Gecko [ 122.154.134.11 ]

Name	Size	Permission
abrt.if	8.77 KB	-rw-r--r--
afs.if	2.07 KB	-rw-r--r--
aiccu.if	2.33 KB	-rw-r--r--
aide.if	1.29 KB	-rw-r--r--
aisexec.if	2.69 KB	-rw-r--r--
amavis.if	5.87 KB	-rw-r--r--
antivirus.if	6.23 KB	-rw-r--r--
apache.if	37.34 KB	-rw-r--r--
apcupsd.if	3.45 KB	-rw-r--r--
apm.if	2.04 KB	-rw-r--r--
arpwatch.if	3.09 KB	-rw-r--r--
asterisk.if	2.02 KB	-rw-r--r--
audioentropy.if	56 B	-rw-r--r--
automount.if	3.83 KB	-rw-r--r--
avahi.if	3.21 KB	-rw-r--r--
bacula.if	2.44 KB	-rw-r--r--
bcfg2.if	2.9 KB	-rw-r--r--
bind.if	7.84 KB	-rw-r--r--
bitlbee.if	1.26 KB	-rw-r--r--
bluetooth.if	5.63 KB	-rw-r--r--
boinc.if	3.01 KB	-rw-r--r--
bugzilla.if	851 B	-rw-r--r--
cachefilesd.if	1.2 KB	-rw-r--r--
canna.if	1.35 KB	-rw-r--r--
ccs.if	1.45 KB	-rw-r--r--
certmaster.if	3.09 KB	-rw-r--r--
certmonger.if	5.09 KB	-rw-r--r--
cfengine.if	2.98 KB	-rw-r--r--
cgdcbxd.if	1.3 KB	-rw-r--r--
cgroup.if	3.14 KB	-rw-r--r--
chronyd.if	3.61 KB	-rw-r--r--
cinder.if	1.33 KB	-rw-r--r--
cipe.if	46 B	-rw-r--r--
clamav.if	4.23 KB	-rw-r--r--
clockspeed.if	952 B	-rw-r--r--
clogd.if	1.89 KB	-rw-r--r--
cloudform.if	809 B	-rw-r--r--
cmirrord.if	2.56 KB	-rw-r--r--
cobbler.if	4.83 KB	-rw-r--r--
collectd.if	3.03 KB	-rw-r--r--
comsat.if	45 B	-rw-r--r--
condor.if	6.91 KB	-rw-r--r--
conman.if	1.51 KB	-rw-r--r--
consolekit.if	2.63 KB	-rw-r--r--
corosync.if	3.87 KB	-rw-r--r--
courier.if	5.2 KB	-rw-r--r--
cpucontrol.if	382 B	-rw-r--r--
cron.if	15.03 KB	-rw-r--r--
ctdbd.if	5.61 KB	-rw-r--r--
cups.if	6.95 KB	-rw-r--r--
cvs.if	2 KB	-rw-r--r--
cyphesis.if	412 B	-rw-r--r--
cyrus.if	2.13 KB	-rw-r--r--
dante.if	62 B	-rw-r--r--
dbskk.if	82 B	-rw-r--r--
dbus.if	12.09 KB	-rw-r--r--
dcc.if	3.35 KB	-rw-r--r--
ddclient.if	2.03 KB	-rw-r--r--
denyhosts.if	1.93 KB	-rw-r--r--
devicekit.if	4.91 KB	-rw-r--r--
dhcp.if	1.99 KB	-rw-r--r--
dictd.if	1.24 KB	-rw-r--r--
dirsrv-admin.if	3.36 KB	-rw-r--r--
dirsrv.if	5.29 KB	-rw-r--r--
distcc.if	50 B	-rw-r--r--
djbdns.if	2.46 KB	-rw-r--r--
dkim.if	57 B	-rw-r--r--
dnsmasq.if	4.97 KB	-rw-r--r--
dovecot.if	4.32 KB	-rw-r--r--
drbd.if	2.24 KB	-rw-r--r--
dspam.if	5.09 KB	-rw-r--r--
exim.if	4.81 KB	-rw-r--r--
fail2ban.if	4.47 KB	-rw-r--r--
fcoemon.if	1.56 KB	-rw-r--r--
fetchmail.if	713 B	-rw-r--r--
finger.if	747 B	-rw-r--r--
fprintd.if	790 B	-rw-r--r--
freeipmi.if	1.77 KB	-rw-r--r--
ftp.if	4.4 KB	-rw-r--r--
gatekeeper.if	57 B	-rw-r--r--
git.if	1.67 KB	-rw-r--r--
glance.if	5.2 KB	-rw-r--r--
glusterd.if	4.29 KB	-rw-r--r--
gnomeclock.if	1.72 KB	-rw-r--r--
gpm.if	1.52 KB	-rw-r--r--
gpsd.if	1.28 KB	-rw-r--r--
