From: srivasta@golden-gryphon.com (Manoj Srivastava)
Date: Wed, 01 Jul 2009 10:58:26 -0500
Subject: [refpolicy] Initial DKIM Milter policy from Russell Coker
Message-ID: <87vdmciee5.fsf@anzu.internal.golden-gryphon.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi,
This is from Russell Cokers policy for Debian systems.
manoj
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
new file mode 100644
index 0000000..a4d7846
--- /dev/null
+++ b/policy/modules/services/dkim.fc
@@ -0,0 +1,6 @@
+/etc/dkim(/.*)? gen_context(system_u:object_r:dkim_etc_t,s0)
+/etc/dkim-filter.conf -- gen_context(system_u:object_r:dkim_etc_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_exec_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_var_run_t,s0)
diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if
new file mode 100644
index 0000000..4ff2c40
--- /dev/null
+++ b/policy/modules/services/dkim.if
@@ -0,0 +1,20 @@
+## DKIM Milter - add and validate public key signatures on email
+
+########################################
+##
+## Connect to dkim-milter.
+##
+##
+##
+## Domain allowed to connect.
+##
+##
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_t, dkim_var_run_t;
+ ')
+
+ stream_connect_pattern($1,dkim_var_run_t,dkim_var_run_t,dkim_t)
+')
+
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
new file mode 100644
index 0000000..62c9a64
--- /dev/null
+++ b/policy/modules/services/dkim.te
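Review bot: `/etc/dkim(/.*)?` and `/etc/dkim-filter.conf` both get dkim_etc_t, a plain files_type, so if the DKIM private signing key is stored under that tree it carries exactly the same label as the public configuration. The signing key is the secret the milter exists to protect; a dedicated type (e.g. a constructed `dkim_key_t`, declared as files_type, readable only by dkim_t, with its own fc entry for the key directory) keeps any future `dkim_read_config`-style interface from handing out the key as a side effect. The key's on-disk location is not visible in this patch, so confirm it against the Debian package layout before adding the entry.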
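Review bot: `dkim_stream_connect` grants the connect to the socket but not the directory search needed to reach it: a caller with no existing access to /var/run is denied on `dir search` before it ever touches dkim_var_run_t. Other refpolicy `*_stream_connect` interfaces carry `files_search_pids($1)` for this reason; add that line before the `stream_connect_pattern` call. The doc block as rendered here shows only bare `##` lines; if the `<summary>`/`<param name="domain">` markup was lost only in the mail archive, disregard, otherwise it needs restoring for the interface documentation to build.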
@@ -0,0 +1,64 @@
+
+policy_module(dkim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# Main dkim domain
+type dkim_t;
+type dkim_exec_t;
+init_daemon_domain(dkim_t, dkim_exec_t)
+
+# configuration files
+type dkim_etc_t;
+files_type(dkim_etc_t)
+
+# pid files
+type dkim_var_run_t;
+files_pid_file(dkim_var_run_t)
+manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)
+
+########################################
+#
+# dkim local policy
+#
+
+allow dkim_t self:capability { setgid setuid };
+allow dkim_t self:fifo_file rw_fifo_file_perms;
+allow dkim_t self:unix_stream_socket create_stream_socket_perms;
+allow dkim_t self:tcp_socket { listen accept };
+files_search_tmp(dkim_t)
+
+# configuration files
+allow dkim_t dkim_etc_t:dir list_dir_perms;
+read_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+read_lnk_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+
+manage_sock_files_pattern(dkim_t,dkim_var_run_t,dkim_var_run_t)
+
+corenet_all_recvfrom_unlabeled(dkim_t)
+corenet_all_recvfrom_netlabel(dkim_t)
+corenet_tcp_sendrecv_all_if(dkim_t)
+corenet_tcp_sendrecv_all_nodes(dkim_t)
+corenet_tcp_sendrecv_all_ports(dkim_t)
+corenet_tcp_bind_all_nodes(dkim_t)
+
+dev_read_rand(dkim_t)
+dev_read_urand(dkim_t)
+
+files_read_etc_files(dkim_t)
+
+libs_use_ld_so(dkim_t)
+libs_use_shared_libs(dkim_t)
+
+logging_send_syslog_msg(dkim_t)
+
+miscfiles_read_localization(dkim_t)
+
+sysnet_dns_name_resolve(dkim_t)
+
+kernel_read_system_state(dkim_t)
+kernel_read_sysctl(dkim_t)
+kernel_read_kernel_sysctls(dkim_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 12aed73..d2f0a27 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
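Review bot: The pid/socket directory is labeled only by the fc entry for /var/run/dkim-filter(/.*)?; there is no `files_pid_filetrans(dkim_t, dkim_var_run_t, { dir file sock_file })` and no `manage_dirs_pattern` on dkim_var_run_t, so if the daemon creates that directory itself on a fresh tmpfs /var/run it ends up as var_run_t and the socket is unreachable through `dkim_stream_connect`. Separately, `allow dkim_t self:tcp_socket { listen accept }` combined with `corenet_tcp_bind_all_nodes` and `corenet_tcp_sendrecv_all_ports` is either dead (no `create`/`bind` on self:tcp_socket is granted, and the fc labels only a unix socket directory) or wider than needed; if a TCP milter socket is intended, grant `create_stream_socket_perms` and bind a named port type rather than all nodes and all ports. As a point of style, `manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)` sits in the Declarations section; move it beside `manage_sock_files_pattern` in the local policy section.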
@@ -245,6 +262,10 @@ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
 corecmd_exec_bin(postfix_cleanup_t)
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write };
+
 ########################################
 #
 # Postfix local local policy
@@ -554,6 +575,15 @@ optional_policy(`
 ')
 optional_policy(`
+ clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ dkim_stream_connect(postfix_smtpd_t)
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
 sasl_connect(postfix_smtpd_t)
 ')
-- 
Someone will try to honk your nose today.
Manoj Srivastava 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
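Review bot: The two new `allow postfix_cleanup_t postfix_smtpd_t:...` rules are unconditional, while the milter connections they exist for are added inside `optional_policy` blocks in the second hunk of this file; the comment itself says the fd use "may be a bug in postfix", so this grants cleanup read/write on an apparently leaked smtpd socket on every installation, milter or not. If cleanup never actually needs that descriptor, `dontaudit postfix_cleanup_t postfix_smtpd_t:fd use;` together with a matching dontaudit on the unix_stream_socket keeps the logs quiet without widening the domain; if it is needed, record in the comment which socket it is so the rule can be retired once the leak is fixed. The postfix_cleanup section these lines belong to begins outside the hunk.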
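Review bot: `clamav_stream_connect(postfix_smtpd_t)` is an unrelated milter grant bundled into a DKIM commit; it should land as its own change with its own justification so that a reviewer of the clamav module sees it. The dkim block itself looks intended: `dkim_stream_connect(postfix_cleanup_t)` presumably covers Postfix's non_smtpd_milters path for locally submitted mail, and that rationale deserves a one-line comment such as `# non_smtpd_milters: cleanup also talks to the milter` since the fd-use rules earlier in this file already show uncertainty about which Postfix daemon reaches the milters. The `optional_policy` block closed by the hunk's first context line begins outside the hunk.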