trunk: add milter module from Paul Howarth.
This commit is contained in:
parent
b3b607eb43
commit
b9e5238a24
@ -7,6 +7,8 @@
|
||||
- Remove hierarchy from portage module as it is not a good example of
|
||||
hieararchy.
|
||||
- Remove enableaudit target from modular build as semodule -DB supplants it.
|
||||
- Added modules:
|
||||
milter (Paul Howarth)
|
||||
|
||||
* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
|
||||
- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
|
||||
|
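--- /dev/null
+++ b/policy/modules/services/milter.fc
@@ -0,0 +1,6 @@
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)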
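--- /dev/null
+++ b/policy/modules/services/milter.if
@@ -0,0 +1,79 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`milter_template',`
+# attributes common to all milters
+gen_require(`
+attribute milter_data_type, milter_domains;
+')
+
+type $1_milter_t, milter_domains;
+type $1_milter_exec_t;
+init_daemon_domain($1_milter_t, $1_milter_exec_t)
+role system_r types $1_milter_t;
+
+# Type for the milter data (e.g. the socket used to communicate with the MTA)
+type $1_milter_data_t, milter_data_type;
+files_type($1_milter_data_t);
+
+allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
+# Allow communication with MTA over a unix-domain socket
+# Note: usage with TCP sockets requires additional policy
+manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+# Create other data files and directories in the data directory
+manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+miscfiles_read_localization($1_milter_t)
+
+logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+## <summary>
+## MTA communication with milter sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+gen_require(`
+attribute milter_data_type, milter_domains;
+')
+
+getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+## Allow getattr of milter sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+gen_require(`
+attribute milter_data_type;
+')
+
+getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')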
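Review bot: The comment `# Create other data files and directories in the data directory` in milter_template is followed only by `manage_files_pattern`, so a milter that creates a subdirectory under its data type is denied; either add `manage_dirs_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)` or narrow the comment to files. The template also gives the domain no way to create its socket directory with the right label (nothing like `files_pid_filetrans` or `files_spool_filetrans` for $1_milter_data_t), so presumably the directory must pre-exist and be labelled by the .fc entries — worth stating in the template's doc block so packagers know. The `<summary>` would be more useful if it listed the types it derives (`$1_milter_t`, `$1_milter_exec_t`, `$1_milter_data_t`), since .fc authors need those names.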
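--- /dev/null
+++ b/policy/modules/services/milter.te
@@ -0,0 +1,55 @@
+
+policy_module(milter, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-regex and spamass-milter
+milter_template(regex)
+milter_template(spamass)
+
+########################################
+#
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+spamassassin_domtrans_client(spamass_milter_t)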
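Review bot: `allow regex_milter_t self:capability { setuid setgid dac_override };` grants dac_override for what the comment describes as unlinking a stale socket while still root; if the socket directory under /var/spool is root-owned, root can unlink there without dac_override, so this looks broader than needed — confirm against an AVC audit that it is actually exercised and drop it if not. In the spamass-milter block, `corecmd_exec_shell(spamass_milter_t)` and the two corecmd lines after it are unconditional even though the comment ties them to the -b/-B spamtrap options only, so every deployment carries shell execution in the milter's domain; putting the corecmd calls behind a tunable (constructed name below) keeps the default profile tighter, while `mta_send_mail` should stay outside the conditional because it carries a domain transition. The regex domain gets `files_search_spool` for its data directory but spamass_milter_t gets nothing equivalent for /var/run; that may be covered elsewhere, but worth checking.
```m4
## <desc>
## <p>
## Allow spamass-milter to execute a shell to send mail to a spamtrap
## address (-b/-B options).
## </p>
## </desc>
gen_tunable(spamass_milter_spamtrap, false)

# … unchanged: declarations, milter-regex local policy, kernel_read_system_state …

# Only needed when the milter is run with -b or -B (spamtrap via popen())
tunable_policy(`spamass_milter_spamtrap',`
	corecmd_exec_shell(spamass_milter_t)
	corecmd_read_bin_symlinks(spamass_milter_t)
	corecmd_search_bin(spamass_milter_t)
')

# … unchanged: mta_send_mail, spamassassin_domtrans_client …
```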
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mta, 2.0.0)
|
||||
policy_module(mta, 2.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -102,6 +102,11 @@ optional_policy(`
|
||||
logwatch_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# newaliases runs as system_mail_t when the sendmail initscript does a restart
|
||||
milter_getattr_all_sockets(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix, 1.9.1)
|
||||
policy_module(postfix, 1.9.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -519,6 +519,10 @@ optional_policy(`
|
||||
cyrus_stream_connect(postfix_smtp_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
milter_stream_connect_all(postfix_smtp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix smtpd local policy
|
||||
|
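Review bot: `milter_stream_connect_all(postfix_smtp_t)` is added at the end of the smtp client section (the context line is `cyrus_stream_connect(postfix_smtp_t)` and the next header is `# Postfix smtpd local policy`), but Postfix invokes milters from the smtpd server (smtpd_milters) and the cleanup daemon (non_smtpd_milters), not from the outbound smtp client; if postfix_smtp_t is the client domain here, the grant is on the wrong domain and smtpd/cleanup will be denied when a milter is configured. The block should read `milter_stream_connect_all(postfix_smtpd_t)` in the smtpd section, with a matching grant for the cleanup domain, and the smtp-client grant dropped unless there is a documented reason for it. The smtp section itself begins before this hunk.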
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sendmail, 1.8.1)
|
||||
policy_module(sendmail, 1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -108,6 +108,10 @@ optional_policy(`
|
||||
clamav_search_lib(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
milter_stream_connect_all(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postfix_exec_master(sendmail_t)
|
||||
postfix_read_config(sendmail_t)
|
||||
|
@ -10,7 +10,6 @@ HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,
|
||||
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
||||
|
||||
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
|
||||
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(spamassassin, 2.0.0)
|
||||
policy_module(spamassassin, 2.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|