hal.if	8.23 KB	-rw-r--r--
hddtemp.if	722 B	-rw-r--r--
howl.if	352 B	-rw-r--r--
hypervkvp.if	1.58 KB	-rw-r--r--
i18n_input.if	327 B	-rw-r--r--
icecast.if	3.59 KB	-rw-r--r--
ifplugd.if	2.66 KB	-rw-r--r--
imaze.if	40 B	-rw-r--r--
inetd.if	4.32 KB	-rw-r--r--
inn.if	4.33 KB	-rw-r--r--
ipmievd.if	1.81 KB	-rw-r--r--
ircd.if	33 B	-rw-r--r--
irqbalance.if	43 B	-rw-r--r--
isns.if	880 B	-rw-r--r--
jabber.if	3.21 KB	-rw-r--r--
keepalived.if	475 B	-rw-r--r--
kerberos.if	9.23 KB	-rw-r--r--
kerneloops.if	2.41 KB	-rw-r--r--
keystone.if	3.95 KB	-rw-r--r--
ksmtuned.if	1.57 KB	-rw-r--r--
ktalk.if	38 B	-rw-r--r--
l2tpd.if	3.37 KB	-rw-r--r--
ldap.if	3.97 KB	-rw-r--r--
likewise.if	2.44 KB	-rw-r--r--
linuxptp.if	2.72 KB	-rw-r--r--
lircd.if	1.93 KB	-rw-r--r--
lldpad.if	1.97 KB	-rw-r--r--
lpd.if	4 KB	-rw-r--r--
lsm.if	753 B	-rw-r--r--
mailman.if	8.55 KB	-rw-r--r--
matahari.if	5.21 KB	-rw-r--r--
memcached.if	2.4 KB	-rw-r--r--
milter.if	3.43 KB	-rw-r--r--
mip6d.if	432 B	-rw-r--r--
mirrormanager.if	5.17 KB	-rw-r--r--
modemmanager.if	905 B	-rw-r--r--
monop.if	38 B	-rw-r--r--
mpd.if	5.73 KB	-rw-r--r--
mta.if	22.27 KB	-rw-r--r--
munin.if	4.66 KB	-rw-r--r--
mysql.if	8.46 KB	-rw-r--r--
nagios.if	7.73 KB	-rw-r--r--
nessus.if	349 B	-rw-r--r--
networkmanager.if	5.4 KB	-rw-r--r--
nis.if	8.57 KB	-rw-r--r--
nova.if	1.17 KB	-rw-r--r--
nscd.if	6.18 KB	-rw-r--r--
nsd.if	634 B	-rw-r--r--
nslcd.if	2.31 KB	-rw-r--r--
ntop.if	2.98 KB	-rw-r--r--
ntp.if	3.56 KB	-rw-r--r--
numad.if	762 B	-rw-r--r--
nut.if	47 B	-rw-r--r--
nx.if	1.78 KB	-rw-r--r--
oav.if	973 B	-rw-r--r--
oddjob.if	3.88 KB	-rw-r--r--
oident.if	1.47 KB	-rw-r--r--
openca.if	1.37 KB	-rw-r--r--
openct.if	1.78 KB	-rw-r--r--
openhpid.if	2.94 KB	-rw-r--r--
openshift-origin.if	23 B	-rw-r--r--
openshift.if	13.75 KB	-rw-r--r--
openvpn.if	3.2 KB	-rw-r--r--
openvswitch.if	3.37 KB	-rw-r--r--
openwsman.if	428 B	-rw-r--r--
oracleasm.if	1.42 KB	-rw-r--r--
osad.if	3 KB	-rw-r--r--
pacemaker.if	3.41 KB	-rw-r--r--
pads.if	1.05 KB	-rw-r--r--
passenger.if	3.44 KB	-rw-r--r--
pcp.if	2.8 KB	-rw-r--r--
pcscd.if	1.8 KB	-rw-r--r--
pegasus.if	62 B	-rw-r--r--
perdition.if	378 B	-rw-r--r--
pingd.if	1.96 KB	-rw-r--r--
piranha.if	4.14 KB	-rw-r--r--
pkcsslotd.if	2.34 KB	-rw-r--r--
plymouthd.if	6.52 KB	-rw-r--r--
policykit.if	5.65 KB	-rw-r--r--
portmap.if	1.92 KB	-rw-r--r--
portreserve.if	2.7 KB	-rw-r--r--
portslave.if	419 B	-rw-r--r--
postfix.if	19.5 KB	-rw-r--r--
postfixpolicyd.if	1022 B	-rw-r--r--
postgresql.if	15.28 KB	-rw-r--r--
postgrey.if	1.8 KB	-rw-r--r--
ppp.if	7.1 KB	-rw-r--r--
prelude.if	3.23 KB	-rw-r--r--
