From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 24 Nov 2008 10:17:32 -0500
Subject: [refpolicy] Milter Mail Filters
In-Reply-To: <492ABB5D.5000001@city-fan.org>
References: <49218846.7060305@city-fan.org> <1227535903.29210.22.camel@gorn>
<492ABB5D.5000001@city-fan.org>
Message-ID: <1227539855.29210.27.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Mon, 2008-11-24 at 14:34 +0000, Paul Howarth wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-11-17 at 10:05 -0500, Paul Howarth wrote:
> >> Updated patch attached with TCP socket support removed.
> >
> > Last question
> >
> >> Index: policy/modules/services/mta.te
> >> ===================================================================
> >> --- policy/modules/services/mta.te (revision 2878)
> >> +++ policy/modules/services/mta.te (working copy)
> >> @@ -116,6 +116,9 @@
> >>
> >> domain_use_interactive_fds(system_mail_t)
> >>
> >> + # newaliases runs as system_mail_t when the sendmail
> initscript does a restart
> >> + milter_getattr_all_sockets(system_mail_t)
> >> +
> >> # postfix needs this for newaliases
> >> files_getattr_tmp_dirs(system_mail_t)
> >
> > Why is this bit in the optional_policy for postfix instead of its
> own
> > optional_policy at the top level?
>
> Not intentional. I saw the similar entry for postfix and put the
> extra
> line near it, not realizing the significance of the multiple
> optional_policy blocks.
>
> Revised patch attached.
Merged, with a couple tweaks.
>
>
>
>
>
>
> differences
> between files
> attachment
> (milters.patch)
>
> Index: policy/modules/services/sendmail.te
> ===================================================================
> --- policy/modules/services/sendmail.te (revision 2882)
> +++ policy/modules/services/sendmail.te (working copy)
> @@ -109,6 +109,10 @@
> ')
>
> optional_policy(`
> + milter_stream_connect_all(sendmail_t)
> +')
> +
> +optional_policy(`
> postfix_exec_master(sendmail_t)
> postfix_read_config(sendmail_t)
> postfix_search_spool(sendmail_t)
> Index: policy/modules/services/mta.te
> ===================================================================
> --- policy/modules/services/mta.te (revision 2882)
> +++ policy/modules/services/mta.te (working copy)
> @@ -103,6 +103,11 @@
> ')
>
> optional_policy(`
> + # newaliases runs as system_mail_t when the sendmail
> initscript does a restart
> + milter_getattr_all_sockets(system_mail_t)
> +')
> +
> +optional_policy(`
> nagios_read_tmp_files(system_mail_t)
> ')
>
> Index: policy/modules/services/milter.te
> ===================================================================
> --- policy/modules/services/milter.te (revision 0)
> +++ policy/modules/services/milter.te (revision 0)
> @@ -0,0 +1,54 @@
> +policy_module(milter,0.3.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# attributes common to all milters
> +attribute milter_domains;
> +attribute milter_data_type;
> +
> +# currently-supported milters are milter-regex and spamass-milter
> +milter_template(regex)
> +milter_template(spamass)
> +
> +########################################
> +#
> +# milter-regex local policy
> +# filter emails using regular expressions
> +# http://www.benzedrine.cx/milter-regex.html
> +#
> +
> +# Look up username for dropping privs
> +auth_use_nsswitch(regex_milter_t)
> +
> +# Config is in /etc/mail/milter-regex.conf
> +mta_read_config(regex_milter_t)
> +
> +# The milter's socket directory lives under /var/spool
> +files_search_spool(regex_milter_t)
> +
> +# It removes any existing socket (not owned by root) whilst running
> as root
> +# and then calls setgid() and setuid() to drop privileges
> +allow regex_milter_t self:capability { setuid setgid dac_override };
> +
> +
> +########################################
> +#
> +# spamass-milter local policy
> +# pipe emails through SpamAssassin
> +# http://savannah.nongnu.org/projects/spamass-milt/
> +#
> +
> +# The main job of the milter is to pipe spam through spamc and act on
> the result
> +spamassassin_domtrans_spamc(spamass_milter_t)
> +
> +# When used with -b or -B options, the milter invokes sendmail to
> send mail
> +# to a spamtrap address, using popen()
> +corecmd_exec_shell(spamass_milter_t)
> +corecmd_read_bin_symlinks(spamass_milter_t)
> +corecmd_search_bin(spamass_milter_t)
> +kernel_read_system_state(spamass_milter_t)
> +mta_send_mail(spamass_milter_t)
> +
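Review bot: `allow regex_milter_t self:capability { setuid setgid dac_override };` grants dac_override, which lets the domain bypass every DAC permission check rather than only the removal of a stale socket the comment describes; if /var/spool/milter-regex is root-owned and owner-writable, uid 0 needs no capability to unlink a socket there, so it is worth confirming the denial in an audit log before keeping that permission. Separately, milter.fc labels `/var/run/spamass-milter\.pid` as spamass_milter_data_t but nothing in this file sets up a file transition, so if the daemon itself creates the pid file it will be labelled var_run_t until a relabel; `files_pid_filetrans(spamass_milter_t, spamass_milter_data_t, file)` would fix that (disregard if the initscript writes the pid file). A short why-comment on `kernel_read_system_state(spamass_milter_t)` would also help, since the surrounding comment only explains the popen() of sendmail.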
> Index: policy/modules/services/spamassassin.fc
> ===================================================================
> --- policy/modules/services/spamassassin.fc (revision 2882)
> +++ policy/modules/services/spamassassin.fc (working copy)
> @@ -10,7 +10,6 @@
> /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
>
> /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
> -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
>
> /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
> /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
> Index: policy/modules/services/milter.fc
> ===================================================================
> --- policy/modules/services/milter.fc (revision 0)
> +++ policy/modules/services/milter.fc (revision 0)
> @@ -0,0 +1,7 @@
> +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
> +
> +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
> +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> +/var/run/spamass-milter
> \.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
> +
> Index: policy/modules/services/milter.if
> ===================================================================
> --- policy/modules/services/milter.if (revision 0)
> +++ policy/modules/services/milter.if (revision 0)
> @@ -0,0 +1,86 @@
> +## Milter mail filters
> +
> +########################################
> +##
> +## Create a set of derived types for various
> +## mail filter applications using the milter interface.
> +##
> +##
> +##
> +## The name to be used for deriving type names.
> +##
> +##
> +#
> +template(`milter_template',`
> +
> + # attributes common to all milters
> + gen_require(`
> + attribute milter_data_type, milter_domains;
> + ')
> +
> + # Type that the milter application runs as
> + type $1_milter_t, milter_domains;
> + domain_type($1_milter_t)
> + role system_r types $1_milter_t;
> +
> + # Type for the executable file
> + type $1_milter_exec_t;
> + init_daemon_domain($1_milter_t, $1_milter_exec_t)
> +
> + # Type for the milter data (e.g. the socket used to
> communicate with the MTA)
> + type $1_milter_data_t, milter_data_type;
> + files_type($1_milter_data_t);
> +
> + # Allow communication with MTA over a unix-domain socket
> + # Note: usage with TCP sockets requires additional policy
> + manage_sock_files_pattern($1_milter_t,$1_milter_data_t,
> $1_milter_data_t)
> +
> + # Create other data files and directories in the data
> directory
> + manage_files_pattern($1_milter_t,$1_milter_data_t,
> $1_milter_data_t)
> +
> + # Things that all(?) milters will need to do
> + libs_use_ld_so($1_milter_t)
> + libs_use_shared_libs($1_milter_t)
> + miscfiles_read_localization($1_milter_t)
> + init_use_fds($1_milter_t)
> + allow $1_milter_t self:fifo_file rw_fifo_file_perms;
> + logging_send_syslog_msg($1_milter_t)
> +
> +')
> +
> +########################################
> +##
> +## MTA communication with milter sockets
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`milter_stream_connect_all',`
> + gen_require(`
> + attribute milter_data_type, milter_domains;
> + ')
> + getattr_dirs_pattern($1,milter_data_type,milter_data_type)
> + stream_connect_pattern($1,milter_data_type,milter_data_type,milter_domains)
> +')
> +
> +########################################
> +##
> +## Allow getattr of milter sockets
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`milter_getattr_all_sockets',`
> + gen_require(`
> + attribute milter_data_type;
> + ')
> + getattr_dirs_pattern($1,milter_data_type,milter_data_type)
> + getattr_sock_files_pattern($1,milter_data_type,milter_data_type)
> +')
> +
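Review bot: `files_type($1_milter_data_t);` in milter_template carries a trailing semicolon while every other interface call in the file has none; drop it for consistency, `files_type($1_milter_data_t)`. `domain_type($1_milter_t)` and `role system_r types $1_milter_t;` look redundant next to `init_daemon_domain($1_milter_t, $1_milter_exec_t)`, which in refpolicy already makes the domain a daemon domain and associates it with system_r — worth confirming against init.if before removing them. The `<summary>`, `<param>` and `<desc>` markup that refpolicy's interface documentation expects is not visible around the `##` lines of the template and the two interfaces in this quoted copy; if that is the mail archive stripping tags rather than the patch omitting them, disregard this.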
> Index: policy/modules/services/postfix.te
> ===================================================================
> --- policy/modules/services/postfix.te (revision 2882)
> +++ policy/modules/services/postfix.te (working copy)
> @@ -519,6 +519,10 @@
> cyrus_stream_connect(postfix_smtp_t)
> ')
>
> +optional_policy(`
> + milter_stream_connect_all(postfix_smtp_t)
> +')
> +
> ########################################
> #
> # Postfix smtpd local policy
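Review bot: `milter_stream_connect_all(postfix_smtp_t)` grants milter socket access to the Postfix smtp client domain, but Postfix connects to milters from smtpd (smtpd_milters) and cleanup (non_smtpd_milters), so this call appears to be in the wrong section — it sits at the end of the postfix smtp block, immediately before the "Postfix smtpd local policy" header — and the real connections would still be denied. Unless the smtp client genuinely needs it, the call should be `milter_stream_connect_all(postfix_smtpd_t)` placed in the smtpd section, with a matching call for postfix_cleanup_t where non_smtpd_milters is used. The enclosing optional_policy block for postfix_smtp_t starts outside the hunk.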
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150