mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-04 00:05:14 +00:00
Merge branch 'cboltz-postfix-profiles' into 'master'
update postfix profiles On openSUSE Leap 15.1, the postfix binaries live in /usr/lib/postfix/bin/ which was not covered in the postfix.\* attachment and mrix rules. Also add several permissions to the postfix.\* profiles needed on openSUSE Leap 15.1. PR: https://gitlab.com/apparmor/apparmor/merge_requests/380 Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-anvil /usr/lib/postfix/{sbin/,}anvil {
|
profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}anvil rmix,
|
/usr/lib/postfix/{bin/,sbin/,}anvil mrix,
|
||||||
|
|
||||||
/etc/postfix/main.cf r,
|
/etc/postfix/main.cf r,
|
||||||
/{var/spool/postfix/,}private/anvil rw,
|
/{var/spool/postfix/,}private/anvil rw,
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,21 +12,24 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce {
|
profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}bounce rmix,
|
/usr/lib/postfix/{bin/,sbin/,}bounce mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}active/[0-9A-F]/* rwk,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}bounce/[0-9A-F]/* rwk,
|
||||||
/{var/spool/postfix/,}bounce/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}bounce/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwkl,
|
||||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}defer/[0-9A-F]/* rwkl,
|
||||||
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
@@ -33,6 +37,7 @@ profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce {
|
|||||||
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}trace/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}trace/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}trace/[0-9A-F]* rwk,
|
||||||
/{var/spool/postfix/,}public/cleanup w,
|
/{var/spool/postfix/,}public/cleanup w,
|
||||||
|
|
||||||
/{var/spool/postfix/,}pid/unix.bounce rwk,
|
/{var/spool/postfix/,}pid/unix.bounce rwk,
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,14 +12,15 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-cleanup /usr/lib/postfix/{sbin/,}cleanup {
|
profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
capability net_bind_service,
|
capability net_bind_service,
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}cleanup rmix,
|
/usr/lib/postfix/{bin/,sbin/,}cleanup mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
|
/{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
|
||||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
|
|||||||
@@ -12,8 +12,8 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-discard /usr/lib/postfix/{sbin/,}discard {
|
profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}discard rmix,
|
/usr/lib/postfix/{bin/,sbin/,}discard mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,10 +11,10 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-dnsblog /usr/lib/postfix/{sbin/,}dnsblog {
|
profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}dnsblog rmix,
|
/usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
|
||||||
|
|
||||||
/var/spool/postfix/private/dnsblog rw,
|
/var/spool/postfix/private/dnsblog rw,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -12,12 +12,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-error /usr/lib/postfix/{sbin/,}error {
|
profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}error rmix,
|
/usr/lib/postfix/{bin/,sbin/,}error mrix,
|
||||||
|
|
||||||
owner /var/spool/postfix/active/* rwk,
|
owner /var/spool/postfix/active/* rwk,
|
||||||
/var/spool/postfix/pid/unix.error rwk,
|
/var/spool/postfix/pid/unix.error rwk,
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-flush /usr/lib/postfix/{sbin/,}flush {
|
profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}flush rmix,
|
/usr/lib/postfix/{bin/,sbin/,}flush mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}deferred/ r,
|
/{var/spool/postfix/,}deferred/ r,
|
||||||
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
|
|||||||
@@ -12,12 +12,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-lmtp /usr/lib/postfix/{sbin/,}lmtp {
|
profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}lmtp rmix,
|
/usr/lib/postfix/{bin/,sbin/,}lmtp mrix,
|
||||||
|
|
||||||
/var/spool/postfix/active/* rwk,
|
/var/spool/postfix/active/* rwk,
|
||||||
/var/spool/postfix/pid/unix.lmtp rwk,
|
/var/spool/postfix/pid/unix.lmtp rwk,
|
||||||
|
|||||||
@@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-local /usr/lib/postfix/{sbin/,}local {
