2009-06-03 10:42:32

by paul

Subject: [refpolicy] Policy for milter-greylist

Patch attached. I'm using this myself and policy is already added in Fedora.

Paul.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: milter-greylist.patch
Type: text/x-patch
Size: 2556 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090603/2547a367/attachment.bin


2009-06-18 14:37:33

by cpebenito

Subject: [refpolicy] Policy for milter-greylist

On Wed, 2009-06-03 at 11:42 +0100, Paul Howarth wrote:
> Patch attached. I'm using this myself and policy is already added in
> Fedora.

Merged.

> Index: policy/modules/services/milter.te
> ===================================================================
> --- policy/modules/services/milter.te (revision 2991)
> +++ policy/modules/services/milter.te (working copy)
> @@ -10,7 +10,8 @@
> attribute milter_domains;
> attribute milter_data_type;
>
> -# currently-supported milters are milter-regex and spamass-milter
> +# currently-supported milters are milter-greylist, milter-regex and
> spamass-milter
> +milter_template(greylist)
> milter_template(regex)
> milter_template(spamass)
>
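Review bot: the `+# currently-supported milters are milter-greylist, milter-regex and` comment has been wrapped by the mail client, leaving `spamass-milter` on an unprefixed line, so this hunk as quoted will not apply cleanly; the attached milter-greylist.patch is the copy to work from. The change itself is straightforward: `milter_template(greylist)` keeps the template calls in alphabetical order with the existing regex and spamass entries, and the header count (7 to 8 lines) matches one removed and two added lines.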
> @@ -22,6 +23,35 @@
>
> ########################################
> #
> +# milter-greylist local policy
> +# ensure smtp clients retry mail like real MTAs and not spamware
> +# http://hcpnet.free.fr/milter-greylist/
> +#
> +
> +# Look up username for dropping privs
> +auth_use_nsswitch(greylist_milter_t)
> +
> +# It creates a pid file /var/run/milter-greylist.pid
> +files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
> +
> +# It removes any existing socket (not owned by root) whilst running
> as root,
> +# fixes permissions, renices itself and then calls setgid() and
> setuid() to
> +# drop privileges
> +kernel_read_kernel_sysctls(greylist_milter_t)
> +allow greylist_milter_t self:capability { chown dac_override setgid
> setuid sys_nice };
> +allow greylist_milter_t self:process { setsched getsched };
> +
> +# Allow the milter to read a GeoIP database in /usr/share
> +files_read_usr_files(greylist_milter_t)
> +
> +# The milter runs from /var/lib/milter-greylist and maintains files
> there
> +files_search_var_lib(greylist_milter_t);
> +
> +# Config is in /etc/mail/greylist.conf
> +mta_read_config(greylist_milter_t)
> +
> +########################################
> +#
> # milter-regex local policy
> # filter emails using regular expressions
> # http://www.benzedrine.cx/milter-regex.html
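Review bot: `files_search_var_lib(greylist_milter_t);` carries a trailing semicolon while every other interface call in this block has none; drop it so the line reads `files_search_var_lib(greylist_milter_t)`, since interface calls are m4 macros and the extra `;` ends up in the expanded policy rather than being swallowed. The comment above `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)` says only a pid file is created, which matches the `file` class; if the daemon also creates /var/run/milter-greylist as a directory at runtime rather than relying on the .fc labelling, the transition would need `{ dir file }` as well. The capability block is well commented overall, but `dac_override` is the broadest grant in the set and deserves its own sentence explaining which access (the removal of a non-root-owned socket, from the comment) actually requires it.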
> Index: policy/modules/services/milter.fc
> ===================================================================
> --- policy/modules/services/milter.fc (revision 2991)
> +++ policy/modules/services/milter.fc (working copy)
> @@ -1,3 +1,9 @@
> +/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> +
> +/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/run/milter-greylist
> \.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +
> /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
>
>
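Review bot: the `+/var/run/milter-greylist\.pid -- gen_context(...)` entry is wrapped across two lines in this quote, with `\.pid` starting a new unprefixed line; it is one .fc line, and it is genuinely needed because `/var/run/milter-greylist(/.*)?` matches only the directory and its contents, not a sibling file named `milter-greylist.pid`. Both the /var/lib state directory and the /var/run entries share `greylist_milter_data_t`, which is consistent with the single data type the template provides (compare `/var/spool/milter-regex(/.*)?` below), so no further type is required here.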
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150