privoxy.if	972 B	-rw-r--r--
procmail.if	1.84 KB	-rw-r--r--
psad.if	5.39 KB	-rw-r--r--
publicfile.if	83 B	-rw-r--r--
puppet.if	5.12 KB	-rw-r--r--
pxe.if	63 B	-rw-r--r--
pyicqt.if	66 B	-rw-r--r--
pyzor.if	2.71 KB	-rw-r--r--
qmail.if	4.16 KB	-rw-r--r--
qpidd.if	5.02 KB	-rw-r--r--
quantum.if	4.68 KB	-rw-r--r--
radius.if	1.37 KB	-rw-r--r--
radvd.if	1.18 KB	-rw-r--r--
razor.if	5.12 KB	-rw-r--r--
rdisc.if	373 B	-rw-r--r--
redis.if	4.83 KB	-rw-r--r--
remotelogin.if	779 B	-rw-r--r--
resmgr.if	465 B	-rw-r--r--
rgmanager.if	4.6 KB	-rw-r--r--
rhcs.if	16.67 KB	-rw-r--r--
rhev.if	2.04 KB	-rw-r--r--
rhgb.if	3.57 KB	-rw-r--r--
rhnsd.if	1.73 KB	-rw-r--r--
rhsmcertd.if	5.95 KB	-rw-r--r--
ricci.if	6.3 KB	-rw-r--r--
rlogin.if	925 B	-rw-r--r--
roundup.if	938 B	-rw-r--r--
rpc.if	9.53 KB	-rw-r--r--
rpcbind.if	3.1 KB	-rw-r--r--
rshd.if	428 B	-rw-r--r--
rsync.if	3.62 KB	-rw-r--r--
rtas.if	2.54 KB	-rw-r--r--
rtkit.if	1.67 KB	-rw-r--r--
rwho.if	2.89 KB	-rw-r--r--
samba.if	19.02 KB	-rw-r--r--
sanlock.if	2.23 KB	-rw-r--r--
sasl.if	1.17 KB	-rw-r--r--
sblim.if	3.54 KB	-rw-r--r--
sendmail.if	7 KB	-rw-r--r--
sensord.if	817 B	-rw-r--r--
setroubleshoot.if	3.49 KB	-rw-r--r--
sge.if	54 B	-rw-r--r--
slpd.if	1.36 KB	-rw-r--r--
slrnpull.if	978 B	-rw-r--r--
smartmon.if	1.26 KB	-rw-r--r--
smokeping.if	3.32 KB	-rw-r--r--
smstools.if	2.57 KB	-rw-r--r--
snmp.if	4.93 KB	-rw-r--r--
snort.if	1.29 KB	-rw-r--r--
soundserver.if	1.3 KB	-rw-r--r--
spamassassin.if	7.62 KB	-rw-r--r--
speedtouch.if	56 B	-rw-r--r--
squid.if	4.32 KB	-rw-r--r--
ssh.if	23.08 KB	-rw-r--r--
sssd.if	5.23 KB	-rw-r--r--
stapserver.if	3.04 KB	-rw-r--r--
stunnel.if	577 B	-rw-r--r--
svnserve.if	1.57 KB	-rw-r--r--
swift.if	1.82 KB	-rw-r--r--
sysstat.if	433 B	-rw-r--r--
tcpd.if	903 B	-rw-r--r--
telnet.if	36 B	-rw-r--r--
tftp.if	3.12 KB	-rw-r--r--
tgtd.if	1.46 KB	-rw-r--r--
timidity.if	79 B	-rw-r--r--
tomcat.if	7.27 KB	-rw-r--r--
tor.if	1.31 KB	-rw-r--r--
transproxy.if	45 B	-rw-r--r--
tuned.if	2.45 KB	-rw-r--r--
ucspitcp.if	642 B	-rw-r--r--
ulogd.if	2.91 KB	-rw-r--r--
uptime.if	36 B	-rw-r--r--
usbmuxd.if	863 B	-rw-r--r--
uucp.if	2.35 KB	-rw-r--r--
uuidd.if	3.61 KB	-rw-r--r--
uwimap.if	461 B	-rw-r--r--
varnishd.if	4.42 KB	-rw-r--r--
vdagent.if	2.36 KB	-rw-r--r--
vhostmd.if	4.43 KB	-rw-r--r--
virt.if	19.61 KB	-rw-r--r--
w3c.if	43 B	-rw-r--r--
watchdog.if	895 B	-rw-r--r--
wdmd.if	2.49 KB	-rw-r--r--
xfs.if	1.07 KB	-rw-r--r--
xprint.if	37 B	-rw-r--r--
xserver.if	37.77 KB	-rw-r--r--
zabbix.if	3.97 KB	-rw-r--r--
zarafa.if	4.04 KB	-rw-r--r--
zebra.if	1.88 KB	-rw-r--r--
zosremote.if	991 B	-rw-r--r--