|
profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/bash>
|
#include <abstractions/bash>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
@@ -24,7 +24,7 @@ profile postfix-local /usr/lib/postfix/{sbin/,}local {
|
|||||||
/var/mailman/mail/wrapper Px,
|
/var/mailman/mail/wrapper Px,
|
||||||
/usr/bin/mlmmj-recieve Px,
|
/usr/bin/mlmmj-recieve Px,
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}local rmix,
|
/usr/lib/postfix/{bin/,sbin/,}local mrix,
|
||||||
/{usr/,}bin/bash mixr,
|
/{usr/,}bin/bash mixr,
|
||||||
/{usr/,}bin/date mixr,
|
/{usr/,}bin/date mixr,
|
||||||
|
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,7 +12,7 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-master /usr/lib/postfix/{sbin/,}master {
|
profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
@@ -28,25 +29,30 @@ profile postfix-master /usr/lib/postfix/{sbin/,}master {
|
|||||||
|
|
||||||
/etc/postfix/master.cf r,
|
/etc/postfix/master.cf r,
|
||||||
/{var/spool/postfix/,}pid/master.pid rwk,
|
/{var/spool/postfix/,}pid/master.pid rwk,
|
||||||
|
/{var/spool/postfix/,}pid/unix.lmtp wk,
|
||||||
|
|
||||||
/{var/spool/postfix/,}private/* wl,
|
/{var/spool/postfix/,}private/* wl,
|
||||||
/{var/spool/postfix/,}private/tlsmgr rwl,
|
/{var/spool/postfix/,}private/tlsmgr rwl,
|
||||||
/{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl,
|
/{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl,
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}anvil Px,
|
/usr/lib/postfix/{bin/,sbin/,}anvil Px,
|
||||||
/usr/lib/postfix/{sbin/,}bounce Px,
|
/usr/lib/postfix/{bin/,sbin/,}bounce Px,
|
||||||
/usr/lib/postfix/{sbin/,}cleanup Px,
|
/usr/lib/postfix/{bin/,sbin/,}cleanup Px,
|
||||||
/usr/lib/postfix/{sbin/,}flush Px,
|
/usr/lib/postfix/{bin/,sbin/,}flush Px,
|
||||||
/usr/lib/postfix/{sbin/,}local Px,
|
/usr/lib/postfix/{bin/,sbin/,}local Px,
|
||||||
/usr/lib/postfix/{sbin/,}master rmix,
|
/usr/lib/postfix/{bin/,sbin/,}lmtp mrPx,
|
||||||
/usr/lib/postfix/{sbin/,}nqmgr Px,
|
/usr/lib/postfix/{bin/,sbin/,}master mrix,
|
||||||
/usr/lib/postfix/{sbin/,}proxymap Px,
|
/usr/lib/postfix/{bin/,sbin/,}nqmgr Px,
|
||||||
/usr/lib/postfix/{sbin/,}pickup Px,
|
/usr/lib/postfix/{bin/,sbin/,}proxymap Px,
|
||||||
/usr/lib/postfix/{sbin/,}pipe Px,
|
/usr/lib/postfix/{bin/,sbin/,}pickup Px,
|
||||||
/usr/lib/postfix/{sbin/,}qmgr Px,
|
/usr/lib/postfix/{bin/,sbin/,}pipe Px,
|
||||||
/usr/lib/postfix/{sbin/,}scache Px,
|
/usr/lib/postfix/{bin/,sbin/,}qmgr Px,
|
||||||
/usr/lib/postfix/{sbin/,}showq Px,
|
/usr/lib/postfix/{bin/,sbin/,}scache Px,
|
||||||
/usr/lib/postfix/{sbin/,}smtp Px,
|
/usr/lib/postfix/{bin/,sbin/,}showq Px,
|
||||||
/usr/lib/postfix/{sbin/,}smtpd Px,
|
/usr/lib/postfix/{bin/,sbin/,}smtp Px,
|
||||||
/usr/lib/postfix/{sbin/,}tlsmgr Px,
|
/usr/lib/postfix/{bin/,sbin/,}smtpd Px,
|
||||||
/usr/lib/postfix/{sbin/,}trivial-rewrite Px,
|
/usr/lib/postfix/{bin/,sbin/,}tlsmgr Px,
|
||||||
|
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite Px,
|
||||||
|
|
||||||
|
owner /var/lib/postfix/master.lock rwk,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-nqmgr /usr/lib/postfix/{sbin/,}nqmgr {
|
profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}nqmgr rmix,
|
/usr/lib/postfix/{bin/,sbin/,}nqmgr mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}active/ r,
|
/{var/spool/postfix/,}active/ r,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/ r,
|
/{var/spool/postfix/,}active/[0-9A-F]/ r,
|
||||||
|
|||||||
@@ -12,10 +12,10 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-oqmgr /usr/lib/postfix/{sbin/,}oqmgr {
|
profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}oqmgr rmix,
|
/usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-pickup /usr/lib/postfix/{sbin/,}pickup {
|
profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}pickup rmix,
|
/usr/lib/postfix/{bin/,sbin/,}pickup mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}public/cleanup rw,
|
/{var/spool/postfix/,}public/cleanup rw,
|
||||||
/{var/spool/postfix/,}public/pickup r,
|
/{var/spool/postfix/,}public/pickup r,
|
||||||
|
|||||||
@@ -12,12 +12,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-pipe /usr/lib/postfix/{sbin/,}pipe {
|
profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}pipe rmix,
|
/usr/lib/postfix/{bin/,sbin/,}pipe mrix,
|
||||||
|
|
||||||
/var/spool/postfix/active/* rwk,
|
/var/spool/postfix/active/* rwk,
|
||||||
/var/spool/postfix/private/bounce w,
|
/var/spool/postfix/private/bounce w,
|
