)
>
> postfix_public_domain(bounce)
> type postfix_spool_bounce_t, file_type, sysadmfile;
> create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
> create_dir_file(postfix_bounce_t, postfix_spool_t)
> allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
> allow postfix_master_t postfix_spool_bounce_t:file getattr;
> allow postfix_bounce_t self:capability dac_read_search;
> allow postfix_bounce_t postfix_public_t:sock_file write;
> allow postfix_bounce_t self:tcp_socket create_socket_perms;
>
> r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
>
> postfix_public_domain(pipe)
> allow postfix_pipe_t postfix_spool_t:dir search;
> allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
> allow postfix_pipe_t self:fifo_file { read write };
> allow postfix_pipe_t postfix_private_t:dir search;
> allow postfix_pipe_t postfix_private_t:sock_file write;
> ifdef(`procmail.te', `
> domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
> ')
> ifdef(`sendmail.te', `
> allow sendmail_t postfix_etc_t:dir search;
> ')
>
> # Program for creating database files
> application_domain(postfix_map)
> base_file_read_access(postfix_map_t)
> allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
> tmp_domain(postfix_map)
> create_dir_file(postfix_map_t, postfix_etc_t)
> allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
> dontaudit postfix_map_t proc_t:dir { getattr read search };
> ifdef(`login.te',
> dontaudit postfix_map_t local_login_t:fd use;
> ')
> allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
> read_locale(postfix_map_t)
> allow postfix_map_t self:capability setgid;
> allow postfix_map_t self:unix_dgram_socket create_socket_perms;
> dontaudit postfix_map_t var_t:dir search;
> can_network(postfix_map_t)
> allow postfix_local_t mail_spool_t:dir { remove_name };
> allow postfix_local_t mail_spool_t:file { unlink };
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