Code Editor : postfix.if

## <summary>Postfix email server</summary>

########################################
## <summary>
##	Postfix stub interface.  No access allowed.
## </summary>
## <param name="domain" unused="true">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_stub',`
	gen_require(`
		type postfix_master_t;
	')
')

########################################
## <summary>
##	Creates types and rules for a basic
##	postfix process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`postfix_domain_template',`
	type postfix_$1_t;
	type postfix_$1_exec_t;
	domain_type(postfix_$1_t)
	domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
	role system_r types postfix_$1_t;

allow postfix_$1_t self:capability { sys_nice sys_chroot };
	dontaudit postfix_$1_t self:capability sys_tty_config;
	allow postfix_$1_t self:process { signal_perms setpgid setsched };
	allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
	allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
	allow postfix_$1_t self:unix_stream_socket connectto;
	allow postfix_$1_t self:fifo_file rw_fifo_file_perms;

allow postfix_master_t postfix_$1_t:process signal;
	#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
	allow postfix_$1_t postfix_master_t:file read;

allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
	read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
	read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)

can_exec(postfix_$1_t, postfix_$1_exec_t)

allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock };

allow postfix_$1_t postfix_master_t:process sigchld;

allow postfix_$1_t postfix_spool_t:dir list_dir_perms;

allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
	files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)

