# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2006 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

# AppArmor profile for the Postfix master daemon. The attachment glob covers
# both install layouts: /usr/lib/postfix/bin/master and
# /usr/lib/postfix/sbin/master.
# Note: a line starting with "#include" is an AppArmor directive, not a
# comment; every other line starting with "#" is a comment.
profile postfix-master /usr/lib/postfix/{bin/,sbin/}master {
  # Shared rule sets. Their contents are not visible in this file, so the
  # effective policy is this profile plus whatever these abstractions grant.
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/ssl_keys>
  #include <abstractions/postfix-common>

  # net_bind_service: bind to privileged (<1024) ports.
  # kill: bypass the kernel's permission checks when sending signals.
  # dac_read_search: bypass file-read and directory read/search permission
  #   checks. This only overrides discretionary (mode-bit) checks; the path
  #   rules in this profile still bound what can be opened.
  # NOTE(review): dac_read_search is the broadest of the three - confirm it is
  # still required before carrying it into a derived profile.
  capability net_bind_service,
  capability kill,
  capability dac_read_search,

  # Only SIGTERM may be sent, and only to peers confined by a profile whose
  # name matches postfix-* (abstractions may add further signal rules).
  signal send set=term peer=postfix-*,

  # Read-only configuration. "owner" restricts the rule to files owned by the
  # process's fsuid.
  # NOTE(review): the file names suggest 512-bit and 1024-bit DH parameters;
  # 512-bit DH is export-grade - confirm these files are still needed.
  /etc/postfix/master.cf                         r,
  owner /etc/postfix/dh_1024.pem                 r,
  owner /etc/postfix/dh_512.pem                  r,

  # Write + lock on two pid/ entries. The {var/spool/postfix/,} alternation
  # also matches the path without the queue-directory prefix (/pid/...),
  # presumably for a chrooted view - confirm.
  /{var/spool/postfix/,}pid/unix.retry           wk,
  /{var/spool/postfix/,}pid/unix.dnsblog         wk,

  # Daemons master may execute. Px = transition to the target's own profile
  # with the environment scrubbed; the exec is denied if no profile is loaded
  # for the target, so children never inherit master's capabilities.
  # The one exception is master itself (rmix): read, mmap-exec, and execute
  # while staying in this profile.
  /usr/lib/postfix/{bin/,sbin/}anvil             Px,
  /usr/lib/postfix/{bin/,sbin/}bounce            Px,
  /usr/lib/postfix/{bin/,sbin/}cleanup           Px,
  /usr/lib/postfix/{bin/,sbin/}dnsblog           Px,
  /usr/lib/postfix/{bin/,sbin/}error             Px,
  /usr/lib/postfix/{bin/,sbin/}flush             Px,
  /usr/lib/postfix/{bin/,sbin/}local             Px,
  /usr/lib/postfix/{bin/,sbin/}lmtp              Px,
  /usr/lib/postfix/{bin/,sbin/}master            rmix,
  /usr/lib/postfix/{bin/,sbin/}nqmgr             Px,
  /usr/lib/postfix/{bin/,sbin/}proxymap          Px,
  /usr/lib/postfix/{bin/,sbin/}pickup            Px,
  /usr/lib/postfix/{bin/,sbin/}pipe              Px,
  /usr/lib/postfix/{bin/,sbin/}postscreen        Px,
  /usr/lib/postfix/{bin/,sbin/}qmgr              Px,
  /usr/lib/postfix/{bin/,sbin/}scache            Px,
  /usr/lib/postfix/{bin/,sbin/}showq             Px,
  /usr/lib/postfix/{bin/,sbin/}smtp              Px,
  /usr/lib/postfix/{bin/,sbin/}smtpd             Px,
  /usr/lib/postfix/{bin/,sbin/}tlsmgr            Px,
  /usr/lib/postfix/{bin/,sbin/}tlsproxy          Px,
  /usr/lib/postfix/{bin/,sbin/}trivial-rewrite   Px,

  # Read-only kernel and system information.
  /proc/filesystems                              r,
  /proc/sys/kernel/ngroups_max                   r,

  /sys/devices/system/cpu/online                 r,

  # State, lock and queue paths, all limited to files owned by the process's
  # fsuid. Permission letters: r = read, w = write, k = lock, l = link.
  # The "*" in private/* and active/* matches a single path component only.
  # private/* is write + link without read; private/tlsmgr additionally gets
  # read. The public/ rule is limited to the entries named in the braces.
  owner /var/lib/postfix/master.lock             rwk,
  owner /var/lib/postfix/postscreen_cache.lmdb   rwk,
  owner /var/spool/postfix/pid/master.pid        rwk,
  owner /var/spool/postfix/private/*             wl,
  owner /var/spool/postfix/private/tlsmgr        rwl,
  owner /var/spool/postfix/public/{cleanup,cleanup-srs,flush,pickup,postlog,qmgr,showq,tlsmgr} rwl,
  owner /var/spool/postfix/active/*              rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/postfix-master>
}
