Hi,
This is from Russell Cokers policy for Debian systems.
manoj
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
new file mode 100644
index 0000000..a4d7846
--- /dev/null
+++ b/policy/modules/services/dkim.fc
@@ -0,0 +1,6 @@
+/etc/dkim(/.*)? gen_context(system_u:object_r:dkim_etc_t,s0)
+/etc/dkim-filter.conf -- gen_context(system_u:object_r:dkim_etc_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_exec_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_var_run_t,s0)
diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if
new file mode 100644
index 0000000..4ff2c40
--- /dev/null
+++ b/policy/modules/services/dkim.if
@@ -0,0 +1,20 @@
+## <summary>DKIM Milter - add and validate public key signatures on email</summary>
+
+########################################
+## <summary>
+## Connect to dkim-milter.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to connect.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_t, dkim_var_run_t;
+ ')
+
+ stream_connect_pattern($1,dkim_var_run_t,dkim_var_run_t,dkim_t)
+')
+
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
new file mode 100644
index 0000000..62c9a64
--- /dev/null
+++ b/policy/modules/services/dkim.te
@@ -0,0 +1,64 @@
+
+policy_module(dkim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# Main dkim domain
+type dkim_t;
+type dkim_exec_t;
+init_daemon_domain(dkim_t, dkim_exec_t)
+
+# configuration files
+type dkim_etc_t;
+files_type(dkim_etc_t)
+
+# pid files
+type dkim_var_run_t;
+files_pid_file(dkim_var_run_t)
+manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)
+
+########################################
+#
+# dkim local policy
+#
+
+allow dkim_t self:capability { setgid setuid };
+allow dkim_t self:fifo_file rw_fifo_file_perms;
+allow dkim_t self:unix_stream_socket create_stream_socket_perms;
+allow dkim_t self:tcp_socket { listen accept };
+files_search_tmp(dkim_t)
+
+# configuration files
+allow dkim_t dkim_etc_t:dir list_dir_perms;
+read_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+read_lnk_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+
+manage_sock_files_pattern(dkim_t,dkim_var_run_t,dkim_var_run_t)
+
+corenet_all_recvfrom_unlabeled(dkim_t)
+corenet_all_recvfrom_netlabel(dkim_t)
+corenet_tcp_sendrecv_all_if(dkim_t)
+corenet_tcp_sendrecv_all_nodes(dkim_t)
+corenet_tcp_sendrecv_all_ports(dkim_t)
+corenet_tcp_bind_all_nodes(dkim_t)
+
+dev_read_rand(dkim_t)
+dev_read_urand(dkim_t)
+
+files_read_etc_files(dkim_t)
+
+libs_use_ld_so(dkim_t)
+libs_use_shared_libs(dkim_t)
+
+logging_send_syslog_msg(dkim_t)
+
+miscfiles_read_localization(dkim_t)
+
+sysnet_dns_name_resolve(dkim_t)
+
+kernel_read_system_state(dkim_t)
+kernel_read_sysctl(dkim_t)
+kernel_read_kernel_sysctls(dkim_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 12aed73..d2f0a27 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -245,6 +262,10 @@ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write };
+
########################################
#
# Postfix local local policy
@@ -554,6 +575,15 @@ optional_policy(`
')
optional_policy(`
+ clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ dkim_stream_connect(postfix_smtpd_t)
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
sasl_connect(postfix_smtpd_t)
')
--
Someone will try to honk your nose today.
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
On Wed, 2009-07-01 at 10:58 -0500, Manoj Srivastava wrote:
> Hi,
>
> This is from Russell Cokers policy for Debian systems.
We have a milter policy. Can this be updated to leverage
milter_template()?
> diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
> new file mode 100644
> index 0000000..a4d7846
> --- /dev/null
> +++ b/policy/modules/services/dkim.fc
> @@ -0,0 +1,6 @@
> +/etc/dkim(/.*)? gen_context(system_u:object_r:dkim_etc_t,s0)
> +/etc/dkim-filter.conf -- gen_context(system_u:object_r:dkim_etc_t,s0)
> +
> +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_exec_t,s0)
> +
> +/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_var_run_t,s0)
> diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if
> new file mode 100644
> index 0000000..4ff2c40
> --- /dev/null
> +++ b/policy/modules/services/dkim.if
> @@ -0,0 +1,20 @@
> +## <summary>DKIM Milter - add and validate public key signatures on email</summary>
> +
> +########################################
> +## <summary>
> +## Connect to dkim-milter.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to connect.
> +## </summary>
> +## </param>
> +#
> +interface(`dkim_stream_connect',`
> + gen_require(`
> + type dkim_t, dkim_var_run_t;
> + ')
> +
> + stream_connect_pattern($1,dkim_var_run_t,dkim_var_run_t,dkim_t)
> +')
> +
> diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
> new file mode 100644
> index 0000000..62c9a64
> --- /dev/null
> +++ b/policy/modules/services/dkim.te
> @@ -0,0 +1,64 @@
> +
> +policy_module(dkim,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# Main dkim domain
> +type dkim_t;
> +type dkim_exec_t;
> +init_daemon_domain(dkim_t, dkim_exec_t)
> +
> +# configuration files
> +type dkim_etc_t;
> +files_type(dkim_etc_t)
> +
> +# pid files
> +type dkim_var_run_t;
> +files_pid_file(dkim_var_run_t)
> +manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)
> +
> +########################################
> +#
> +# dkim local policy
> +#
> +
> +allow dkim_t self:capability { setgid setuid };
> +allow dkim_t self:fifo_file rw_fifo_file_perms;
> +allow dkim_t self:unix_stream_socket create_stream_socket_perms;
> +allow dkim_t self:tcp_socket { listen accept };
> +files_search_tmp(dkim_t)
> +
> +# configuration files
> +allow dkim_t dkim_etc_t:dir list_dir_perms;
> +read_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
> +read_lnk_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
> +
> +manage_sock_files_pattern(dkim_t,dkim_var_run_t,dkim_var_run_t)
> +
> +corenet_all_recvfrom_unlabeled(dkim_t)
> +corenet_all_recvfrom_netlabel(dkim_t)
> +corenet_tcp_sendrecv_all_if(dkim_t)
> +corenet_tcp_sendrecv_all_nodes(dkim_t)
> +corenet_tcp_sendrecv_all_ports(dkim_t)
> +corenet_tcp_bind_all_nodes(dkim_t)
> +
> +dev_read_rand(dkim_t)
> +dev_read_urand(dkim_t)
> +
> +files_read_etc_files(dkim_t)
> +
> +libs_use_ld_so(dkim_t)
> +libs_use_shared_libs(dkim_t)
> +
> +logging_send_syslog_msg(dkim_t)
> +
> +miscfiles_read_localization(dkim_t)
> +
> +sysnet_dns_name_resolve(dkim_t)
> +
> +kernel_read_system_state(dkim_t)
> +kernel_read_sysctl(dkim_t)
> +kernel_read_kernel_sysctls(dkim_t)
> diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
> index 12aed73..d2f0a27 100644
> --- a/policy/modules/services/postfix.te
> +++ b/policy/modules/services/postfix.te
> @@ -245,6 +262,10 @@ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
>
> corecmd_exec_bin(postfix_cleanup_t)
>
> +# for milters - may be a bug in postfix
> +allow postfix_cleanup_t postfix_smtpd_t:fd use;
> +allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write };
> +
> ########################################
> #
> # Postfix local local policy
> @@ -554,6 +575,15 @@ optional_policy(`
> ')
>
> optional_policy(`
> + clamav_stream_connect(postfix_smtpd_t)
> +')
> +
> +optional_policy(`
> + dkim_stream_connect(postfix_smtpd_t)
> + dkim_stream_connect(postfix_cleanup_t)
> +')
> +
> +optional_policy(`
> sasl_connect(postfix_smtpd_t)
> ')
>
>
> --
> Someone will try to honk your nose today.
> Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
> 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150