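---
# Role-internal variables for postfix_server.
#
# Packages installed for a Postfix MTA with LDAP lookups and SASL
# (GSSAPI + PLAIN) authentication; s-nail is a command-line mail client.
postfix_packages:
  - postfix
  - postfix-ldap
  - cyrus-sasl
  - cyrus-sasl-gssapi
  - cyrus-sasl-plain
  - s-nail

# TLS material presented by the server.  The private key lives under
# /etc/pki/tls/private; the task that installs it is expected to keep it
# root-owned and unreadable by others — confirm in the role's tasks.
postfix_certificate_path: /etc/pki/tls/certs/postfix2.pem
postfix_certificate_key_path: /etc/pki/tls/private/postfix2.key
# DH parameters are required because the cipher list below enables DHE
# suites in addition to ECDHE.
postfix_dhparams_path: /etc/pki/tls/misc/dhparams-postfix.pem

# HBAC (host-based access control) service and host group names;
# presumably used for authorising logins via the identity provider —
# confirm against the tasks that reference them.
postfix_hbac_service: smtp
postfix_hbac_hostgroup: mail_servers

# CA bundle for verifying remote peers' TLS certificates.
postfix_smtp_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# OpenSSL cipher list: forward-secret (ECDHE/DHE) AEAD suites only —
# AES-GCM and ChaCha20-Poly1305; no CBC suites and no static-RSA key
# exchange.  Keep it on one line: a folded block scalar would insert
# spaces into the colon-separated list.
postfix_cipherlist: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# Service keytab, stored in gssproxy's client directory rather than a
# Postfix-owned path: the SELinux rules below suggest Postfix obtains
# Kerberos credentials through gssproxy instead of reading the keytab
# itself — confirm with the gssproxy configuration the role deploys.
postfix_keytab: /var/lib/gssproxy/clients/postfix.keytab

# Local SELinux type-enforcement module.  It lets the postfix_smtpd_t,
# postfix_master_t and postfix_cleanup_t domains reach the gssproxy
# socket and share kernel keyrings, and lets gssproxy_t stat the Postfix
# executables.  Note the two `process noatsecure` rules: they allow
# postfix_master_t to start smtpd/cleanup without AT_SECURE, so the
# loader's secure-exec environment sanitising is skipped across the
# domain transition.  That is a deliberate relaxation — re-review it if
# the gssproxy integration is ever removed.
# The lines starting with `#=====` are part of the policy text, not
# YAML comments.
postfix_selinux_policy_te: |
  require {
    type postfix_exec_t;
    type postfix_smtpd_exec_t;
    type postfix_cleanup_t;
    type postfix_cleanup_exec_t;
    type postfix_master_t;
    type postfix_smtpd_t;
    type gssproxy_t;
    type gssproxy_var_lib_t;
    class file getattr;
    class dir search;
    class sock_file write;
    class unix_stream_socket connectto;
    class process noatsecure;
    class key { read view write };
  }

  #============= postfix_smtpd_t ==============
  allow postfix_smtpd_t gssproxy_t:unix_stream_socket connectto;
  allow postfix_smtpd_t gssproxy_var_lib_t:dir search;
  allow postfix_smtpd_t gssproxy_var_lib_t:sock_file write;
  allow postfix_smtpd_t postfix_master_t:key { read view write };

  #============= postfix_master_t ==============
  allow postfix_master_t postfix_smtpd_t:process noatsecure;
  allow postfix_master_t postfix_smtpd_t:key { read write };
  allow postfix_master_t postfix_cleanup_t:process noatsecure;
  allow postfix_master_t gssproxy_t:unix_stream_socket connectto;
  allow postfix_master_t gssproxy_var_lib_t:dir search;
  allow postfix_master_t gssproxy_var_lib_t:sock_file write;

  #============= postfix_cleanup_t ==============
  allow postfix_cleanup_t gssproxy_var_lib_t:dir search;
  allow postfix_cleanup_t gssproxy_var_lib_t:sock_file write;
  allow postfix_cleanup_t gssproxy_t:unix_stream_socket connectto;
  allow postfix_cleanup_t postfix_master_t:key read;
  allow postfix_cleanup_t postfix_smtpd_t:key read;

  #============= gssproxy_t ==============
  allow gssproxy_t postfix_cleanup_exec_t:file getattr;
  allow gssproxy_t postfix_smtpd_exec_t:file getattr;
  allow gssproxy_t postfix_exec_t:file getattr;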