2009-03-17 15:25:26

by paul

Subject: [refpolicy] milter-state-dir.patch

This is a patch to support a single system-wide spamassassin
configuration using spamass-milter. Current policy only supports a
spamassassin configuration that uses separate per-user config files,
which are stored either in ~/.spamassassin for real users or in some
system-specific directory probably labelled spamassassin_spool_t for
virtual users.

The current Fedora spamass-milter package runs as user sa-milt, having a
home directory of /var/run/spamass-milter. This has proved to be an
unfortunate choice because all files (including the system-wide
spamassassin preferences and bayes databases) get cleared out of that
directory on reboot (http://bugzilla.redhat.com/489995). I therefore
intend to change the home directory of this user to /var/lib/spamass-milter.

This patch provides for appropriate labelling and rules for this
directory to allow spamass-milter and spamassassin to work in this
configuration.

Paul.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: milter-state-dir.patch
Type: text/x-patch
Size: 2963 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090317/093c621f/attachment.bin


2009-04-02 15:22:40

by paul

Subject: [refpolicy] milter-state-dir.patch

Paul Howarth wrote:
> This is a patch to support a single system-wide spamassassin
> configuration using spamass-milter. Current policy only supports a
> spamassassin configuration that uses separate per-user config files,
> which are stored either in ~/.spamassassin for real users or in some
> system-specific directory probably labelled spamassassin_spool_t for
> virtual users.
>
> The current Fedora spamass-milter package runs as user sa-milt, having a
> home directory of /var/run/spamass-milter. This has proved to be an
> unfortunate choice because all files (including the system-wide
> spamassassin preferences and bayes databases) get cleared out of that
> directory on reboot (http://bugzilla.redhat.com/489995). I therefore
> intend to change the home directory of this user to
> /var/lib/spamass-milter.
>
> This patch provides for appropriate labelling and rules for this
> directory to allow spamass-milter and spamassassin to work in this
> configuration.

Attached is an updated version of the patch that:

* renames the spamass_milter_manage_state interface to
milter_spamass_manage_state so as to fit the naming convention better

* adds milter_spamass_manage_state(spamc_t), needed for razor, pyzor
etc. called from spamassassin when installed and used with the milter

Paul.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: milter-state-dir.patch
Type: text/x-patch
Size: 3150 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090402/8ea7bb42/attachment.bin

2009-04-21 20:12:27

by cpebenito

Subject: [refpolicy] milter-state-dir.patch

On Thu, 2009-04-02 at 16:22 +0100, Paul Howarth wrote:
> Paul Howarth wrote:
> > This is a patch to support a single system-wide spamassassin
> > configuration using spamass-milter. Current policy only supports a
> > spamassassin configuration that uses separate per-user config files,
> > which are stored either in ~/.spamassassin for real users or in some
> > system-specific directory probably labelled spamassassin_spool_t for
> > virtual users.
> >
> > The current Fedora spamass-milter package runs as user sa-milt, having a
> > home directory of /var/run/spamass-milter. This has proved to be an
> > unfortunate choice because all files (including the system-wide
> > spamassassin preferences and bayes databases) get cleared out of that
> > directory on reboot (http://bugzilla.redhat.com/489995). I therefore
> > intend to change the home directory of this user to
> > /var/lib/spamass-milter.
> >
> > This patch provides for appropriate labelling and rules for this
> > directory to allow spamass-milter and spamassassin to work in this
> > configuration.
>
> Attached is an updated version of the patch that:
>
> * renames the spamass_milter_manage_state interface to
> milter_spamass_manage_state so as to fit the naming convention better
>
> * adds milter_spamass_manage_state(spamc_t), needed for razor, pyzor
> etc. called from spamassassin when installed and used with the milter

Sorry for the slow response. Two things.

* The interface should be milter_manage_spamass_state().

* Is this needed because of the way that Fedora configures it? (is this
a Fedora-specific change) If so, it should likely be in a
distro_redhat.

>
> differences between files attachment (milter-state-dir.patch)
>
> Index: policy/modules/services/spamassassin.te
> ===================================================================
> --- policy/modules/services/spamassassin.te (revision 2937)
> +++ policy/modules/services/spamassassin.te (working copy)
> @@ -280,6 +280,11 @@
> ')
>
> optional_policy(`
> + # Needed for pyzor/razor called from spamd
> + milter_spamass_manage_state(spamc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(spamc_t)
> ')
>
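
Review bot: The comment on the first new optional_policy block says "Needed for pyzor/razor called from spamd", but the call under it grants the access to spamc_t, and spamd_t gets its own call in the next hunk. Reword the comment to name the spamc_t case it actually covers, so a later reader can tell why the client domain needs manage access to the milter state directory.
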
> @@ -454,5 +459,9 @@
> ')
>
> optional_policy(`
> + milter_spamass_manage_state(spamd_t)
> +')
> +
> +optional_policy(`
> udev_read_db(spamd_t)
> ')
> Index: policy/modules/services/milter.te
> ===================================================================
> --- policy/modules/services/milter.te (revision 2937)
> +++ policy/modules/services/milter.te (working copy)
> @@ -14,6 +14,12 @@
> milter_template(regex)
> milter_template(spamass)
>
> +# Type for the spamass-milter home directory, under which
> spamassassin will
> +# store system-wide preferences, bayes databases etc. if not
> configured to
> +# use per-user configuration
> +type spamass_milter_state_t;
> +files_type(spamass_milter_state_t);
> +
> ########################################
> #
> # milter-regex local policy
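
Review bot: files_type(spamass_milter_state_t); ends in a semicolon, while the macro calls in the surrounding context, milter_template(regex) and milter_template(spamass), have none; drop it for consistency. The type declaration on the line above keeps its semicolon.
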
> @@ -41,6 +47,10 @@
> # http://savannah.nongnu.org/projects/spamass-milt/
> #
>
> +# The milter runs from /var/lib/spamass-milter
> +files_search_var_lib(spamass_milter_t);
> +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
> +
> kernel_read_system_state(spamass_milter_t)
>
> # When used with -b or -B options, the milter invokes sendmail to
> send mail
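
Review bot: The comment above the two new rules says where the milter runs but not what access it needs; the rules grant only search on /var/lib and on spamass_milter_state_t directories, so the comment should say that the milter only traverses this directory, if that is the intent. files_search_var_lib(spamass_milter_t); also has a trailing semicolon that kernel_read_system_state(spamass_milter_t) just below it does not.
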
> Index: policy/modules/services/milter.fc
> ===================================================================
> --- policy/modules/services/milter.fc (revision 2937)
> +++ policy/modules/services/milter.fc (working copy)
> @@ -2,5 +2,6 @@
> /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
>
> /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
> +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
> /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> /var/run/spamass-milter
> \.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
> Index: policy/modules/services/milter.if
> ===================================================================
> --- policy/modules/services/milter.if (revision 2937)
> +++ policy/modules/services/milter.if (working copy)
> @@ -77,3 +77,24 @@
> getattr_dirs_pattern($1, milter_data_type, milter_data_type)
> getattr_sock_files_pattern($1, milter_data_type,
> milter_data_type)
> ')
> +
> +########################################
> +## <summary>
> +## Manage spamassassin milter state
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`milter_spamass_manage_state',`
> + gen_require(`
> + type spamass_milter_state_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, spamass_milter_state_t,
> spamass_milter_state_t)
> + manage_dirs_pattern($1, spamass_milter_state_t,
> spamass_milter_state_t)
> + manage_lnk_files_pattern($1, spamass_milter_state_t,
> spamass_milter_state_t)
> +')
>
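
Review bot: The summary of milter_spamass_manage_state says only "Manage spamassassin milter state", while the body grants manage access to files, directories and symbolic links of type spamass_milter_state_t; name those object classes in the summary so callers can see how much they are granting. The name also puts the object before the verb, unlike files_search_var_lib called in the body; milter_manage_spamass_state would match, with the two callers in spamassassin.te updated to suit.
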
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-04-21 20:33:00

by paul

Subject: [refpolicy] milter-state-dir.patch

On Tue, 21 Apr 2009 16:12:27 -0400
"Christopher J. PeBenito" <[email protected]> wrote:

> On Thu, 2009-04-02 at 16:22 +0100, Paul Howarth wrote:
> > Paul Howarth wrote:
> > > This is a patch to support a single system-wide spamassassin
> > > configuration using spamass-milter. Current policy only supports
> > > a spamassassin configuration that uses separate per-user config
> > > files, which are stored either in ~/.spamassassin for real users
> > > or in some system-specific directory probably labelled
> > > spamassassin_spool_t for virtual users.
> > >
> > > The current Fedora spamass-milter package runs as user sa-milt,
> > > having a home directory of /var/run/spamass-milter. This has
> > > proved to be an unfortunate choice because all files (including
> > > the system-wide spamassassin preferences and bayes databases) get
> > > cleared out of that directory on reboot
> > > (http://bugzilla.redhat.com/489995). I therefore intend to change
> > > the home directory of this user to /var/lib/spamass-milter.
> > >
> > > This patch provides for appropriate labelling and rules for this
> > > directory to allow spamass-milter and spamassassin to work in
> > > this configuration.
> >
> > Attached is an updated version of the patch that:
> >
> > * renames the spamass_milter_manage_state interface to
> > milter_spamass_manage_state so as to fit the naming convention
> > better
> >
> > * adds milter_spamass_manage_state(spamc_t), needed for razor,
> > pyzor etc. called from spamassassin when installed and used with
> > the milter
>
> Sorry for the slow response. Two things.
>
> * The interface should be milter_manage_spamass_state().

OK: do you want me to resubmit the patch or can you do the rename
whilst merging?

> * Is this needed because of the way that Fedora configures it? (is
> this a Fedora-specific change) If so, it should likely be in a
> distro_redhat.

No, it's not Fedora-specific. There's a bunch of different ways that
the milter and spamassassin can be configured, and I'd missed this one
originally.

Paul.

2009-04-21 21:09:36

by cpebenito

Subject: [refpolicy] milter-state-dir.patch

On Tue, 2009-04-21 at 21:33 +0100, Paul Howarth wrote:
> On Tue, 21 Apr 2009 16:12:27 -0400
> "Christopher J. PeBenito" <[email protected]> wrote:
>
> > On Thu, 2009-04-02 at 16:22 +0100, Paul Howarth wrote:
> > > Paul Howarth wrote:
> > > > This is a patch to support a single system-wide spamassassin
> > > > configuration using spamass-milter. Current policy only supports
> > > > a spamassassin configuration that uses separate per-user config
> > > > files, which are stored either in ~/.spamassassin for real users
> > > > or in some system-specific directory probably labelled
> > > > spamassassin_spool_t for virtual users.
> > > >
> > > > The current Fedora spamass-milter package runs as user sa-milt,
> > > > having a home directory of /var/run/spamass-milter. This has
> > > > proved to be an unfortunate choice because all files (including
> > > > the system-wide spamassassin preferences and bayes databases) get
> > > > cleared out of that directory on reboot
> > > > (http://bugzilla.redhat.com/489995). I therefore intend to change
> > > > the home directory of this user to /var/lib/spamass-milter.
> > > >
> > > > This patch provides for appropriate labelling and rules for this
> > > > directory to allow spamass-milter and spamassassin to work in
> > > > this configuration.
> > >
> > > Attached is an updated version of the patch that:
> > >
> > > * renames the spamass_milter_manage_state interface to
> > > milter_spamass_manage_state so as to fit the naming convention
> > > better
> > >
> > > * adds milter_spamass_manage_state(spamc_t), needed for razor,
> > > pyzor etc. called from spamassassin when installed and used with
> > > the milter
> >
> > Sorry for the slow response. Two things.
> >
> > * The interface should be milter_manage_spamass_state().
>
> OK: do you want me to resubmit the patch or can you do the rename
> whilst merging?
>
> > * Is this needed because of the way that Fedora configures it? (is
> > this a Fedora-specific change) If so, it should likely be in a
> > distro_redhat.
>
> No, it's not Fedora-specific. There's a bunch of different ways that
> the milter and spamassassin can be configured, and I'd missed this one
> originally.

Merged.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150