From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 25 Aug 2008 13:18:37 -0400
Subject: [refpolicy] [patch 33/35] mailscanner policy addition
In-Reply-To: <1219327608.16398.63.camel@gorn.columbia.tresys.com>
References: <20080804123456.679565839@hardeman.nu>	<20080804123739.984442576@hardeman.nu>
	<1219327608.16398.63.camel@gorn.columbia.tresys.com>
Message-ID: <48B2E96D.50805@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher J. PeBenito wrote:
> On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
>> plain text document attachment
>> (policy_modules_services_mailscanner.patch)
>> Adds a new mailscanner module from the RH patchset
> 
> This seems like an incomplete module, since it only has one file type
> and no domain.
> 
>> Index: refpolicy/policy/modules/services/mailscanner.fc
>> ===================================================================
>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.fc	2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,2 @@
>> +/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
>> +
>> Index: refpolicy/policy/modules/services/mailscanner.if
>> ===================================================================
>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.if	2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,59 @@
>> +## <summary>Anti-Virus and Anti-Spam Filter</summary>
>> +
>> +########################################
>> +## <summary>
>> +##	Search mailscanner spool directories.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_search_spool',`
>> +	gen_require(`
>> +		type mailscanner_spool_t;
>> +	')
>> +
>> +	files_search_spool($1)
>> +	allow $1 mailscanner_spool_t:dir search_dir_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	read mailscanner spool files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_read_spool',`
>> +	gen_require(`
>> +		type mailscanner_spool_t;
>> +	')
>> +
>> +	files_search_spool($1)
>> +	read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Create, read, write, and delete
>> +##	mailscanner spool files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_manage_spool',`
>> +	gen_require(`
>> +		type mailscanner_spool_t;
>> +	')
>> +
>> +	files_search_spool($1)
>> +	manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
>> +')
>> Index: refpolicy/policy/modules/services/mailscanner.te
>> ===================================================================
>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.te	2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,5 @@
>> +
>> +policy_module(mailscanner,1.0.0)
>> +
>> +type mailscanner_spool_t;
>> +files_type(mailscanner_spool_t)
>>
This domain was added to just define a context and interfaces for
mailscanner_spool_t so other domains could use it. I have never used
mailscanner and have no idea how to set this up.  I guess we could label
/var/spool/MailScanner with a clamscan_spool_t and add the interfaces to
there.  The only domain that uses mailscan_spool is

	mailscanner_read_spool(procmail_t)
	mailscanner_manage_spool(clamscan_t)