From: paul@city-fan.org (Paul Howarth)
Date: Mon, 24 Nov 2008 16:07:32 +0000
Subject: [refpolicy] Milter Mail Filters
In-Reply-To: <1227539855.29210.27.camel@gorn>
References: <49218846.7060305@city-fan.org> <1227535903.29210.22.camel@gorn> <492ABB5D.5000001@city-fan.org> <1227539855.29210.27.camel@gorn>
Message-ID: <492AD144.5030205@city-fan.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher J. PeBenito wrote:
> On Mon, 2008-11-24 at 14:34 +0000, Paul Howarth wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-11-17 at 10:05 -0500, Paul Howarth wrote:
>>>> Updated patch attached with TCP socket support removed.
>>> Last question
>>>
>>>> Index: policy/modules/services/mta.te
>>>> ===================================================================
>>>> --- policy/modules/services/mta.te (revision 2878)
>>>> +++ policy/modules/services/mta.te (working copy)
>>>> @@ -116,6 +116,9 @@
>>>>
>>>> domain_use_interactive_fds(system_mail_t)
>>>>
>>>> + # newaliases runs as system_mail_t when the sendmail
>> initscript does a restart
>>>> + milter_getattr_all_sockets(system_mail_t)
>>>> +
>>>> # postfix needs this for newaliases
>>>> files_getattr_tmp_dirs(system_mail_t)
>>> Why is this bit in the optional_policy for postfix instead of its own
>>> optional_policy at the top level?
>> Not intentional. I saw the similar entry for postfix and put the extra
>> line near it, not realizing the significance of the multiple
>> optional_policy blocks.
>>
>> Revised patch attached.
>
> Merged, with a couple tweaks.

The tweaks seem quite significant:

$ diff milter.if.pgh milter.if
21d20
< domain_type($1_milter_t)
39,41d37
< # Things that all(?) milters will need to do
< libs_use_ld_so($1_milter_t)
< libs_use_shared_libs($1_milter_t)
43d38
< init_use_fds($1_milter_t)

Are these four interface calls omitted deliberately?

Paul.
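
Review bot: in the mta.te hunk, the added milter_getattr_all_sockets(system_mail_t) call sits directly above the "# postfix needs this for newaliases" rule, while its own comment ties it to the sendmail initscript, so placing it in the postfix block (as the quoted reply points out) makes a sendmail-related permission depend on postfix being present. Suggest moving the comment and the call into a separate top-level optional_policy block so that the getattr access to milter sockets depends only on the milter module.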
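
Review bot: the deletions at 21d20, 39,41d37 and 43d38 take domain_type, libs_use_ld_so, libs_use_shared_libs and init_use_fds for $1_milter_t out of milter.if, and this diff shows nothing added in their place. If another call in the same interface already supplies the type declaration and these permissions, a short comment naming it would document why they were dropped; otherwise each $1_milter_t domain is left without them.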