Commit 869f98a2 authored by Christian Boltz's avatar Christian Boltz

Merge branch 'postfix-profiles' into 'master'

Postfix profile updates

See merge request !284

Acked-by: Christian Boltz <apparmor@cboltz.de>
parents 6fd0990b 4c85a7ec
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2015 Canonical, Ltd.
# Copyright (C) 2015-2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -16,9 +16,9 @@
capability sys_chroot,
# postfix's master can send us signals
signal receive peer=/usr/lib/postfix/master,
signal receive peer=postfix-master,
unix (send, receive) peer=(label=/usr/lib/postfix/master),
unix (send, receive) peer=(label=postfix-master),
/etc/mailname r,
/etc/postfix/*.cf r,
......@@ -33,3 +33,5 @@
/var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr,
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,18 +11,14 @@
#include <tunables/global>
/usr/lib/postfix/anvil {
profile postfix-anvil /usr/lib/postfix/{sbin/,}anvil {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
capability setgid,
capability setuid,
/usr/lib/postfix/anvil rmix,
/usr/lib/postfix/{sbin/,}anvil rmix,
/etc/postfix/main.cf r,
/{var/spool/postfix/,}private/anvil rw,
/{var/spool/postfix/,}pid/unix.anvil rw,
@{PROC}/net/if_inet6 r,
/{var/spool/postfix/,}pid/unix.anvil rwk,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,15 +11,12 @@
#include <tunables/global>
/usr/lib/postfix/bounce {
profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
capability setgid,
capability setuid,
/usr/lib/postfix/bounce rmix,
/usr/lib/postfix/{sbin/,}bounce rmix,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
......@@ -36,10 +34,8 @@
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}trace/[0-9A-F]/ rwl,
/{var/spool/postfix/,}public/cleanup w,
/{var/spool/postfix/,}pid/unix.bounce rw,
/{var/spool/postfix/,}pid/unix.defer rw,
/{var/spool/postfix/,}pid/unix.trace rw,
/etc/postfix/main.cf r,
@{PROC}/net/if_inet6 r,
/{var/spool/postfix/,}pid/unix.bounce rwk,
/{var/spool/postfix/,}pid/unix.defer rwk,
/{var/spool/postfix/,}pid/unix.trace rwk,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,23 +11,27 @@
#include <tunables/global>
/usr/lib/postfix/cleanup {
profile postfix-cleanup /usr/lib/postfix/{sbin/,}cleanup {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
capability net_bind_service,
/usr/lib/postfix/cleanup rmix,
/usr/lib/postfix/{sbin/,}cleanup rmix,
/{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/ rwl,
/{var/spool/postfix/,}private/{rewrite,bounce} w,
/{var/spool/postfix/,}public/qmgr w,
/{var/spool/postfix/,}incoming/[0-9A-F]* rw,
/{var/spool/postfix/,}private/bounce w,
/{var/spool/postfix/,}private/rewrite rw,
/{var/spool/postfix/,}public/qmgr rw,
/{var/spool/postfix/,}hold/[0-9A-F]* w,
/{var/spool/postfix/,}pid/unix.cleanup rw,
/{var/spool/postfix/,}public/cleanup rw,
/{var/spool/postfix/,}pid/unix.cleanup rwk,
/etc/{m,fs}tab r,
/etc/postfix/* r,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -11,8 +12,8 @@
#include <tunables/global>
/usr/lib/postfix/discard {
profile postfix-discard /usr/lib/postfix/{sbin/,}discard {
#include <abstractions/base>
/usr/lib/postfix/discard rmix,
/usr/lib/postfix/{sbin/,}discard rmix,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
#include <tunables/global>
profile postfix-dnsblog /usr/lib/postfix/{sbin/,}dnsblog {
#include <abstractions/base>
/usr/lib/postfix/{sbin/,}dnsblog rmix,
/var/spool/postfix/private/dnsblog rw,
}
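Review bot: The new postfix-dnsblog profile includes only `abstractions/base`, so it never picks up the `signal receive peer=postfix-master,` and `unix (send, receive) peer=(label=postfix-master),` rules that this commit puts in `abstractions/postfix-common`, and it has no `abstractions/nameservice` even though the daemon's job is DNS lookups. With the profile enforced that presumably leaves dnsblog unable to resolve anything or to take signals from a confined master; I would add `#include <abstractions/nameservice>` and `#include <abstractions/postfix-common>` after the base include. The socket rule also hard-codes `/var/spool/postfix/private/dnsblog`, where most sibling profiles use the `/{var/spool/postfix/,}private/...` form. The new postfix-postscreen profile further down has the same base-only shape and grants nothing beyond its own binary, so the same applies there.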
......@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -11,13 +12,13 @@
#include <tunables/global>
/usr/lib/postfix/error {
profile postfix-error /usr/lib/postfix/{sbin/,}error {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
@{PROC}/sys/kernel/ngroups_max r,
/usr/lib/postfix/error mrix,
/usr/lib/postfix/{sbin/,}error rmix,
owner /var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.error rwk,
/var/spool/postfix/pid/unix.retry rwk,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,15 +11,12 @@
#include <tunables/global>
/usr/lib/postfix/flush {
profile postfix-flush /usr/lib/postfix/{sbin/,}flush {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
capability setgid,
capability setuid,
/usr/lib/postfix/flush rmix,
/usr/lib/postfix/{sbin/,}flush rmix,
/{var/spool/postfix/,}deferred/ r,
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
......@@ -35,8 +33,6 @@
/{var/spool/postfix/,}public/qmgr w,
/{var/spool/postfix/,}pid/unix.flush rw,
/etc/mtab r,
/etc/postfix/main.cf r,
/etc/postfix/virtual.db r,
@{HOME}/.forward r,
......
......@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -11,12 +12,13 @@
#include <tunables/global>
/usr/lib/postfix/lmtp {
profile postfix-lmtp /usr/lib/postfix/{sbin/,}lmtp {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/lmtp mrix,
/usr/lib/postfix/{sbin/,}lmtp rmix,
/var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.lmtp rwk,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,7 +11,7 @@
#include <tunables/global>
/usr/lib/postfix/local {
profile postfix-local /usr/lib/postfix/{sbin/,}local {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
......@@ -23,20 +24,24 @@
/var/mailman/mail/wrapper Px,
/usr/bin/mlmmj-recieve Px,
/usr/lib/postfix/local rmix,
/usr/lib/postfix/{sbin/,}local rmix,
/{usr/,}bin/bash mixr,
/{usr/,}bin/date mixr,
/dev/tty rw,
/etc/{postfix/,}aliases.db r,
/etc/{postfix/,}aliases.db rk,
# mailman on SuSE is configed to have its own alias file
/var/lib/mailman/data/aliases.db r,
/var/lib/mailman/data/aliases.db rk,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rw,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rw,
/{var/spool/postfix/,}active/[0-9A-F]/ rw,
/{var/spool/postfix/,}pid/unix.local rw,
/{var/spool/postfix/,}private/{bounce,defer,flush,lmtp,rewrite} rw,
/{var/spool/postfix/,}active/[0-9A-F]* rwk,
/{var/spool/postfix/,}pid/unix.local rwk,
/{var/spool/postfix/,}private/{bounce,defer,flush,lmtp,local,rewrite} rw,
/{var/spool/postfix/,}public/{cleanup,flush} rw,
/etc/postfix/virtual.db r,
/etc/postfix/lists.db r,
# deliver mail
/var/mail/* wk,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,7 +11,7 @@
#include <tunables/global>
/usr/lib/postfix/master {
profile postfix-master /usr/lib/postfix/{sbin/,}master {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
......@@ -18,6 +19,12 @@
capability net_bind_service,
capability kill,
capability dac_override,
capability dac_read_search,
signal send peer=postfix-*,
signal peer=@{profile_name},
unix (send receive) type=stream peer=(label=postfix-*),
/etc/postfix/master.cf r,
/{var/spool/postfix/,}pid/master.pid rwk,
......@@ -25,22 +32,21 @@
/{var/spool/postfix/,}private/tlsmgr rwl,
/{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl,
/usr/lib/postfix/anvil Px,
/usr/lib/postfix/bounce Px,
/usr/lib/postfix/cleanup Px,
/usr/lib/postfix/flush Px,
/usr/lib/postfix/local Px,
/usr/lib/postfix/master rmix,
/usr/lib/postfix/nqmgr Px,
/usr/lib/postfix/proxymap Px,
/usr/lib/postfix/pickup Px,
/usr/lib/postfix/pipe Px,
/usr/lib/postfix/qmgr Px,
/usr/lib/postfix/scache Px,
/usr/lib/postfix/showq Px,
/usr/lib/postfix/smtp Px,
/usr/lib/postfix/smtpd Px,
/usr/lib/postfix/tlsmgr Px,
/usr/lib/postfix/trivial-rewrite Px,
/usr/lib/postfix/master rmix,
/usr/lib/postfix/{sbin/,}anvil Px,
/usr/lib/postfix/{sbin/,}bounce Px,
/usr/lib/postfix/{sbin/,}cleanup Px,
/usr/lib/postfix/{sbin/,}flush Px,
/usr/lib/postfix/{sbin/,}local Px,
/usr/lib/postfix/{sbin/,}master rmix,
/usr/lib/postfix/{sbin/,}nqmgr Px,
/usr/lib/postfix/{sbin/,}proxymap Px,
/usr/lib/postfix/{sbin/,}pickup Px,
/usr/lib/postfix/{sbin/,}pipe Px,
/usr/lib/postfix/{sbin/,}qmgr Px,
/usr/lib/postfix/{sbin/,}scache Px,
/usr/lib/postfix/{sbin/,}showq Px,
/usr/lib/postfix/{sbin/,}smtp Px,
/usr/lib/postfix/{sbin/,}smtpd Px,
/usr/lib/postfix/{sbin/,}tlsmgr Px,
/usr/lib/postfix/{sbin/,}trivial-rewrite Px,
}
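Review bot: The `Px` list that closes the master profile was converted to `{sbin/,}` paths, but it has no entry for the two profiles this commit introduces, postfix-dnsblog and postfix-postscreen. A confined master can only exec what a rule allows, so with this profile enforced those services would presumably fail to start once enabled in master.cf; adding `/usr/lib/postfix/{sbin/,}dnsblog Px,` and `/usr/lib/postfix/{sbin/,}postscreen Px,` would close that gap. The same looks true for discard, error, lmtp, oqmgr and qmqpd, which have profiles elsewhere in this commit. Part of the profile body between the hunks is collapsed on this page, so confirm against the full file.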
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,12 +11,12 @@
#include <tunables/global>
/usr/lib/postfix/nqmgr {
profile postfix-nqmgr /usr/lib/postfix/{sbin/,}nqmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/nqmgr rmix,
/usr/lib/postfix/{sbin/,}nqmgr rmix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/ r,
......@@ -42,5 +43,4 @@
/{var/spool/postfix/,}private/local w,
/{var/spool/postfix/,}public/flush w,
/{var/spool/postfix/,}public/qmgr r,
/etc/postfix/main.cf r,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -11,10 +12,10 @@
#include <tunables/global>
/usr/lib/postfix/oqmgr {
profile postfix-oqmgr /usr/lib/postfix/{sbin/,}oqmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/oqmgr rmix,
/usr/lib/postfix/{sbin/,}oqmgr rmix,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,14 +11,14 @@
#include <tunables/global>
/usr/lib/postfix/pickup {
profile postfix-pickup /usr/lib/postfix/{sbin/,}pickup {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/pickup rmix,
/usr/lib/postfix/{sbin/,}pickup rmix,
/{var/spool/postfix/,}public/cleanup w,
/{var/spool/postfix/,}public/cleanup rw,
/{var/spool/postfix/,}public/pickup r,
/{var/spool/postfix/,}maildrop/ r,
/{var/spool/postfix/,}maildrop/* rwl,
......
......@@ -2,6 +2,7 @@
#
# Copyright (C) 2006 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -11,12 +12,13 @@
#include <tunables/global>
/usr/lib/postfix/pipe {
profile postfix-pipe /usr/lib/postfix/{sbin/,}pipe {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/pipe mrix,
/usr/lib/postfix/{sbin/,}pipe rmix,
/var/spool/postfix/active/* rwk,
/var/spool/postfix/private/bounce w,
/var/spool/postfix/private/defer w,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
profile postfix-postscreen /usr/lib/postfix/{sbin/,}postscreen {
#include <abstractions/base>
/usr/lib/postfix/{sbin/,}postscreen rmix,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,16 +11,11 @@
#include <tunables/global>
/usr/lib/postfix/proxymap {
profile postfix-proxymap /usr/lib/postfix/{sbin/,}proxymap {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
capability setgid,
capability setuid,
/usr/lib/postfix/proxymap rmix,
/etc/postfix/main.cf r,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/{sbin/,}proxymap rmix,
/{var/spool/postfix/,}private/proxymap rw,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,16 +11,18 @@
#include <tunables/global>
/usr/lib/postfix/qmgr {
profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/qmgr rmix,
/usr/lib/postfix/{sbin/,}qmgr rmix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
/{var/spool/postfix/,}active/[0-9A-F]* rwlk,
/{var/spool/postfix/,}defer/ r,
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
......@@ -32,13 +35,14 @@
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/ rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]* rwl,
/{var/spool/postfix/,}public/flush w,
/{var/spool/postfix/,}public/qmgr r,
/{var/spool/postfix/,}private/bounce w,
/{var/spool/postfix/,}private/defer w,
/{var/spool/postfix/,}private/local w,
/{var/spool/postfix/,}private/local rw,
/{var/spool/postfix/,}private/relay w,
/{var/spool/postfix/,}private/rewrite w,
/{var/spool/postfix/,}private/rewrite rw,
/{var/spool/postfix/,}private/smtp w,
/{var/spool/postfix/,}private/trace w,
/{var/spool/postfix/,}private/uucp w,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,10 +11,10 @@
#include <tunables/global>
/usr/lib/postfix/qmqpd {
profile postfix-qmqpd /usr/lib/postfix/{sbin/,}qmqpd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/qmqpd rmix,
/usr/lib/postfix/{sbin/,}qmqpd rmix,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -12,12 +13,10 @@
#include <tunables/global>
/usr/lib/postfix/scache {
profile postfix-scache /usr/lib/postfix/{sbin/,}scache {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/scache rmix,
/{,var/}run/nscd/group r,
/usr/lib/postfix/{sbin/,}scache rmix,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,12 +11,12 @@
#include <tunables/global>
/usr/lib/postfix/showq {
profile postfix-showq /usr/lib/postfix/{sbin/,}showq {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/showq rmix,
/usr/lib/postfix/{sbin/,}showq rmix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,7 +11,7 @@
#include <tunables/global>
/usr/lib/postfix/smtp {
profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
......@@ -20,7 +21,7 @@
capability dac_read_search,
capability net_bind_service,
/usr/lib/postfix/smtp rmix,
/usr/lib/postfix/{sbin/,}smtp rmix,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,24 +11,24 @@
#include <tunables/global>
/usr/lib/postfix/smtpd {
profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
/usr/lib/postfix/smtpd rmix,
/usr/lib/postfix/{sbin/,}smtpd rmix,
/usr/sbin/postdrop rPx,
/dev/urandom r,
/etc/aliases.db r,
/etc/aliases.db rk,
# mailman on SuSE is configured to have its own alias db
/var/lib/mailman/data/aliases.db r,
/var/lib/mailman/data/aliases.db rk,
/etc/mtab r,
/etc/fstab r,
/etc/postfix/*.db r,
......@@ -37,21 +38,14 @@
/etc/postfix/main.cf r,
/etc/postfix/prng_exch rw,
/usr/lib64/sasl2/ mr,
/usr/lib64/sasl2/* mr,
/usr/lib/sasl2/ mr,
/usr/lib/sasl2/* mr,
/usr/share/ssl/certs/ca-bundle.crt r,
/{var/spool/postfix/,}pid/inet.* rw,
/{var/spool/postfix/,}private/anvil w,
/{var/spool/postfix/,}private/proxymap w,
/{var/spool/postfix/,}private/rewrite w,
/{var/spool/postfix/,}private/tlsmgr w,
/{var/spool/postfix/,}public/cleanup w,
/{var/spool/postfix/,}pid/inet.* rwk,
/{var/spool/postfix/,}private/anvil rw,
/{var/spool/postfix/,}private/proxymap rw,
/{var/spool/postfix/,}private/rewrite rw,
/{var/spool/postfix/,}private/tlsmgr rw,
/{var/spool/postfix/,}public/cleanup rw,
/{,var/}run/sasl2/mux w,
@{PROC}/net/if_inet6 r,
}
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -10,10 +11,10 @@
#include <tunables/global>
/usr/lib/postfix/verify {
profile postfix-spawn /usr/lib/postfix/{sbin/,}spawn {
#include <abstractions/base>
#include <abstractions/nameservice>