From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Apr 2009 16:12:27 -0400
Subject: [refpolicy] milter-state-dir.patch
In-Reply-To: <49D4D840.30704@city-fan.org>
References: <49BFC0E6.6040801@city-fan.org> <49D4D840.30704@city-fan.org>
Message-ID: <1240344748.19211.775.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Thu, 2009-04-02 at 16:22 +0100, Paul Howarth wrote:
> Paul Howarth wrote:
> > This is a patch to support a single system-wide spamassassin
> > configuration using spamass-milter. Current policy only supports a
> > spamassassin configuration that uses separate per-user config files,
> > which are stored either in ~/.spamassassin for real users or in some
> > system-specific directory probably labelled spamassassin_spool_t for
> > virtual users.
> >
> > The current Fedora spamass-milter package runs as user sa-milt, having a
> > home directory of /var/run/spamass-milter. This has proved to be an
> > unfortunate choice because all files (including the system-wide
> > spamassassin preferences and bayes databases) get cleared out of that
> > directory on reboot (http://bugzilla.redhat.com/489995). I therefore
> > intend to change the home directory of this user to
> > /var/lib/spamass-milter.
> >
> > This patch provides for appropriate labelling and rules for this
> > directory to allow spamass-milter and spamassassin to work in this
> > configuration.
>
> Attached is an updated version of the patch that:
>
> * renames the spamass_milter_manage_state interface to
> milter_spamass_manage_state so as to fit the naming convention better
>
> * adds milter_spamass_manage_state(spamc_t), needed for razor, pyzor
> etc. called from spamassassin when installed and used with the milter
Sorry for the slow response. Two things.

* The interface should be milter_manage_spamass_state().

* Is this needed because of the way that Fedora configures it? (is this a Fedora-specific change) If so, it should likely be in a distro_redhat.
>
> Index: policy/modules/services/spamassassin.te
> ===================================================================
> --- policy/modules/services/spamassassin.te (revision 2937)
> +++ policy/modules/services/spamassassin.te (working copy)
> @@ -280,6 +280,11 @@
> ')
>
> optional_policy(`
> + # Needed for pyzor/razor called from spamd
> + milter_spamass_manage_state(spamc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(spamc_t)
> ')
>
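Review bot: the comment on the added line ("Needed for pyzor/razor called from spamd") does not match the domain the rule is granted to, which is spamc_t; the cover letter says razor/pyzor are called from spamassassin, so either the comment should say spamc_t or the rule is on the wrong domain, and the reviewer cannot tell which from the hunk alone. The call site also uses the name milter_spamass_manage_state, so it needs updating together with the definition in milter.if when the interface is renamed to milter_manage_spamass_state as requested in the reply.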
> @@ -454,5 +459,9 @@
> ')
>
> optional_policy(`
> + milter_spamass_manage_state(spamd_t)
> +')
> +
> +optional_policy(`
> udev_read_db(spamd_t)
> ')
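Review bot: this optional_policy block carries no comment explaining why spamd_t needs manage (create/write/unlink) rather than read access to the milter's state directory, unlike the spamc_t block in the previous hunk; a one-line note that spamd updates the system-wide bayes databases under /var/lib/spamass-milter in this configuration would make the width of the grant reviewable. If the layout turns out to be Fedora-specific, these two spamassassin.te calls are the ones that would move under ifdef(`distro_redhat', ...).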
> Index: policy/modules/services/milter.te
> ===================================================================
> --- policy/modules/services/milter.te (revision 2937)
> +++ policy/modules/services/milter.te (working copy)
> @@ -14,6 +14,12 @@
> milter_template(regex)
> milter_template(spamass)
>
> +# Type for the spamass-milter home directory, under which
> spamassassin will
> +# store system-wide preferences, bayes databases etc. if not
> configured to
> +# use per-user configuration
> +type spamass_milter_state_t;
> +files_type(spamass_milter_state_t);
> +
> ########################################
> #
> # milter-regex local policy
> @@ -41,6 +47,10 @@
> # http://savannah.nongnu.org/projects/spamass-milt/
> #
>
> +# The milter runs from /var/lib/spamass-milter
> +files_search_var_lib(spamass_milter_t);
> +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
> +
> kernel_read_system_state(spamass_milter_t)
>
> # When used with -b or -B options, the milter invokes sendmail to
> send mail
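Review bot: spamass_milter_t is given only search on spamass_milter_state_t directories plus files_search_var_lib, which is the minimum needed to traverse its new home directory and is correct as long as the milter itself never opens files there (the cover letter says it is spamassassin, not the milter, that stores preferences and bayes data in it). Worth confirming against the audit log after moving the home directory, since any file access by the milter under /var/lib/spamass-milter will now be denied rather than covered by spamass_milter_data_t as it was under /var/run.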
> Index: policy/modules/services/milter.fc
> ===================================================================
> --- policy/modules/services/milter.fc (revision 2937)
> +++ policy/modules/services/milter.fc (working copy)
> @@ -2,5 +2,6 @@
> /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
>
> /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
> +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
> /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> /var/run/spamass-milter
> \.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
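Review bot: the new /var/lib/spamass-milter(/.*)? entry only labels files created after the policy is loaded or after a relabel; since the sa-milt home directory is being moved from /var/run to /var/lib, the package update that creates the directory (and migrates any preference or bayes files) needs a restorecon on it, otherwise the existing content stays var_lib_t and both the milter and spamd rules in this patch are never exercised.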
> Index: policy/modules/services/milter.if
> ===================================================================
> --- policy/modules/services/milter.if (revision 2937)
> +++ policy/modules/services/milter.if (working copy)
> @@ -77,3 +77,24 @@
> getattr_dirs_pattern($1, milter_data_type, milter_data_type)
> getattr_sock_files_pattern($1, milter_data_type,
> milter_data_type)
> ')
> +
> +########################################
> +##
> +## Manage spamassassin milter state
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`milter_spamass_manage_state',`
> + gen_require(`
> + type spamass_milter_state_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, spamass_milter_state_t,
> spamass_milter_state_t)
> + manage_dirs_pattern($1, spamass_milter_state_t,
> spamass_milter_state_t)
> + manage_lnk_files_pattern($1, spamass_milter_state_t,
> spamass_milter_state_t)
> +')
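Review bot: the doc block on the new interface shows only bare `##` lines around "Manage spamassassin milter state" and "Domain allowed access.", with no `<summary>` or `<param name="domain">` markup; if the tags were lost in transit that is fine, but they must be present in the committed file because the interface documentation is generated from that XML. The body is consistent with the other manage interfaces (files_search_var_lib($1) plus manage patterns for dirs, files and symlinks) and only needs the rename to milter_manage_spamass_state requested in the reply.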
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150