From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Jul 2009 09:31:04 -0400
Subject: [refpolicy] Initial DKIM Milter policy from Russell Coker
In-Reply-To: <87vdmciee5.fsf@anzu.internal.golden-gryphon.com>
References: <87vdmciee5.fsf@anzu.internal.golden-gryphon.com>
Message-ID: <1247578267.31521.54.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, 2009-07-01 at 10:58 -0500, Manoj Srivastava wrote:
> Hi,
>
> This is from Russell Coker's policy for Debian systems.
We have a milter policy. Can this be updated to leverage
milter_template()?
> diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
> new file mode 100644
> index 0000000..a4d7846
> --- /dev/null
> +++ b/policy/modules/services/dkim.fc
> @@ -0,0 +1,6 @@
> +/etc/dkim(/.*)? gen_context(system_u:object_r:dkim_etc_t,s0)
> +/etc/dkim-filter.conf -- gen_context(system_u:object_r:dkim_etc_t,s0)
> +
> +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_exec_t,s0)
> +
> +/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_var_run_t,s0)
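Review bot: the signing material is not given its own label in this hunk: everything under /etc/dkim(/.*)? and /etc/dkim-filter.conf is dkim_etc_t, so any future interface that grants read access to the configuration also exposes whatever private keys are stored in that tree. If the keys live under /etc/dkim, consider a dedicated type for the key location (a hypothetical dkim_key_t on a narrower path) so that only dkim_t can read it; if they live elsewhere, this .fc needs an entry for that location too, because dkim.te only lets dkim_t read dkim_etc_t and the generic etc files. Also note that the type names used here (dkim_t, dkim_exec_t, dkim_var_run_t) will change if the module is reworked around milter_template() as suggested above, so the .fc should be regenerated with the patch rather than patched up afterwards.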
> diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if
> new file mode 100644
> index 0000000..4ff2c40
> --- /dev/null
> +++ b/policy/modules/services/dkim.if
> @@ -0,0 +1,20 @@
> +## DKIM Milter - add and validate public key signatures on email
> +
> +########################################
> +##
> +## Connect to dkim-milter.
> +##
> +##
> +##
> +## Domain allowed to connect.
> +##
> +##
> +#
> +interface(`dkim_stream_connect',`
> + gen_require(`
> + type dkim_t, dkim_var_run_t;
> + ')
> +
> + stream_connect_pattern($1,dkim_var_run_t,dkim_var_run_t,dkim_t)
> +')
> +
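Review bot: the interface header in dkim.if has lost its documentation markup: the `## DKIM Milter - ...` module summary and the `## Connect to dkim-milter.` / `## Domain allowed to connect.` comments need the `<summary>` and `<param name="domain">` tags that refpolicy's doc tooling expects, otherwise the interface is undocumented in the generated reference and the empty `##` lines are just a skeleton. Functionally, stream_connect_pattern() only grants search on dkim_var_run_t, write on the sock_file and connectto on dkim_t; a caller reaching the socket under /var/run/dkim-filter also needs files_search_pids($1), which belongs inside this interface rather than being left to every caller. Style: write the call with spaces after the commas (`stream_connect_pattern($1, dkim_var_run_t, dkim_var_run_t, dkim_t)`) to match the rest of the tree, and the leading blank line after the file header should go.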
> diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
> new file mode 100644
> index 0000000..62c9a64
> --- /dev/null
> +++ b/policy/modules/services/dkim.te
> @@ -0,0 +1,64 @@
> +
> +policy_module(dkim,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# Main dkim domain
> +type dkim_t;
> +type dkim_exec_t;
> +init_daemon_domain(dkim_t, dkim_exec_t)
> +
> +# configuration files
> +type dkim_etc_t;
> +files_type(dkim_etc_t)
> +
> +# pid files
> +type dkim_var_run_t;
> +files_pid_file(dkim_var_run_t)
> +manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)
> +
> +########################################
> +#
> +# dkim local policy
> +#
> +
> +allow dkim_t self:capability { setgid setuid };
> +allow dkim_t self:fifo_file rw_fifo_file_perms;
> +allow dkim_t self:unix_stream_socket create_stream_socket_perms;
> +allow dkim_t self:tcp_socket { listen accept };
> +files_search_tmp(dkim_t)
> +
> +# configuration files
> +allow dkim_t dkim_etc_t:dir list_dir_perms;
> +read_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
> +read_lnk_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
> +
> +manage_sock_files_pattern(dkim_t,dkim_var_run_t,dkim_var_run_t)
> +
> +corenet_all_recvfrom_unlabeled(dkim_t)
> +corenet_all_recvfrom_netlabel(dkim_t)
> +corenet_tcp_sendrecv_all_if(dkim_t)
> +corenet_tcp_sendrecv_all_nodes(dkim_t)
> +corenet_tcp_sendrecv_all_ports(dkim_t)
> +corenet_tcp_bind_all_nodes(dkim_t)
> +
> +dev_read_rand(dkim_t)
> +dev_read_urand(dkim_t)
> +
> +files_read_etc_files(dkim_t)
> +
> +libs_use_ld_so(dkim_t)
> +libs_use_shared_libs(dkim_t)
> +
> +logging_send_syslog_msg(dkim_t)
> +
> +miscfiles_read_localization(dkim_t)
> +
> +sysnet_dns_name_resolve(dkim_t)
> +
> +kernel_read_system_state(dkim_t)
> +kernel_read_sysctl(dkim_t)
> +kernel_read_kernel_sysctls(dkim_t)
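Review bot: the TCP socket rules in dkim.te are both incomplete and over-broad. `allow dkim_t self:tcp_socket { listen accept };` grants no create, bind, getattr or read/write, so the inet listener the corenet_* lines prepare for would fail at socket() before it ever reaches listen(); if dkim-filter is meant to listen on an inet socket, use create_stream_socket_perms here. Conversely, corenet_tcp_bind_all_nodes together with corenet_tcp_sendrecv_all_ports lets the domain bind and send/receive on any port; a milter should get a dedicated port type with a corenet_tcp_bind_*_port() interface for it, and if only the unix socket in /var/run/dkim-filter is used, the whole corenet block and the tcp_socket rule can be dropped. Two smaller points: manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t) sits in the Declarations section and should move down next to manage_sock_files_pattern, and there is no files_pid_filetrans(dkim_t, dkim_var_run_t, { dir file sock_file }), so a /var/run/dkim-filter directory or socket created by the daemon at startup is labeled var_run_t rather than dkim_var_run_t and dkim_stream_connect() will not match it. files_search_tmp(dkim_t) with no tmp type declared also looks like a leftover; either add a dkim_tmp_t with a tmp filetrans or remove it.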
> diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
> index 12aed73..d2f0a27 100644
> --- a/policy/modules/services/postfix.te
> +++ b/policy/modules/services/postfix.te
> @@ -245,6 +262,10 @@ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
>
> corecmd_exec_bin(postfix_cleanup_t)
>
> +# for milters - may be a bug in postfix
> +allow postfix_cleanup_t postfix_smtpd_t:fd use;
> +allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write };
> +
> ########################################
> #
> # Postfix local local policy
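Review bot: the comment `# for milters - may be a bug in postfix` misdescribes the access and should be rewritten: Postfix's milter support deliberately has smtpd hand its open Milter connections to cleanup, which drives the end-of-message phase of the same Milter session, so cleanup using an smtpd file descriptor and reading/writing that unix stream socket is the designed data path, not a bug. Say that in the comment so the rule is not removed later as a workaround. The two allow rules are fine as raw rules since both types belong to the postfix module, but the mismatched hunk offsets (-245,6 +262,10) indicate the patch was generated on top of other local changes; please regenerate it against current refpolicy so it applies cleanly.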
> @@ -554,6 +575,15 @@ optional_policy(`
> ')
>
> optional_policy(`
> + clamav_stream_connect(postfix_smtpd_t)
> +')
> +
> +optional_policy(`
> + dkim_stream_connect(postfix_smtpd_t)
> + dkim_stream_connect(postfix_cleanup_t)
> +')
> +
> +optional_policy(`
> sasl_connect(postfix_smtpd_t)
> ')
>
>
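Review bot: the clamav_stream_connect(postfix_smtpd_t) optional_policy block is unrelated to DKIM and should be split out into its own patch with its own justification (it also needs checking against whatever clamav access postfix.te already grants, which this hunk does not show). For the dkim block, connecting both postfix_smtpd_t and postfix_cleanup_t is consistent with the smtpd/cleanup socket sharing in the previous hunk, but both dkim_stream_connect() calls will need to follow whatever interface name results if the module is rebuilt on milter_template() as asked above.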
> --
> Someone will try to honk your nose today.
> Manoj Srivastava
> 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150