trunk: Milter state directory patch from Paul Howarth.

Changelog

@@ -1,3 +1,4 @@
+- Milter state directory patch from Paul Howarth.
 - Add MLS constrains for ingress/egress and secmark from Paul Moore.
 - Drop write permission from fs_read_rpc_sockets().
 - Remove unused udev_runtime_t type.

policy/modules/services/milter.fc

@@ -2,5 +2,7 @@
 /var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
 
 /usr/sbin/spamass-milter			--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_state_t,s0)
 /var/run/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /var/run/spamass-milter\.pid			--	gen_context(system_u:object_r:spamass_milter_data_t,s0)

policy/modules/services/milter.if

@@ -77,3 +77,24 @@ interface(`milter_getattr_all_sockets',`
 	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
 ')
+
+########################################
+## <summary>
+##	Manage spamassassin milter state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_manage_spamass_state',`
+	gen_require(`
+		type spamass_milter_state_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')

policy/modules/services/milter.te

@@ -1,5 +1,5 @@
 
-policy_module(milter, 1.0.0)
+policy_module(milter, 1.0.1)
 
 ########################################
 #
@@ -14,6 +14,12 @@ attribute milter_data_type;
 milter_template(regex)
 milter_template(spamass)
 
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
 ########################################
 #
 # milter-regex local policy
@@ -41,6 +47,10 @@ mta_read_config(regex_milter_t)
 #   http://savannah.nongnu.org/projects/spamass-milt/
 #
 
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
 kernel_read_system_state(spamass_milter_t)
 
 # When used with -b or -B options, the milter invokes sendmail to send mail

policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin, 2.1.2)
+policy_module(spamassassin, 2.1.3)
 
 ########################################
 #
@@ -279,6 +279,11 @@ optional_policy(`
 	evolution_stream_connect(spamc_t)
 ')
 
+optional_policy(`
+	# Needed for pyzor/razor called from spamd
+	milter_manage_spamass_state(spamc_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(spamc_t)
 ')
@@ -418,6 +423,10 @@ optional_policy(`
 	dcc_stream_connect_dccifd(spamd_t)
 ')
 
+optional_policy(`
+	milter_manage_spamass_state(spamd_t)
+')
+
 optional_policy(`
 	mysql_search_db(spamd_t)
 	mysql_stream_connect(spamd_t)