||||||
|
|||||||
@@ -10,8 +10,8 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-postscreen /usr/lib/postfix/{sbin/,}postscreen {
|
profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}postscreen rmix,
|
/usr/lib/postfix/{bin/,sbin/,}postscreen mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,11 +12,13 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-proxymap /usr/lib/postfix/{sbin/,}proxymap {
|
profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
|
#include <abstractions/openssl>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}proxymap rmix,
|
/etc/my.cnf r,
|
||||||
|
/usr/lib/postfix/{bin/,sbin/,}proxymap mrix,
|
||||||
/{var/spool/postfix/,}private/proxymap rw,
|
/{var/spool/postfix/,}private/proxymap rw,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr {
|
profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}qmgr rmix,
|
/usr/lib/postfix/{bin/,sbin/,}qmgr mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}active/ r,
|
/{var/spool/postfix/,}active/ r,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
@@ -27,9 +27,11 @@ profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr {
|
|||||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}defer/[0-9A-F]/* w,
|
||||||
/{var/spool/postfix/,}deferred/ r,
|
/{var/spool/postfix/,}deferred/ r,
|
||||||
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}deferred/[0-9A-F]/* rw,
|
||||||
/{var/spool/postfix/,}deferred/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}deferred/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}incoming/ r,
|
/{var/spool/postfix/,}incoming/ r,
|
||||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
|
|||||||
@@ -11,10 +11,10 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-qmqpd /usr/lib/postfix/{sbin/,}qmqpd {
|
profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}qmqpd rmix,
|
/usr/lib/postfix/{bin/,sbin/,}qmqpd mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -13,10 +13,10 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-scache /usr/lib/postfix/{sbin/,}scache {
|
profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}scache rmix,
|
/usr/lib/postfix/{bin/,sbin/,}scache mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-showq /usr/lib/postfix/{sbin/,}showq {
|
profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}showq rmix,
|
/usr/lib/postfix/{bin/,sbin/,}showq mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}active/ r,
|
/{var/spool/postfix/,}active/ r,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r,
|
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r,
|
||||||
@@ -40,5 +40,7 @@ profile postfix-showq /usr/lib/postfix/{sbin/,}showq {
|
|||||||
/{var/spool/postfix/,}incoming/[0-9A-F]/ r,
|
/{var/spool/postfix/,}incoming/[0-9A-F]/ r,
|
||||||
/{var/spool/postfix/,}maildrop/ r,
|
/{var/spool/postfix/,}maildrop/ r,
|
||||||
/{var/spool/postfix/,}maildrop/[0-9A-F]/ r,
|
/{var/spool/postfix/,}maildrop/[0-9A-F]/ r,
|
||||||
/{var/spool/postfix/,}pid/unix.showq rw,
|
/{var/spool/postfix/,}pid/unix.showq rwk,
|
||||||
|
owner /{var/spool/postfix,}/defer/[0-9A-F]/[0-9A-F]* r,
|
||||||
|
owner /{var/spool/postfix,}/deferred/[0-9A-F]/[0-9A-F]* r,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,7 +12,7 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
|
profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
@@ -21,10 +22,11 @@ profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
|
|||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability net_bind_service,
|
capability net_bind_service,
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}smtp rmix,
|
/usr/lib/postfix/{bin/,sbin/,}smtp mrix,
|
||||||
|
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
|
||||||
|
/{var/spool/postfix/,}active/[0-9A-F]/* rwk,
|
||||||
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
|
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
|
||||||
/{var/spool/postfix/,}private/anvil w,
|
/{var/spool/postfix/,}private/anvil w,
|
||||||
/{var/spool/postfix/,}private/bounce w,
|
/{var/spool/postfix/,}private/bounce w,
|
||||||
@@ -34,7 +36,7 @@ profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
|
|||||||
/{var/spool/postfix/,}private/tlsmgr w,
|
/{var/spool/postfix/,}private/tlsmgr w,
|
||||||
/{var/spool/postfix/,}private/trace w,
|
/{var/spool/postfix/,}private/trace w,
|
||||||
/{var/spool/postfix/,}public/flush w,
|
/{var/spool/postfix/,}public/flush w,
|
||||||
/{var/spool/postfix/,}pid/unix.smtp rw,
|
/{var/spool/postfix/,}pid/unix.smtp rwk,
