On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> plain text document attachment
> (policy_modules_services_mailscanner.patch)
> Adds a new mailscanner module from the RH patchset
This seems like an incomplete module, since it only has one file type
and no domain.
> Index: refpolicy/policy/modules/services/mailscanner.fc
> ===================================================================
> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/mailscanner.fc 2008-08-03 22:09:51.000000000 +0200
> @@ -0,0 +1,2 @@
> +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
> +
> Index: refpolicy/policy/modules/services/mailscanner.if
> ===================================================================
> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/mailscanner.if 2008-08-03 22:09:51.000000000 +0200
> @@ -0,0 +1,59 @@
> +## <summary>Anti-Virus and Anti-Spam Filter</summary>
> +
> +########################################
> +## <summary>
> +## Search mailscanner spool directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mailscanner_search_spool',`
> + gen_require(`
> + type mailscanner_spool_t;
> + ')
> +
> + files_search_spool($1)
> + allow $1 mailscanner_spool_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## read mailscanner spool files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mailscanner_read_spool',`
> + gen_require(`
> + type mailscanner_spool_t;
> + ')
> +
> + files_search_spool($1)
> + read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## mailscanner spool files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mailscanner_manage_spool',`
> + gen_require(`
> + type mailscanner_spool_t;
> + ')
> +
> + files_search_spool($1)
> + manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
> +')
> Index: refpolicy/policy/modules/services/mailscanner.te
> ===================================================================
> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/mailscanner.te 2008-08-03 22:09:51.000000000 +0200
> @@ -0,0 +1,5 @@
> +
> +policy_module(mailscanner,1.0.0)
> +
> +type mailscanner_spool_t;
> +files_type(mailscanner_spool_t)
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Christopher J. PeBenito wrote:
> On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
>> plain text document attachment
>> (policy_modules_services_mailscanner.patch)
>> Adds a new mailscanner module from the RH patchset
>
> This seems like an incomplete module, since it only has one file type
> and no domain.
>
>> Index: refpolicy/policy/modules/services/mailscanner.fc
>> ===================================================================
>> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.fc 2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,2 @@
>> +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
>> +
>> Index: refpolicy/policy/modules/services/mailscanner.if
>> ===================================================================
>> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.if 2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,59 @@
>> +## <summary>Anti-Virus and Anti-Spam Filter</summary>
>> +
>> +########################################
>> +## <summary>
>> +## Search mailscanner spool directories.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_search_spool',`
>> + gen_require(`
>> + type mailscanner_spool_t;
>> + ')
>> +
>> + files_search_spool($1)
>> + allow $1 mailscanner_spool_t:dir search_dir_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## read mailscanner spool files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_read_spool',`
>> + gen_require(`
>> + type mailscanner_spool_t;
>> + ')
>> +
>> + files_search_spool($1)
>> + read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Create, read, write, and delete
>> +## mailscanner spool files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_manage_spool',`
>> + gen_require(`
>> + type mailscanner_spool_t;
>> + ')
>> +
>> + files_search_spool($1)
>> + manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
>> +')
>> Index: refpolicy/policy/modules/services/mailscanner.te
>> ===================================================================
>> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.te 2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,5 @@
>> +
>> +policy_module(mailscanner,1.0.0)
>> +
>> +type mailscanner_spool_t;
>> +files_type(mailscanner_spool_t)
>>
This domain was added to just define a context and interfaces for
mailscanner_spool_t so other domains could use it. I have never used
mailscanner and have no idea how to set this up. I guess we could label
/var/spool/MailScanner with a clamscan_spool_t and add the interfaces to
there. The only domain that uses mailscan_spool is
mailscanner_read_spool(procmail_t)
mailscanner_manage_spool(clamscan_t)
On Mon, 2008-08-25 at 13:18 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> >> plain text document attachment
> >> (policy_modules_services_mailscanner.patch)
> >> Adds a new mailscanner module from the RH patchset
> >
> > This seems like an incomplete module, since it only has one file type
> > and no domain.
>
> >> Index: refpolicy/policy/modules/services/mailscanner.fc
> >> ===================================================================
> >> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
> >> +++ refpolicy/policy/modules/services/mailscanner.fc 2008-08-03 22:09:51.000000000 +0200
> >> @@ -0,0 +1,2 @@
> >> +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
[...]
> >> @@ -0,0 +1,5 @@
> >> +
> >> +policy_module(mailscanner,1.0.0)
> >> +
> >> +type mailscanner_spool_t;
> >> +files_type(mailscanner_spool_t)
> >>
> This domain was added to just define a context and interfaces for
> mailscanner_spool_t so other domains could use it. I have never used
> mailscanner and have no idea how to set this up. I guess we could
> label
> /var/spool/MailScanner with a clamscan_spool_t and add the interfaces
> to
> there.
>From what I can figure out from the "What Is MailScanner?" web page,
that seems like the better way. But one thought I also had based on
this:
> The only domain that uses mailscan_spool is
>
> mailscanner_read_spool(procmail_t)
> mailscanner_manage_spool(clamscan_t)
Are we sure its not just mail_spool_t?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Christopher J. PeBenito wrote:
> On Mon, 2008-08-25 at 13:18 -0400, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
>>>> plain text document attachment
>>>> (policy_modules_services_mailscanner.patch)
>>>> Adds a new mailscanner module from the RH patchset
>>> This seems like an incomplete module, since it only has one file type
>>> and no domain.
>>
>>>> Index: refpolicy/policy/modules/services/mailscanner.fc
>>>> ===================================================================
>>>> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
>>>> +++ refpolicy/policy/modules/services/mailscanner.fc 2008-08-03 22:09:51.000000000 +0200
>>>> @@ -0,0 +1,2 @@
>>>> +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
> [...]
>>>> @@ -0,0 +1,5 @@
>>>> +
>>>> +policy_module(mailscanner,1.0.0)
>>>> +
>>>> +type mailscanner_spool_t;
>>>> +files_type(mailscanner_spool_t)
>>>>
>> This domain was added to just define a context and interfaces for
>> mailscanner_spool_t so other domains could use it. I have never used
>> mailscanner and have no idea how to set this up. I guess we could
>> label
>> /var/spool/MailScanner with a clamscan_spool_t and add the interfaces
>> to
>> there.
>
>>From what I can figure out from the "What Is MailScanner?" web page,
> that seems like the better way. But one thought I also had based on
> this:
>
>> The only domain that uses mailscan_spool is
>>
>> mailscanner_read_spool(procmail_t)
>> mailscanner_manage_spool(clamscan_t)
>
> Are we sure its not just mail_spool_t?
>
I am fine with mail_spool.