From b9e5238a242d909f604a56a7587c10a70d1a68bb Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 24 2008 15:06:58 +0000 Subject: trunk: add milter module from Paul Howarth. --- diff --git a/Changelog b/Changelog index 1699eb7..c359a33 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,8 @@ - Remove hierarchy from portage module as it is not a good example of hieararchy. - Remove enableaudit target from modular build as semodule -DB supplants it. +- Added modules: + milter (Paul Howarth) * Tue Oct 14 2008 Chris PeBenito - 20081014 - Debian update for NetworkManager/wpa_supplicant from Martin Orr. diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc new file mode 100644 index 0000000..4634dba --- /dev/null +++ b/policy/modules/services/milter.fc @@ -0,0 +1,6 @@ +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) + +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if new file mode 100644 index 0000000..1155cb7 --- /dev/null +++ b/policy/modules/services/milter.if 
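Review bot: `/var/run/spamass-milter\.pid` is labelled spamass_milter_data_t in this milter.fc hunk, but the spamass-milter section of milter.te in the same commit declares no file transition for it, and `milter_template` in milter.if registers the type only with `files_type`, not `files_pid_file`; a pid file the daemon writes at runtime under /var/run will presumably keep the parent directory's label until a relabel, so this entry only describes what restorecon sets. If spamass-milter creates its own pid file, `files_pid_filetrans(spamass_milter_t, spamass_milter_data_t, file)` in milter.te would make the runtime label agree with this entry. The same question applies to the `/var/run/spamass-milter(/.*)?` directory if the daemon, rather than the package or initscript, creates it.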
@@ -0,0 +1,79 @@
+## Milter mail filters
+
+########################################
+##
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`milter_template',`
+	# attributes common to all milters
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	type $1_milter_t, milter_domains;
+	type $1_milter_exec_t;
+	init_daemon_domain($1_milter_t, $1_milter_exec_t)
+	role system_r types $1_milter_t;
+
+	# Type for the milter data (e.g. the socket used to communicate with the MTA)
+	type $1_milter_data_t, milter_data_type;
+	files_type($1_milter_data_t);
+
+	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
+	# Allow communication with MTA over a unix-domain socket
+	# Note: usage with TCP sockets requires additional policy
+	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	# Create other data files and directories in the data directory
+	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	miscfiles_read_localization($1_milter_t)
+
+	logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+##
+## MTA communication with milter sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_stream_connect_all',`
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+##
+## Allow getattr of milter sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_getattr_all_sockets',`
+	gen_require(`
+		attribute milter_data_type;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
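Review bot: In `milter_template` the comment `# Create other data files and directories in the data directory` is backed only by `manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)`, which does not allow creating directories of type $1_milter_data_t; if milters really create subdirectories in their data directory, `manage_dirs_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)` is missing, otherwise the comment should drop "and directories". Separately, `files_type($1_milter_data_t);` carries a trailing semicolon while every other interface call in this hunk has none; the `;` is not part of the interface-call convention and should be dropped for consistency. Both `_all` interfaces intentionally reach every milter through the `milter_data_type` attribute, which suits MTAs but is worth stating in their summaries so a caller needing a single milter does not pick them by accident.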
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
new file mode 100644
index 0000000..908cb61
--- /dev/null
+++ b/policy/modules/services/milter.te
@@ -0,0 +1,55 @@
+
+policy_module(milter, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-regex and spamass-milter
+milter_template(regex)
+milter_template(spamass)
+
+########################################
+#
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+spamassassin_domtrans_client(spamass_milter_t)
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 27b9099..8576491 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
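Review bot: spamass_milter_t is never allowed to search /var/run even though its socket directory `/var/run/spamass-milter` (per milter.fc in this commit) lives there; the regex section has the matching `files_search_spool(regex_milter_t)` for /var/spool, but the spamass-milter section has no `files_search_pids(spamass_milter_t)`, so unless `init_daemon_domain` or `milter_template` already supplies that access the daemon presumably cannot reach its own socket. Adding `files_search_pids(spamass_milter_t)` beside `kernel_read_system_state(spamass_milter_t)` would mirror the regex section. The `dac_override` granted to regex_milter_t is the broadest of its three capabilities; the comment justifies it by the stale socket not being owned by root, but if the data directory is owned by the milter's unprivileged user the unlink may not need it, which is worth confirming against the AVC log before keeping the grant.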
@@ -1,5 +1,5 @@ -policy_module(mta, 2.0.0) +policy_module(mta, 2.0.1) ######################################## # @@ -103,6 +103,11 @@ optional_policy(` ') optional_policy(` + # newaliases runs as system_mail_t when the sendmail initscript does a restart + milter_getattr_all_sockets(system_mail_t) +') + +optional_policy(` nagios_read_tmp_files(system_mail_t) ') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 89d0abe..8f9f273 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix, 1.9.1) +policy_module(postfix, 1.9.2) ######################################## # @@ -519,6 +519,10 @@ optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') +optional_policy(` + milter_stream_connect_all(postfix_smtp_t) +') + ######################################## # # Postfix smtpd local policy diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 9c63d2d..b59f266 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail, 1.8.1) +policy_module(sendmail, 1.8.2) ######################################## # @@ -109,6 +109,10 @@ optional_policy(` ') optional_policy(` + milter_stream_connect_all(sendmail_t) +') + +optional_policy(` postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc index 80cab98..6b3abf9 100644 --- a/policy/modules/services/spamassassin.fc +++ b/policy/modules/services/spamassassin.fc 
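Review bot: postfix_smtp_t looks like the wrong domain for `milter_stream_connect_all` in the postfix.te hunk: the context places it in the smtp client section (after `cyrus_stream_connect(postfix_smtp_t)` and before the "Postfix smtpd local policy" header), yet in Postfix the processes that contact milters are smtpd(8) for smtpd_milters and cleanup(8) for non_smtpd_milters, not the outbound smtp(8) client. If that holds for this deployment, the rule belongs on postfix_smtpd_t (and postfix_cleanup_t) rather than postfix_smtp_t, and the present grant gives the client connect access it never uses. The sendmail.te hunk's `milter_stream_connect_all(sendmail_t)` has no such issue since sendmail_t is the MTA domain itself. In the mta.te hunk, the comment `# newaliases runs as system_mail_t when the sendmail initscript does a restart` explains who needs access but not why getattr alone suffices; a word such as `# it only stats the socket path, no connect is made` would save the next reader the check.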
@@ -10,7 +10,6 @@ HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t, /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 343136a..9aded00 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin, 2.0.0) +policy_module(spamassassin, 2.0.1) ######################################## #