7.26. Postfix

The following example is for postfix on a Debian GNU/Linux Woody (3.0) system with all capabilities disabled. The CAP_HIDDEN parts are ofcourse optional.
/sbin/lidsconf -A -o /etc/postfix               -j DENY
/sbin/lidsconf -A -o /var/spool/postfix         -j DENY

/sbin/lidsconf -A -s /etc/init.d/postfix \
		  -o /etc/postfix		-j READONLY -i 1
/sbin/lidsconf -A -s /etc/init.d/postfix \
		  -o /var/spool/postfix		-j WRITE    -i 1
/sbin/lidsconf -A -s /usr/sbin/postfix   \
		  -o /etc/postfix		-j READONLY -i 4
/sbin/lidsconf -A -s /usr/sbin/postfix	 \
		  -o /var/spool/postfix		-j WRITE    -i 4

/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o CAP_SETGID			-j GRANT    -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o CAP_SETUID			-j GRANT    -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o CAP_HIDDEN	                -j GRANT    -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o CAP_DAC_OVERRIDE           -j GRANT    -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o CAP_SYS_CHROOT             -j GRANT    -i 1

/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o /etc/aliases.db		-j READONLY -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o /var/spool/postfix		-j WRITE    -i 1
/sbin/lidsconf -A -s /usr/lib/postfix/master \
		  -o /etc/postfix	        -j READONLY -i 1

/sbin/lidsconf -A -s /usr/sbin/postdrop \
		  -o /etc/postfix		-j READONLY
/sbin/lidsconf -A -s /usr/sbin/postdrop \
		  -o /var/spool/postfix		-j WRITE

/sbin/lidsconf -A -s /usr/sbin/sendmail \
		  -o /etc/postfix		-j READONLY
/sbin/lidsconf -A -s /usr/sbin/sendmail \
		  -o /var/spool/postfix		-j WRITE