From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 08 Oct 2008 15:22:25 -0400 Subject: [refpolicy] Milter Mail Filters In-Reply-To: <48ECB037.2070203@city-fan.org> References: <484D4B53.5020006@city-fan.org> <1216385922.21191.125.camel@gorn> <48982587.30605@city-fan.org> <1220621188.28287.79.camel@gorn.columbia.tresys.com> <48C6A124.7090707@city-fan.org> <48D78F39.3040801@city-fan.org> <1223302377.2165.5.camel@gorn> <48ECB037.2070203@city-fan.org> Message-ID: <1223493745.2165.113.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Moving to refpolicy list. On Wed, 2008-10-08 at 14:05 +0100, Paul Howarth wrote: > Christopher J. PeBenito wrote: > > On Mon, 2008-09-22 at 13:27 +0100, Paul Howarth wrote: > >> Updated patch: sendmail, when run as "newaliases", tries to getattr() > >> milter sockets as well as the directories they live in, so I changed > >> the > >> milter_getattr_all_data_dirs interface to milter_getattr_all_sockets. > >> > >> I also moved the call to this interface in mta.te out from the middle > >> of > >> a bunch of postfix-related lines. > >> > >> Paul. > > > > I think my last two comments are > > > > * you can't require milter_port_t. It doesn't seem like a generic port > > type would be useful anyway, otherwise there would be a port defined. > > So I should change "allow milter_$1_t milter_port_t:tcp_socket > name_bind;" to "corenet_tcp_bind_generic_port($1_milter_t)"? No. I don't see how it makes sense to have a port type common to all milters. > I can do that but I don't understand why milter_port_t should be any > different than say stunnel_port_t, which also doesn't have a default > port defined, and would be used in a similar way, i.e. an admin would > set up an application to use a specific port (a milter running over tcp > needs to have a port specified, just a tunnel set up using stunnel does > - they don't just bind to random generic ports). This is not comparable, as there is only one stunnel domain, whereas there are several milter domains. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150