kernel_read_system_state(postfix_$1_t)
	kernel_read_network_state(postfix_$1_t)
	kernel_read_all_sysctls(postfix_$1_t)

dev_read_sysfs(postfix_$1_t)
	dev_read_rand(postfix_$1_t)
	dev_read_urand(postfix_$1_t)

fs_search_auto_mountpoints(postfix_$1_t)
	fs_getattr_xattr_fs(postfix_$1_t)
	fs_rw_anon_inodefs_files(postfix_$1_t)

term_dontaudit_use_console(postfix_$1_t)

corecmd_exec_shell(postfix_$1_t)

files_read_etc_files(postfix_$1_t)
	files_read_etc_runtime_files(postfix_$1_t)
	files_read_usr_files(postfix_$1_t)
	files_read_usr_symlinks(postfix_$1_t)
	files_search_spool(postfix_$1_t)
	files_list_tmp(postfix_$1_t)
	files_getattr_tmp_dirs(postfix_$1_t)
	files_search_all_mountpoints(postfix_$1_t)

init_dontaudit_use_fds(postfix_$1_t)
	init_sigchld(postfix_$1_t)

auth_use_nsswitch(postfix_$1_t)

logging_send_syslog_msg(postfix_$1_t)

miscfiles_read_localization(postfix_$1_t)
	miscfiles_read_certs(postfix_$1_t)

userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)

optional_policy(`
		udev_read_db(postfix_$1_t)
	')

optional_policy(`
		mysql_stream_connect(postfix_$1_t)
	')
')

########################################
## <summary>
##	Creates a postfix server process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix of the domain.
##	</summary>
## </param>
#
template(`postfix_server_domain_template',`
	postfix_domain_template($1)

type postfix_$1_tmp_t;
	files_tmp_file(postfix_$1_tmp_t)

allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
	allow postfix_$1_t self:tcp_socket create_socket_perms;
	allow postfix_$1_t self:udp_socket create_socket_perms;

manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
	manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
	files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })

domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)

corenet_all_recvfrom_unlabeled(postfix_$1_t)
	corenet_all_recvfrom_netlabel(postfix_$1_t)
	corenet_tcp_sendrecv_generic_if(postfix_$1_t)
	corenet_udp_sendrecv_generic_if(postfix_$1_t)
	corenet_tcp_sendrecv_generic_node(postfix_$1_t)
	corenet_udp_sendrecv_generic_node(postfix_$1_t)
	corenet_tcp_sendrecv_all_ports(postfix_$1_t)
	corenet_udp_sendrecv_all_ports(postfix_$1_t)
	corenet_tcp_bind_generic_node(postfix_$1_t)
	corenet_udp_bind_generic_node(postfix_$1_t)
	corenet_tcp_connect_all_ports(postfix_$1_t)
	corenet_sendrecv_all_client_packets(postfix_$1_t)

optional_policy(`
		mysql_stream_connect(postfix_$1_t)
	')
')

########################################
## <summary>
##	Creates a process domain for programs
##	that are ran by users.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix of the domain.
##	</summary>
## </param>
#
template(`postfix_user_domain_template',`
	gen_require(`
		attribute postfix_user_domains, postfix_user_domtrans;
	')

postfix_domain_template($1)

typeattribute postfix_$1_t postfix_user_domains;

allow postfix_$1_t self:capability dac_override;

domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)

domain_use_interactive_fds(postfix_$1_t)

application_domain(postfix_$1_t, postfix_$1_exec_t)
')

########################################
## <summary>
##	Read postfix configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`postfix_read_config',`
	gen_require(`
		type postfix_etc_t;
	')

read_files_pattern($1, postfix_etc_t, postfix_etc_t)
	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
	files_search_etc($1)
')

