From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 18 Jun 2009 10:37:33 -0400 Subject: [refpolicy] Policy for milter-greylist In-Reply-To: <4A265398.5040105@city-fan.org> References: <4A265398.5040105@city-fan.org> Message-ID: <1245335855.4230.595.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2009-06-03 at 11:42 +0100, Paul Howarth wrote: > Patch attached. I'm using this myself and policy is already added in > Fedora. Merged.
> Index: policy/modules/services/milter.te
> ===================================================================
> --- policy/modules/services/milter.te (revision 2991)
> +++ policy/modules/services/milter.te (working copy)
> @@ -10,7 +10,8 @@
> attribute milter_domains;
> attribute milter_data_type;
> 
> -# currently-supported milters are milter-regex and spamass-milter
> +# currently-supported milters are milter-greylist, milter-regex and > spamass-milter
> +milter_template(greylist)
> milter_template(regex)
> milter_template(spamass) 
> 
> @@ -22,6 +23,35 @@
> 
> ########################################
> #
> +# milter-greylist local policy
> +# ensure smtp clients retry mail like real MTAs and not spamware
> +# http://hcpnet.free.fr/milter-greylist/
> +#
> +
> +# Look up username for dropping privs
> +auth_use_nsswitch(greylist_milter_t)
> +
> +# It creates a pid file /var/run/milter-greylist.pid
> +files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
> +
> +# It removes any existing socket (not owned by root) whilst running > as root,
> +# fixes permissions, renices itself and then calls setgid() and > setuid() to
> +# drop privileges
> +kernel_read_kernel_sysctls(greylist_milter_t)
> +allow greylist_milter_t self:capability { chown dac_override setgid > setuid sys_nice };
> +allow greylist_milter_t self:process { setsched getsched };
> +
> +# Allow the milter to read a GeoIP database in /usr/share
> +files_read_usr_files(greylist_milter_t)
> +
> +# The milter runs from /var/lib/milter-greylist and maintains files > there
> +files_search_var_lib(greylist_milter_t);
> +
> +# Config is in /etc/mail/greylist.conf
> +mta_read_config(greylist_milter_t)
> +
> +########################################
> +#
> # milter-regex local policy
> # filter emails using regular expressions
> # http://www.benzedrine.cx/milter-regex.html
> Index: policy/modules/services/milter.fc
> ===================================================================
> --- policy/modules/services/milter.fc (revision 2991)
> +++ policy/modules/services/milter.fc (working copy) 
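Review bot: The `allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };` line grants `dac_override`, which lets the domain bypass every discretionary permission check on the system, a much wider grant than the stale-socket cleanup the preceding comment describes. If the socket directory under /var/run is owned by the unprivileged greylist user, root does need `dac_override` to unlink a socket there and the comment should say so, e.g. `# dac_override: the socket dir is owned by the greylist user, so root needs it to unlink a stale socket`; if the directory is root-owned, the capability can probably be dropped (or turned into a `dontaudit` while the audit log confirms it is unused). The `kernel_read_kernel_sysctls(greylist_milter_t)` call sits under that same comment, which does not say which sysctl the daemon reads or why, so a one-line reason there would spare the next maintainer a guess. Separately, `files_search_var_lib(greylist_milter_t);` carries a trailing semicolon that none of the other interface calls in this hunk have; refpolicy style omits it, so `files_search_var_lib(greylist_milter_t)`.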
> @@ -1,3 +1,9 @@
> +/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> +
> +/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/run/milter-greylist > \.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +
> /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
> 
> -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
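Review bot: The `/var/run/milter-greylist(/.*)?` entry labels the socket directory `greylist_milter_data_t`, but the .te side of this patch only adds `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)`, so a directory that the daemon or its init script creates under /var/run at run time would be labelled with the generic var_run type instead and the socket inside it would inherit that. If the directory is created at run time rather than shipped by the package, a directory transition is needed as well, e.g. `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, { dir file })`; if the package ships it pre-labelled, a short comment saying so next to the pid-file transition would close the question for the next reviewer. The pid-file pattern is wrapped across two quoted lines in this archive copy (`/var/run/milter-greylist` then `\.pid`), so the exact regex that was merged should be checked against the repository rather than this text.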