|
||||||
/{var/spool/postfix/,}pid/unix.relay rw,
|
/{var/spool/postfix/,}pid/unix.relay rw,
|
||||||
/etc/postfix/{ssl/,}*.pem r,
|
/etc/postfix/{ssl/,}*.pem r,
|
||||||
/etc/postfix/prng_exch rw,
|
/etc/postfix/prng_exch rw,
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,7 +12,7 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
|
profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
@@ -22,7 +23,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
|
|||||||
capability dac_override,
|
capability dac_override,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}smtpd rmix,
|
/usr/lib/postfix/{bin/,sbin/,}smtpd mrix,
|
||||||
/usr/sbin/postdrop rPx,
|
/usr/sbin/postdrop rPx,
|
||||||
|
|
||||||
/dev/urandom r,
|
/dev/urandom r,
|
||||||
@@ -32,6 +33,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
|
|||||||
/etc/mtab r,
|
/etc/mtab r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/postfix/*.db r,
|
/etc/postfix/*.db r,
|
||||||
|
/etc/postfix/*.regexp r,
|
||||||
/etc/postfix/{ssl/,}*.pem r,
|
/etc/postfix/{ssl/,}*.pem r,
|
||||||
/etc/postfix/smtpd_scache.dir r,
|
/etc/postfix/smtpd_scache.dir r,
|
||||||
/etc/postfix/smtpd_scache.pag rw,
|
/etc/postfix/smtpd_scache.pag rw,
|
||||||
@@ -40,6 +42,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
|
|||||||
|
|
||||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
/usr/share/ssl/certs/ca-bundle.crt r,
|
||||||
|
|
||||||
|
/{var/spool/postfix/,}incoming/* rw,
|
||||||
/{var/spool/postfix/,}pid/inet.* rwk,
|
/{var/spool/postfix/,}pid/inet.* rwk,
|
||||||
/{var/spool/postfix/,}private/anvil rw,
|
/{var/spool/postfix/,}private/anvil rw,
|
||||||
/{var/spool/postfix/,}private/proxymap rw,
|
/{var/spool/postfix/,}private/proxymap rw,
|
||||||
|
|||||||
@@ -11,10 +11,10 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-spawn /usr/lib/postfix/{sbin/,}spawn {
|
profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}spawn rmix,
|
/usr/lib/postfix/{bin/,sbin/,}spawn mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -12,12 +12,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-tlsmgr /usr/lib/postfix/{sbin/,}tlsmgr {
|
profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}tlsmgr rmix,
|
/usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
|
||||||
|
|
||||||
/var/spool/postfix/dev/urandom r,
|
/var/spool/postfix/dev/urandom r,
|
||||||
/{etc,var/lib}/postfix/prng_exch rwk,
|
/{etc,var/lib}/postfix/prng_exch rwk,
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2002-2006 Novell/SUSE
|
# Copyright (C) 2002-2006 Novell/SUSE
|
||||||
# Copyright (C) 2018 Canonical, Ltd.
|
# Copyright (C) 2018 Canonical, Ltd.
|
||||||
|
# Copyright (C) 2019 Christian Boltz
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
@@ -11,12 +12,14 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-trivial-rewrite /usr/lib/postfix/{sbin/,}trivial-rewrite {
|
profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}trivial-rewrite rmix,
|
capability dac_read_search,
|
||||||
|
|
||||||
|
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite mrix,
|
||||||
|
|
||||||
/etc/postfix/relocated.db r,
|
/etc/postfix/relocated.db r,
|
||||||
/etc/postfix/transport.db r,
|
/etc/postfix/transport.db r,
|
||||||
|
|||||||
@@ -11,10 +11,10 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-verify /usr/lib/postfix/{sbin/,}verify {
|
profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}verify rmix,
|
/usr/lib/postfix/{bin/,sbin/,}verify mrix,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
|
|
||||||
profile postfix-virtual /usr/lib/postfix/{sbin/,}virtual {
|
profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
#include <abstractions/postfix-common>
|
#include <abstractions/postfix-common>
|
||||||
|
|
||||||
/usr/lib/postfix/{sbin/,}virtual rmix,
|
/usr/lib/postfix/{bin/,sbin/,}virtual mrix,
|
||||||
|
|
||||||
/var/spool/postfix/active/* rw,
|
/var/spool/postfix/active/* rw,
|
||||||
/var/spool/postfix/pid/unix.virtual rw,
|
/var/spool/postfix/pid/unix.virtual rw,
|
||||||
|
|||||||
@@ -22,7 +22,7 @@
|
|||||||
|
|
||||||
/etc/postfix r,
|
/etc/postfix r,
|
||||||
/usr/sbin/postqueue rmix,
|
/usr/sbin/postqueue rmix,
|
||||||
/usr/lib/postfix/showq Px,
|
/usr/lib/postfix/{bin/,sbin/,}showq Px,
|
||||||
/var/spool/postfix r,
|
/var/spool/postfix r,
|
||||||
/var/spool/postfix/maildrop r,
|
/var/spool/postfix/maildrop r,
|
||||||
/var/spool/postfix/maildrop/* rwl,
|
/var/spool/postfix/maildrop/* rwl,
|
||||||
|
|||||||
Reference in New Issue
Block a user