########################################
## <summary>
##	Create files with the specified type in
##	the postfix configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
interface(`postfix_config_filetrans',`
	gen_require(`
		type postfix_etc_t;
	')

files_search_etc($1)
	filetrans_pattern($1, postfix_etc_t, $2, $3)
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write postfix local delivery
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`postfix_dontaudit_rw_local_tcp_sockets',`
	gen_require(`
		type postfix_local_t;
	')

dontaudit $1 postfix_local_t:tcp_socket { read write };
')

########################################
## <summary>
##	Allow read/write postfix local pipes
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_rw_local_pipes',`
	gen_require(`
		type postfix_local_t;
	')

allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
')

#######################################
## <summary>
##  Allow read/write postfix public pipes
##  TCP sockets.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`postfix_rw_public_pipes',`
    gen_require(`
        type postfix_public_t;
    ')

allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Allow domain to read postfix local process state
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_read_local_state',`
	gen_require(`
		type postfix_local_t;
	')

kernel_search_proc($1)
	ps_process_pattern($1, postfix_local_t)
')

########################################
## <summary>
##	Allow domain to read postfix master process state
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_read_master_state',`
	gen_require(`
		type postfix_master_t;
	')

kernel_search_proc($1)
	ps_process_pattern($1, postfix_master_t)
')

########################################
## <summary>
##	Use postfix master process file
##	file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_use_fds_master',`
	gen_require(`
		type postfix_master_t;
	')

allow $1 postfix_master_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to use
##	postfix master process file
##	file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`postfix_dontaudit_use_fds',`
	gen_require(`
		type postfix_master_t;
	')

dontaudit $1 postfix_master_t:fd use;
')

########################################
## <summary>
##	Execute postfix_map in the postfix_map domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`postfix_domtrans_map',`
	gen_require(`
		type postfix_map_t, postfix_map_exec_t;
	')

domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
')

########################################
## <summary>
##	Execute postfix_map in the postfix_map domain, and
##	allow the specified role the postfix_map domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`postfix_run_map',`
	gen_require(`
		type postfix_map_t;
	')

postfix_domtrans_map($1)
	role $2 types postfix_map_t;
')

########################################
## <summary>
##	Execute the master postfix program in the
##	postfix_master domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`postfix_domtrans_master',`
	gen_require(`
		type postfix_master_t, postfix_master_exec_t;
	')

domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')

########################################
## <summary>
##	Execute the master postfix in the postfix master domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_initrc_domtrans',`
	gen_require(`
		type postfix_initrc_exec_t;
	')

init_labeled_script_domtrans($1, postfix_initrc_exec_t)
')

########################################
## <summary>
##	Execute the master postfix program in the
##	caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_exec_master',`
	gen_require(`
		type postfix_master_exec_t;
	')

can_exec($1, postfix_master_exec_t)
')

#######################################
## <summary>
##	Connect to postfix master process using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_stream_connect_master',`
	gen_require(`
		type postfix_master_t, postfix_public_t;
	')

stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
')

########################################
## <summary>
##	Allow read/write postfix master pipes
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_rw_master_pipes',`
	gen_require(`
		type postfix_master_t;
	')

allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Execute the master postdrop in the
##	postfix_postdrop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`postfix_domtrans_postdrop',`
	gen_require(`
		type postfix_postdrop_t, postfix_postdrop_exec_t;
	')

domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
')

########################################
## <summary>
##	Execute the master postqueue in the
##	postfix_postqueue domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`postfix_domtrans_postqueue',`
	gen_require(`
		type postfix_postqueue_t, postfix_postqueue_exec_t;
	')

domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
')

#######################################
## <summary>
##	Execute the master postqueue in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_exec_postqueue',`
	gen_require(`
		type postfix_postqueue_exec_t;
	')

can_exec($1, postfix_postqueue_exec_t)
')

########################################
## <summary>
##	Create a named socket in a postfix private directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_create_private_sockets',`
	gen_require(`
		type postfix_private_t;
	')

allow $1 postfix_private_t:dir list_dir_perms;
	create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')

########################################
## <summary>
##	manage named socket in a postfix private directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_manage_private_sockets',`
	gen_require(`
		type postfix_private_t;
	')

allow $1 postfix_private_t:dir list_dir_perms;
	manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')

