selinux-policy/policy/modules/services/milter.if
Dominick Grift ce87242fca Search parent directory to be able to interact with targets content.
Search parent directory to be able to interact with targets content.

Search parent directory to be able to interact with targets content.

Search parent directory to be able to interact with targets content.

Search parent directory to be able to interact with targets content.

Search parent directory to be able to interact with targets content.

Search parent directory to be able to interact with targets content.

Search parent directory to be able to interact with targets content.

Fix typo.
Squash me with f7691806b4a54f3debfabaa403e1472acc17427e
2010-09-20 18:15:55 +02:00


## <summary>Milter mail filters</summary>
########################################
## <summary>
## Create a set of derived types for various
## mail filter applications using the milter interface.
## </summary>
## <desc>
## <p>
## Declares three types from the given name: NAME_milter_t (the
## daemon domain, tagged with milter_domains), NAME_milter_exec_t
## (the executable type handed to init_daemon_domain) and
## NAME_milter_data_t (the data type, tagged with milter_data_type).
## </p>
## <p>
## Both attributes are attached here, so every interface in this
## module that is written against milter_domains or milter_data_type
## applies to each milter created with this template.
## </p>
## </desc>
## <param name="milter_name">
## <summary>
## The name to be used for deriving type names.
## </summary>
## </param>
#
template(`milter_template',`
# attributes common to all milters
gen_require(`
attribute milter_data_type, milter_domains;
')
# Per-milter domain and executable type. Both are passed to
# init_daemon_domain so the daemon started by init runs in its
# own domain rather than in the init domain.
type $1_milter_t, milter_domains;
type $1_milter_exec_t;
init_daemon_domain($1_milter_t, $1_milter_exec_t)
role system_r types $1_milter_t;
# Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
files_type($1_milter_data_t)
# The milter may read and write its own fifo files (pipes).
allow $1_milter_t self:fifo_file rw_fifo_file_perms;
# Allow communication with MTA over a unix-domain socket
# Note: usage with TCP sockets requires additional policy
manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
# Create other data files in the data directory.
# Only regular files are covered by this rule. Creating
# subdirectories would additionally need manage_dirs_pattern,
# which is not granted by this template.
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
files_read_etc_files($1_milter_t)
# dontaudit does not grant access: reads of kernel system state stay
# denied and the denials are not logged. They will be missing from the
# audit log during troubleshooting unless dontaudit rules are
# disabled (semodule -DB).
kernel_dontaudit_read_system_state($1_milter_t)
miscfiles_read_localization($1_milter_t)
logging_send_syslog_msg($1_milter_t)
')
########################################
## <summary>
## MTA communication with milter sockets
## </summary>
## <desc>
## <p>
## Allows the given domain to connect over unix stream sockets to
## every domain carrying the milter_domains attribute, through
## sockets labelled with any milter_data_type type. The grant is
## not limited to one milter: it covers each milter declared with
## milter_template, including ones added later.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`milter_stream_connect_all',`
gen_require(`
attribute milter_data_type, milter_domains;
')
# Search the pid directory, presumably the parent of the milter
# socket directories - verify against the module file contexts.
files_search_pids($1)
# Arguments: caller, directory type, socket file type, peer domain.
# No per-milter variant is visible in this file, so a caller that
# should reach only one milter needs a narrower rule of its own.
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
########################################
## <summary>
## Allow getattr of milter sockets
## </summary>
## <desc>
## <p>
## Applies to socket files under every type carrying the
## milter_data_type attribute, that is the data type of each
## milter declared with milter_template.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`milter_getattr_all_sockets',`
gen_require(`
attribute milter_data_type;
')
# NOTE(review): unlike milter_stream_connect_all, no search of the
# pid directory is granted here. The caller presumably obtains it
# from another rule - confirm.
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
########################################
## <summary>
## Allow setattr of milter dirs
## </summary>
## <desc>
## <p>
## Applies to directories under every type carrying the
## milter_data_type attribute. The setattr permission lets the
## caller change directory attributes such as mode and ownership
## (still subject to ordinary Unix permission checks), which can
## widen who is able to reach the milter sockets kept there.
## Grant it only to domains that set up these directories.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`milter_setattr_all_dirs',`
gen_require(`
attribute milter_data_type;
')
# NOTE(review): no search of the parent pid directory is granted
# here. The caller presumably obtains it from another rule - confirm.
setattr_dirs_pattern($1, milter_data_type, milter_data_type)
')
########################################
## <summary>
## Manage spamassassin milter state
## </summary>
## <desc>
## <p>
## Grants management of regular files, directories and symbolic
## links labelled spamass_milter_state_t. That type is required
## here but not declared in this interface file.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`milter_manage_spamass_state',`
gen_require(`
type spamass_milter_state_t;
')
# Search /var/lib, presumably the parent of the state directory -
# verify against the module file contexts.
files_search_var_lib($1)
# Three object classes are covered: files, directories, symlinks.
# Sockets and other classes are not granted by this interface.
manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
#######################################
## <summary>
## Delete dkim-milter PID files.
## </summary>
## <desc>
## <p>
## Grants deletion of regular files labelled dkim_milter_data_t.
## The type name matches what milter_template derives for a milter
## named dkim. In that case the same type also labels the milter
## socket, so the label is broader than PID files alone.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`milter_delete_dkim_pid_files',`
gen_require(`
type dkim_milter_data_t;
')
# Search the pid directory that is the parent of the dkim data.
files_search_pids($1)
# Regular files only. Going by the pattern name, socket files under
# the same type are not covered - verify against the pattern definition.
delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
')