From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 21 May 2010 09:35:24 -0400
Subject: [refpolicy] [ Implement ClamSMTPd policy. 1/5] Implement advanced content filtering.
In-Reply-To: <20100427115253.GA32700@localhost.localdomain>
References: <20100427115253.GA32700@localhost.localdomain>
Message-ID: <1274448924.8988.7.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-04-27 at 13:52 +0200, Dominick Grift wrote:
> Content filtering software can receive and deliver mail via SMTP.
>
> Content filtering programs receive SMTP mail via localhost port 10025,
> and submit SMTP mail back into Postfix via localhost port 10026.
>
> These ports are referred to as before queue content filter and
> after queue content filter ports respectively.
>
> Declare tcp, 10025, s0 smtp_beforequeue_port_t.
> Declare tcp, 10026, s0 smtp_afterqueue_port_t.
>
> Remove the amavisd_send_port_t declaration. Amavisd_t will be
> allowed to tcp connect to smtp_beforequeue_port_t, and will
> be allowed to send and receive smtp before queue content filter
> client packets instead.

I think we should keep the amavis port labeling as is; it has been around a long time. The type name for 10026 should also be less ambiguous; clamsmtp is probably fine.

> Signed-off-by: Dominick Grift
> ---
> :100644 100644 6381618... 30daeea... M policy/modules/kernel/corenetwork.te.in
> policy/modules/kernel/corenetwork.te.in | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 6381618..30daeea 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -72,7 +72,6 @@ network_port(afs_vl, udp,7003,s0) > network_port(agentx, udp,705,s0, tcp,705,s0) > network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) > network_port(amavisd_recv, tcp,10024,s0) > -network_port(amavisd_send, tcp,10025,s0) > network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) > network_port(apcupsd, tcp,3551,s0, udp,3551,s0) > network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) > @@ -182,6 +181,8 @@ network_port(sap, tcp,9875,s0, udp,9875,s0) > network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) > network_port(smbd, tcp,137-139,s0, tcp,445,s0) > network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) > +network_port(smtp_afterqueue, tcp,10026,s0) > +network_port(smtp_beforequeue, tcp,10025,s0) > network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) > type socks_port_t, port_type; dnl network_port(socks) # no defined portcon > network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
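Review bot: in the first hunk (the -72,7 +72,6 region), dropping `-network_port(amavisd_send, tcp,10025,s0)` removes the amavisd_send_port_t type that the description says amavisd_t is currently allowed to connect to, while the amavis policy change that is supposed to replace that access is not in this patch; applied on its own, this leaves the module that references the old type inconsistent with corenetwork until the later patches of the series land. Either keep the declaration here and retire it in the same patch that updates amavis, or state in the commit message that patches 2-5 are required for the tree to build between them.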
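Review bot: in the second hunk (the -182,6 +181,8 region), the two added lines `+network_port(smtp_afterqueue, tcp,10026,s0)` and `+network_port(smtp_beforequeue, tcp,10025,s0)` name the types after a role ("before/after queue") rather than the daemon that owns the port, unlike the neighbouring amavisd_recv and smbd entries; since 10025 is the very port the previous hunk takes away from amavisd_send, the net effect is a rename of an existing port label plus one new port, and the naming makes it look as though every SMTP filter shares these types. Naming the new 10026 type for the daemon (clamsmtp) and leaving 10025 under its existing amavisd_send label would keep the convention and avoid the rename.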