########################################
## <summary>
##	Execute the master postfix program in the
##	postfix_master domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`postfix_domtrans_smtp',`
	gen_require(`
		type postfix_smtp_t, postfix_smtp_exec_t;
	')

domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
')

########################################
## <summary>
##	Getattr postfix mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_getattr_spool_files',`
	gen_require(`
		attribute postfix_spool_type;
	')

files_search_spool($1)
	getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
')

########################################
## <summary>
##	Search postfix mail spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_search_spool',`
	gen_require(`
		attribute postfix_spool_type;
	')

allow $1 postfix_spool_type:dir search_dir_perms;
	files_search_spool($1)
')

########################################
## <summary>
##	List postfix mail spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_list_spool',`
	gen_require(`
		attribute postfix_spool_type;
	')

allow $1 postfix_spool_type:dir list_dir_perms;
	files_search_spool($1)
')

########################################
## <summary>
##	Read postfix mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_read_spool_files',`
	gen_require(`
		attribute postfix_spool_type;
	')

files_search_spool($1)
	read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')

########################################
## <summary>
##	Create, read, write, and delete postfix mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_manage_spool_files',`
	gen_require(`
		attribute postfix_spool_type;
	')

files_search_spool($1)
	manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
')

#######################################
## <summary>
##  Read, write, and delete postfix maildrop spool files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`postfix_rw_spool_maildrop_files',`
    gen_require(`
        type postfix_spool_maildrop_t;
    ')

files_search_spool($1)
    rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
')

#######################################
## <summary>
##  Create, read, write, and delete postfix maildrop spool files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`postfix_manage_spool_maildrop_files',`
    gen_require(`
        type postfix_spool_maildrop_t;
    ')

files_search_spool($1)
    manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
    manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
')

########################################
## <summary>
##	Execute postfix user mail programs
##	in their respective domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postfix_domtrans_user_mail_handler',`
	gen_require(`
		attribute postfix_user_domtrans;
	')

typeattribute $1 postfix_user_domtrans;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an postfix environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`postfix_admin',`
	gen_require(`
		attribute postfix_spool_type;
		type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
		type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
		type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
		type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
		type postfix_smtpd_t, postfix_var_run_t;
	')

allow $1 postfix_bounce_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_bounce_t)

allow $1 postfix_cleanup_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_cleanup_t)

allow $1 postfix_local_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_local_t)

allow $1 postfix_master_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_master_t)

allow $1 postfix_pickup_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_pickup_t)

allow $1 postfix_qmgr_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_qmgr_t)

allow $1 postfix_smtpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, postfix_smtpd_t)

postfix_run_map($1, $2)
	postfix_run_postdrop($1, $2)

postfix_initrc_domtrans($1)
	domain_system_change_exemption($1)
    role_transition $2 postfix_initrc_exec_t system_r;
	allow $2 system_r;

postfix_stream_connect_master($1)

admin_pattern($1, postfix_data_t)

files_list_etc($1)
	admin_pattern($1, postfix_etc_t)

files_list_spool($1)
	admin_pattern($1, postfix_spool_type)

admin_pattern($1, postfix_var_run_t)

files_list_tmp($1)
	admin_pattern($1, postfix_map_tmp_t)
	
	admin_pattern($1, postfix_prng_t)

admin_pattern($1, postfix_public_t)
')

########################################
## <summary>
##	Execute the master postdrop in the
##	postfix_postdrop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##  <summary>
##  The role to be allowed the iptables domain.
##  </summary>
## </param>
## <rolecap/>
#
interface(`postfix_run_postdrop',`
	gen_require(`
		type postfix_postdrop_t;
	')

postfix_domtrans_postdrop($1)
	role $2 types postfix_postdrop_t;
	allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };

ifdef(`hide_broken_symptoms', `
        dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };
    ')
')

${this.title}

Code Editor : postfix.if