commit: 94b22b5403841d31a3eeb61bab332e81c3afb69d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:11:10 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:11:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94b22b54
Add postfix operations to postfix_admin
Allow postfix administrator to execute postfix:
~# /usr/sbin/postfix reload
This also requires the administrative domain to have the ability to send
log messages.
policy/modules/contrib/postfix.if | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/postfix.if
b/policy/modules/contrib/postfix.if
index 8e7d1e7..a7ec448 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -748,11 +748,18 @@ interface(`postfix_admin',`
ifdef(`distro_gentoo',`
gen_require(`
type postfix_showq_exec_t;
+ type postfix_master_exec_t;
type postfix_postqueue_t;
')
allow postfix_postqueue_t $1:process sigchld;
can_exec($1, postfix_showq_exec_t)
+
+ # Postfix admin must be able to execute postfix main (for
instance for "postfix reload")
+ can_exec($1, postfix_master_exec_t)
+
+ # Allow postfix admin to send message to log files, needed
during operations like "postfix reload"
+ logging_send_syslog_msg($1)
')
')
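Review bot: `can_exec($1, postfix_master_exec_t)` runs the postfix master binary in the caller's own domain with no transition, so the code behind "postfix reload" executes with whatever the admin domain is already allowed, and `logging_send_syslog_msg($1)` then has to widen every domain passed as $1 to cover what that binary needs. Consider a domain transition into the postfix master domain for this binary instead, so the syslog access stays with the daemon's domain rather than the administrator's. If running it in the caller's domain is intended, say so in the comment above `can_exec`, and note in the interface documentation that postfix_admin now grants syslog access to its caller. Both additions sit inside `ifdef(`distro_gentoo'`, so the commit message should state that the change is Gentoo-only.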