From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1350325989.983a0f9b84912ee4ad5bec16a69030b3269404ac.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/munin.fc policy/modules/contrib/munin.if policy/modules/contrib/munin.te policy/modules/contrib/postfix.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 983a0f9b84912ee4ad5bec16a69030b3269404ac
X-VCS-Branch: master
Date: Mon, 15 Oct 2012 18:46:34 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d8752d16-b67e-4643-9270-f45b462c2c12
X-Archives-Hash: 6ff05c07bbc066200c8044cf6ce741b9

commit:     983a0f9b84912ee4ad5bec16a69030b3269404ac
Author:     Dominick Grift gmail com>
AuthorDate: Sun Oct 14 11:53:07 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Mon Oct 15 18:33:09 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=983a0f9b

Changes to the munin policy module and relevant dependencies

Ported from Fedora with changes

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/contrib/munin.fc   |  12 +++-
 policy/modules/contrib/munin.if   |  71 +++++++--------
 policy/modules/contrib/munin.te   | 168 ++++++++++++++++++++++++++-----------
 policy/modules/contrib/postfix.if |  20 +++++
 4 files changed, 181 insertions(+), 90 deletions(-)

diff --git a/policy/modules/contrib/munin.fc b/policy/modules/contrib/munin.fc index d955fb4..8c2ecad 100644 --- a/policy/modules/contrib/munin.fc +++ b/policy/modules/contrib/munin.fc 
@@ -1,8 +1,11 @@ /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) + /etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) @@ -38,6 +41,8 @@ /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -47,6 +52,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
@@ -59,7 +65,11 @@ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) + /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) -/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) + +/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0) + /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if index c358d8f..258f91b 100644 --- a/policy/modules/contrib/munin.if +++ b/policy/modules/contrib/munin.if 
@@ -1,52 +1,48 @@ -## Munin network-wide load graphing (formerly LRRD) +## Munin network-wide load graphing. -######################################## +####################################### ## -## Create a set of derived types for various -## munin plugins, +## The template to define a munin plugin domain. ## -## +## ## -## The name to be used for deriving type names. +## Domain prefix to be used. ## ## # template(`munin_plugin_template',` gen_require(` - type munin_t, munin_exec_t, munin_etc_t; + attribute munin_plugin_domain; + type munin_t; ') + ######################################## + # + # Declarations + # + type $1_munin_plugin_t; type $1_munin_plugin_exec_t; typealias $1_munin_plugin_t alias munin_$1_plugin_t; typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; - application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t) + domain_type($1_munin_plugin_t) + domain_entry_file($1_munin_plugin_t, $1_munin_plugin_exec_t) role system_r types $1_munin_plugin_t; type $1_munin_plugin_tmp_t; typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t; files_tmp_file($1_munin_plugin_tmp_t) - allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms; + ######################################## + # + # Policy + # + + domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) - - # automatic transition rules from munin domain - # to specific munin plugin domain - domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) - - allow $1_munin_plugin_t munin_exec_t:file read_file_perms; - allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms; - - read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t) - - kernel_read_system_state($1_munin_plugin_t) - - 
corecmd_exec_bin($1_munin_plugin_t) - - miscfiles_read_localization($1_munin_plugin_t) ') ######################################## @@ -65,14 +61,13 @@ interface(`munin_stream_connect',` type munin_var_run_t, munin_t; ') - allow $1 munin_t:unix_stream_socket connectto; - allow $1 munin_var_run_t:sock_file { getattr write }; files_search_pids($1) + stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) ') ####################################### ## -## Read munin configuration files. +## Read munin configuration content. ## ## ## @@ -86,15 +81,15 @@ interface(`munin_read_config',` type munin_etc_t; ') + files_search_etc($1) allow $1 munin_etc_t:dir list_dir_perms; allow $1 munin_etc_t:file read_file_perms; - allow $1 munin_etc_t:lnk_file { getattr read }; - files_search_etc($1) + allow $1 munin_etc_t:lnk_file read_lnk_file_perms; ') ####################################### ## -## Append to the munin log. +## Append munin log files. ## ## ## @@ -153,8 +148,8 @@ interface(`munin_dontaudit_search_lib',` ######################################## ## -## All of the rules required to administrate -## an munin environment +## All of the rules required to +## administrate an munin environment. ## ## ## @@ -163,21 +158,21 @@ interface(`munin_dontaudit_search_lib',` ## ## ## -## The role to be allowed to manage the munin domain. +## Role allowed access. ## ## ## # interface(`munin_admin',` gen_require(` + attribute munin_plugin_domain; type munin_t, munin_etc_t, munin_tmp_t; type munin_log_t, munin_var_lib_t, munin_var_run_t; - type httpd_munin_content_t; - type munin_initrc_exec_t; + type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; ') - allow $1 munin_t:process { ptrace signal_perms }; - ps_process_pattern($1, munin_t) + allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { munin_plugin_domain munin_t }) init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) 
@@ -194,7 +189,7 @@ interface(`munin_admin',` admin_pattern($1, munin_etc_t) files_list_var_lib($1) - admin_pattern($1, munin_var_lib_t) + admin_pattern($1, { munin_var_lib_t munin_plugin_state_t }) files_list_pids($1) admin_pattern($1, munin_var_run_t) diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te index f17583b..4f784a8 100644 --- a/policy/modules/contrib/munin.te +++ b/policy/modules/contrib/munin.te @@ -1,10 +1,12 @@ -policy_module(munin, 1.8.0) +policy_module(munin, 1.8.1) ######################################## # # Declarations # +attribute munin_plugin_domain; + type munin_t alias lrrd_t; type munin_exec_t alias lrrd_exec_t; init_daemon_domain(munin_t, munin_exec_t) 
@@ -24,40 +26,78 @@ files_tmp_file(munin_tmp_t) type munin_var_lib_t alias lrrd_var_lib_t; files_type(munin_var_lib_t) +type munin_plugin_state_t; +files_type(munin_plugin_state_t) + type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) munin_plugin_template(disk) - munin_plugin_template(mail) - +munin_plugin_template(selinux) munin_plugin_template(services) - munin_plugin_template(system) +################################ +# +# Common munin plugin local policy +# + +allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; + +allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; + +read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) + +allow munin_plugin_domain munin_exec_t:file read_file_perms; + +manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) + +kernel_read_system_state(munin_plugin_domain) + +corenet_all_recvfrom_unlabeled(munin_plugin_domain) +corenet_all_recvfrom_netlabel(munin_plugin_domain) +corenet_tcp_sendrecv_generic_if(munin_plugin_domain) +corenet_tcp_sendrecv_generic_node(munin_plugin_domain) + +corecmd_exec_bin(munin_plugin_domain) +corecmd_exec_shell(munin_plugin_domain) + +files_read_etc_files(munin_plugin_domain) +files_read_usr_files(munin_plugin_domain) +files_search_var_lib(munin_plugin_domain) + +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) + +optional_policy(` + nscd_socket_use(munin_plugin_domain) +') + ######################################## # # Local policy # -allow munin_t self:capability { chown dac_override setgid setuid }; +allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; -allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; -allow munin_t self:tcp_socket 
create_stream_socket_perms; -allow munin_t self:udp_socket create_socket_perms; +allow munin_t self:unix_stream_socket { accept connectto listen }; +allow munin_t self:unix_dgram_socket sendto; +allow munin_t self:tcp_socket { accept listen }; allow munin_t self:fifo_file manage_fifo_file_perms; -allow munin_t munin_etc_t:dir list_dir_perms; -read_files_pattern(munin_t, munin_etc_t, munin_etc_t) -read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) -files_search_etc(munin_t) +allow munin_t munin_plugin_domain:process signal_perms; -can_exec(munin_t, munin_exec_t) +allow munin_t munin_etc_t:dir list_dir_perms; +allow munin_t munin_etc_t:file read_file_perms; +allow munin_t munin_etc_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -manage_files_pattern(munin_t, munin_log_t, munin_log_t) +append_files_pattern(munin_t, munin_log_t, munin_log_t) +create_files_pattern(munin_t, munin_log_t, munin_log_t) +setattr_files_pattern(munin_t, munin_log_t, munin_log_t) logging_log_filetrans(munin_t, munin_log_t, { file dir }) manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) 
@@ -65,15 +105,18 @@ manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file }) -# Allow access to the munin databases manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -files_search_var_lib(munin_t) +read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) + +manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -files_pid_filetrans(munin_t, munin_var_run_t, file) +files_pid_filetrans(munin_t, munin_var_run_t, { dir file }) + +can_exec(munin_t, munin_exec_t) kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) @@ -85,15 +128,18 @@ corecmd_exec_shell(munin_t) corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) -corenet_udp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -corenet_udp_sendrecv_generic_node(munin_t) -corenet_tcp_sendrecv_all_ports(munin_t) -corenet_udp_sendrecv_all_ports(munin_t) corenet_tcp_bind_generic_node(munin_t) + +corenet_sendrecv_munin_server_packets(munin_t) corenet_tcp_bind_munin_port(munin_t) +corenet_sendrecv_munin_client_packets(munin_t) corenet_tcp_connect_munin_port(munin_t) +corenet_tcp_sendrecv_munin_port(munin_t) + +corenet_sendrecv_http_client_packets(munin_t) corenet_tcp_connect_http_port(munin_t) +corenet_tcp_sendrecv_http_port(munin_t) dev_read_sysfs(munin_t) dev_read_urand(munin_t) 
@@ -101,7 +147,6 @@ dev_read_urand(munin_t) domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) -files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) files_read_usr_files(munin_t) files_list_spool(munin_t) @@ -116,6 +161,7 @@ logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) +miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) @@ -143,9 +189,10 @@ optional_policy(` ') optional_policy(` + mta_list_queue(munin_t) mta_read_config(munin_t) - mta_send_mail(munin_t) mta_read_queue(munin_t) + mta_send_mail(munin_t) ') optional_policy(` @@ -159,6 +206,7 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) + postfix_getattr_all_spool_files(munin_t) ') optional_policy(` @@ -179,25 +227,24 @@ optional_policy(` ################################### # -# local policy for disk plugins +# Disk local policy # +allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -corecmd_exec_shell(disk_munin_plugin_t) - +corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) +corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) -files_read_etc_files(disk_munin_plugin_t) -files_read_etc_runtime_files(disk_munin_plugin_t) - -fs_getattr_all_fs(disk_munin_plugin_t) - +dev_getattr_lvm_control(disk_munin_plugin_t) dev_read_sysfs(disk_munin_plugin_t) dev_read_urand(disk_munin_plugin_t) +files_read_etc_runtime_files(disk_munin_plugin_t) + storage_getattr_fixed_disk_dev(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) @@ -212,7 +259,7 @@ optional_policy(` #################################### # -# local policy for mail plugins +# Mail local policy # allow mail_munin_plugin_t self:capability dac_override; 
@@ -221,17 +268,21 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) -files_read_etc_files(mail_munin_plugin_t) - -fs_getattr_all_fs(mail_munin_plugin_t) - logging_read_generic_logs(mail_munin_plugin_t) -mta_read_config(mail_munin_plugin_t) -mta_send_mail(mail_munin_plugin_t) -mta_read_queue(mail_munin_plugin_t) +optional_policy(` + mta_list_queue(mail_munin_plugin_t) + mta_read_config(mail_munin_plugin_t) + mta_read_queue(mail_munin_plugin_t) + mta_send_mail(mail_munin_plugin_t) +') optional_policy(` + nscd_socket_use(mail_munin_plugin_t) +') + +optional_policy(` + postfix_getattr_all_spool_files(mail_munin_plugin_t) postfix_read_config(mail_munin_plugin_t) postfix_list_spool(mail_munin_plugin_t) ') @@ -240,28 +291,36 @@ optional_policy(` sendmail_read_log(mail_munin_plugin_t) ') +################################## +# +# Selinux local policy +# + +selinux_get_enforce_mode(selinux_munin_plugin_t) + ################################### # -# local policy for service plugins +# Service local policy # +allow services_munin_plugin_t self:shm create_sem_perms; +allow services_munin_plugin_t self:sem create_sem_perms; allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; +corenet_sendrecv_all_client_packets(services_munin_plugin_t) corenet_tcp_connect_all_ports(services_munin_plugin_t) corenet_tcp_connect_http_port(services_munin_plugin_t) +corenet_tcp_sendrecv_all_ports(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) -fs_getattr_all_fs(services_munin_plugin_t) - -files_read_etc_files(services_munin_plugin_t) - sysnet_read_config(services_munin_plugin_t) optional_policy(` + cups_read_config(services_munin_plugin_t) cups_stream_connect(services_munin_plugin_t) ') 
@@ -279,6 +338,10 @@ optional_policy(` ') optional_policy(` + nscd_socket_use(services_munin_plugin_t) +') + +optional_policy(` postgresql_stream_connect(services_munin_plugin_t) ') @@ -286,30 +349,33 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') +optional_policy(` + varnishd_read_lib_files(services_munin_plugin_t) +') + ################################## # -# local policy for system plugins +# System local policy # allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +allow system_munin_plugin_t munin_log_t:file read_file_perms; + kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) -corecmd_exec_shell(system_munin_plugin_t) - -fs_getattr_all_fs(system_munin_plugin_t) - dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) domain_read_all_domains_state(system_munin_plugin_t) -# needed by users plugin init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) +term_getattr_all_ttys(system_munin_plugin_t) +term_getattr_all_ptys(system_munin_plugin_t) diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if index 2ab9765..36ba866 100644 --- a/policy/modules/contrib/postfix.if +++ b/policy/modules/contrib/postfix.if @@ -601,6 +601,26 @@ interface(`postfix_domtrans_smtp',` ######################################## ## +## Get attributes of postfix all mail +## spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_getattr_all_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') + + files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + +######################################## +## ## Search postfix mail spool directories. ## ##
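Review bot: In munin.fc (hunk at -59,7), replacing `/var/run/munin(/.*)?` with `/var/run/munin.*` removes the anchor at the path separator, so any entry under /var/run whose name merely begins with "munin" is now labelled munin_var_run_t. If the aim is to cover a pid file that lives beside the directory, keep the original directory pattern and add one explicit entry for that file, so the match stays as narrow as the old one.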
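Review bot: In munin.if, munin_plugin_template now requires `attribute munin_plugin_domain` but nothing in the visible template body assigns it: the declaration is still `type $1_munin_plugin_t;` and no typeattribute statement is added. The rules this hunk removes from the template (self:fifo_file, munin_t:tcp_socket, the munin_etc_t symlink read, kernel_read_system_state, corecmd_exec_bin, miscfiles_read_localization) reappear in munin.te only as rules on munin_plugin_domain, so unless the type is declared as `type $1_munin_plugin_t, munin_plugin_domain;` every plugin domain loses them. The switch from application_domain() to domain_type() plus domain_entry_file() also deserves a sentence in the commit message saying what is intentionally dropped.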
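Review bot: In munin_admin (munin.if, hunk at -163,21), `allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };` extends ptrace from munin_t to every plugin domain, and this same commit gives disk_munin_plugin_t the sys_admin and sys_rawio capabilities. Please confirm the admin role needs ptrace on the plugin domains at all; signal_perms and ps_process_pattern() already cover signalling and listing them. The interface description was only rewrapped and still does not mention that plugin domains and munin_plugin_state_t are now in scope.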
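Review bot: In munin.te (hunk at -24,40), the munin_t capability line gains `kill` and `sys_rawio` with no comment and nothing in the commit message naming the operation that needs them. sys_rawio is also granted to disk_munin_plugin_t further down, so if raw device access is only exercised by disk plugins it should stay in that domain rather than on the daemon. In the same hunk, the common plugin policy gives corecmd_exec_shell() and generic TCP send/receive to all plugin domains, including the new selinux one whose only local rule is selinux_get_enforce_mode(); a note on why every plugin needs both would help.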
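Review bot: In the Disk local policy section (munin.te, hunk at -179,25), `allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };` adds two broad capabilities to a domain that also creates TCP sockets and connects to the hddtemp port, without saying which plugin triggers the denial. A comment naming the plugin and the operation would let a later reviewer judge whether an allow is required or a dontaudit would do.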
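Review bot: In the Service local policy section (munin.te, hunk at -240,28), `allow services_munin_plugin_t self:shm create_sem_perms;` pairs the shm class with the semaphore permission set; the next line uses the same set for sem, so this reads like a copy and paste slip and create_shm_perms was probably intended. Separately, nscd_socket_use(mail_munin_plugin_t) and nscd_socket_use(services_munin_plugin_t) repeat the nscd_socket_use(munin_plugin_domain) rule added in the common plugin policy and can be dropped once the attribute is assigned.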
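Review bot: In the System local policy section (munin.te, hunk at -286,30), `allow system_munin_plugin_t munin_log_t:file read_file_perms;` grants the file read but the visible lines give this domain no search permission on munin_log_t directories or on the log directory above them, so the read may still be denied; read_files_pattern() together with logging_search_logs() would express the full path. The hunk also deletes the `# needed by users plugin` comment on init_read_utmp() while adding term_getattr_all_ttys() and term_getattr_all_ptys() with no rationale; keeping the comment and extending it to the new tty rules preserves the reason for the access.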
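Review bot: In postfix.if, the summary for the new postfix_getattr_all_spool_files interface reads "Get attributes of postfix all mail spool files"; the word order should be "all postfix mail spool files". The body itself (files_search_spool() followed by getattr_files_pattern() on postfix_spool_type) matches the summary and is limited to getattr.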