From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 24 Nov 2008 12:47:39 -0500
Subject: [refpolicy] Milter Mail Filters
In-Reply-To: <492AD144.5030205@city-fan.org>
References: <49218846.7060305@city-fan.org> <1227535903.29210.22.camel@gorn>
	<492ABB5D.5000001@city-fan.org> <1227539855.29210.27.camel@gorn>
	<492AD144.5030205@city-fan.org>
Message-ID: <1227548862.29210.34.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2008-11-24 at 16:07 +0000, Paul Howarth wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-11-24 at 14:34 +0000, Paul Howarth wrote:
> >> Revised patch attached.
> > 
> > Merged, with a couple tweaks.
> 
> The tweaks seem quite significant:
> 
> $ diff milter.if.pgh milter.if
> 21d20
> < 	domain_type($1_milter_t)

redundant due to init_daemon_domain()

> 39,41d37
> < 	# Things that all(?) milters will need to do
> < 	libs_use_ld_so($1_milter_t)
> < 	libs_use_shared_libs($1_milter_t)

All domains now have these rules (see line 109 of domain.te).

> 43d38
> < 	init_use_fds($1_milter_t)

Its actually the fd for the console, which isn't necessary to be
inherited, nor would we want used by services.  Its dontaudited by
init_daemon_domain().

> Are these four interface calls omitted deliberately?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150