# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2006 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

# AppArmor profile for the Postfix SMTP server daemon (smtpd), attached to
# /usr/lib/postfix/bin/smtpd or /usr/lib/postfix/sbin/smtpd.
#
# NOTE(review): flags=(complain) puts the profile in complain (learning)
# mode. Accesses not covered by the rules below are logged but still
# permitted, so the profile does not confine this network-facing daemon.
# To enforce it, drop the flag (or use aa-enforce) after checking the audit
# log for legitimate accesses the rules do not yet cover.
profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/}smtpd flags=(complain) {
  # Shared rule sets: base runtime, name resolution, OpenSSL, rules common
  # to Postfix daemons, and TLS key material. Their contents are not shown
  # in this file; review them alongside this profile, since everything they
  # grant is added to the rules below.
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/postfix-common>
  #include <abstractions/ssl_keys>

  # dac_read_search bypasses file read and directory search permission
  # checks; setgid/setuid allow changing process credentials.
  # Presumably needed to read root-owned files and then drop to the
  # unprivileged Postfix account -- TODO confirm against the daemon.
  capability dac_read_search,
  capability setgid,
  capability setuid,

  # The daemon's own binary: read plus executable mmap (m).
  /usr/lib/postfix/{bin/,sbin/}smtpd                     mr,

  # Px: postdrop runs under its own profile with a scrubbed environment.
  # When enforcing, the exec fails if no profile for postdrop is loaded.
  /usr/sbin/postdrop                             Px,

  # Read-only system and Postfix configuration. The *.pem rule matches every
  # .pem file directly in /etc/postfix/ and /etc/postfix/ssl/ ('*' does not
  # cross '/'), which may cover private keys as well as certificates.
  /dev/urandom                                   r,
  /etc/aliases.db                                r,
  /etc/mtab                                      r,
  /etc/fstab                                     r,
  /etc/postfix/*.db                              r,
  /etc/postfix/{ssl/,}*.pem                      r,
  # NOTE(review): smtpd_scache.dir is read-only while smtpd_scache.pag is
  # read-write; confirm the asymmetry is intended for the session cache.
  /etc/postfix/smtpd_scache.dir                  r,
  /etc/postfix/smtpd_scache.pag                  rw,
  /etc/postfix/main.cf                           r,
  # Writable state under /etc (presumably the TLS PRNG exchange file).
  /etc/postfix/prng_exch                         rw,

  # SASL plugin directories (32- and 64-bit library paths): read and
  # executable mmap of the directory's direct children only.
  /usr/lib64/sasl2/                              mr,
  /usr/lib64/sasl2/*                             mr,
  /usr/lib/sasl2/                                mr,
  /usr/lib/sasl2/*                               mr,

  # 'owner' limits a rule to files owned by the confined process's user.
  # The private/ and public/ entries are write-only endpoints for other
  # Postfix services (presumably UNIX-domain sockets).
  owner /var/spool/postfix/pid/inet.*            rwk,
  owner /var/spool/postfix/private/anvil         w,
  owner /var/spool/postfix/private/proxymap      w,
  owner /var/spool/postfix/private/rewrite       w,
  owner /var/spool/postfix/private/tlsmgr        w,
  owner /var/spool/postfix/public/cleanup        w,

  # NOTE(review): rules are additive, so this unqualified inet.* rule grants
  # write and lock (k) whatever the file's owner; the 'owner' inet.* rule
  # above then only adds read for owned files. Confirm this is intended.
  /var/spool/postfix/pid/inet.*                  wk,
  /var/spool/postfix/pid/pass.smtpd              rwk,

  # Matches /run/sasl2/mux and /var/run/sasl2/mux (presumably the
  # saslauthd socket used for SASL authentication).
  /{,var/}run/sasl2/mux                          w,

  # @{PROC} is a variable, expected to be defined via tunables/global.
  @{PROC}/net/if_inet6                           r,

  # Site-specific additions and overrides. See local/README for details.
  # Anything granted in the local file widens this profile, so review it
  # with the same care as the rules above.
  #include <local/postfix-smtpd>
}
