From: srivasta@golden-gryphon.com (Manoj Srivastava)
Date: Wed, 01 Jul 2009 10:58:26 -0500
Subject: [refpolicy] Initial DKIM Milter policy from Russell Coker
Message-ID: <87vdmciee5.fsf@anzu.internal.golden-gryphon.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi,
This is from Russell Cokers policy for Debian systems.
manoj
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
new file mode 100644
index 0000000..a4d7846
--- /dev/null
+++ b/policy/modules/services/dkim.fc
@@ -0,0 +1,6 @@
+/etc/dkim(/.*)? gen_context(system_u:object_r:dkim_etc_t,s0)
+/etc/dkim-filter.conf -- gen_context(system_u:object_r:dkim_etc_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_exec_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_var_run_t,s0)
diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if
new file mode 100644
index 0000000..4ff2c40
--- /dev/null
+++ b/policy/modules/services/dkim.if
@@ -0,0 +1,20 @@
+## DKIM Milter - add and validate public key signatures on email
+
+########################################
+##
+## Connect to dkim-milter.
+##
+##
+##
+## Domain allowed to connect.
+##
+##
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_t, dkim_var_run_t;
+ ')
+
+ stream_connect_pattern($1,dkim_var_run_t,dkim_var_run_t,dkim_t)
+')
+
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
new file mode 100644
index 0000000..62c9a64
--- /dev/null
+++ b/policy/modules/services/dkim.te
@@ -0,0 +1,64 @@
+
+policy_module(dkim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# Main dkim domain
+type dkim_t;
+type dkim_exec_t;
+init_daemon_domain(dkim_t, dkim_exec_t)
+
+# configuration files
+type dkim_etc_t;
+files_type(dkim_etc_t)
+
+# pid files
+type dkim_var_run_t;
+files_pid_file(dkim_var_run_t)
+manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)
+
+########################################
+#
+# dkim local policy
+#
+
+allow dkim_t self:capability { setgid setuid };
+allow dkim_t self:fifo_file rw_fifo_file_perms;
+allow dkim_t self:unix_stream_socket create_stream_socket_perms;
+allow dkim_t self:tcp_socket { listen accept };
+files_search_tmp(dkim_t)
+
+# configuration files
+allow dkim_t dkim_etc_t:dir list_dir_perms;
+read_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+read_lnk_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+
+manage_sock_files_pattern(dkim_t,dkim_var_run_t,dkim_var_run_t)
+
+corenet_all_recvfrom_unlabeled(dkim_t)
+corenet_all_recvfrom_netlabel(dkim_t)
+corenet_tcp_sendrecv_all_if(dkim_t)
+corenet_tcp_sendrecv_all_nodes(dkim_t)
+corenet_tcp_sendrecv_all_ports(dkim_t)
+corenet_tcp_bind_all_nodes(dkim_t)
+
+dev_read_rand(dkim_t)
+dev_read_urand(dkim_t)
+
+files_read_etc_files(dkim_t)
+
+libs_use_ld_so(dkim_t)
+libs_use_shared_libs(dkim_t)
+
+logging_send_syslog_msg(dkim_t)
+
+miscfiles_read_localization(dkim_t)
+
+sysnet_dns_name_resolve(dkim_t)
+
+kernel_read_system_state(dkim_t)
+kernel_read_sysctl(dkim_t)
+kernel_read_kernel_sysctls(dkim_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 12aed73..d2f0a27 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -245,6 +262,10 @@ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write };
+
########################################
#
# Postfix local local policy
@@ -554,6 +575,15 @@ optional_policy(`
')
optional_policy(`
+ clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ dkim_stream_connect(postfix_smtpd_t)
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
sasl_connect(postfix_smtpd_t)
')
--
Someone will try to honk your nose today.
Manoj Srivastava
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C