From: Stefan Schulze Frielinghaus <stefan@seekline.net>
To: Paul Howarth <paul@city-fan.org>
Cc: selinux@tycho.nsa.gov, "Christopher J. PeBenito" <cpebenito@tresys.com>
Subject: Re: [refpolicy] new policy for dkim-filter
Date: Fri, 11 Sep 2009 10:20:31 +0200
Message-ID: <1252657231.2491.18.camel@vogon.seekline.net>
In-Reply-To: <1252655581.2491.12.camel@vogon.seekline.net>


On Fri, 2009-09-11 at 09:53 +0200, Stefan Schulze Frielinghaus wrote:
> On Thu, 2009-09-10 at 23:27 +0100, Paul Howarth wrote:
> > On Thu, 10 Sep 2009 23:50:48 +0200
> > Stefan Schulze Frielinghaus <stefan@seekline.net> wrote:
> > 
> > > On Thu, 2009-09-10 at 22:39 +0200, Stefan Schulze Frielinghaus wrote:
> > > > On Thu, 2009-09-10 at 21:04 +0100, Paul Howarth wrote:
> > > > > On Thu, 10 Sep 2009 21:40:56 +0200
> > > > > Stefan Schulze Frielinghaus <stefan@seekline.net> wrote:
> > > > > 
> > > > > > Attached is a new policy for the dkim-filter application.
> > > > > > 
> > > > > > Chris, is the policy OK/ready for merge?
> > > > > 
> > > > > I think it would be better to merge it with the milter policy.
> > > > > That would then need no changes to the sendmail policy and the
> > > > > milter should work with postfix too.
> > > > 
> > > > Oh sure, milter_template() is far better for this. I wasn't aware of
> > > > such a template. I will have a look at it and send a corrected
> > > > version.
> > > 
> > > And here we are. Since the milter_template() is pretty
> > > straightforward I guess we are done now. Thanks again for the tip.
> > > 
> > > DKIM-Filter runs fine for me with the new milter policy.
> > 
> > Given that the upstream project is called dkim-milter (albeit the
> > milter part is called dkimfilter), I think the dkimfilter_milter_*
> > types would be better named as just dkim_milter_*.
> 
> I was unsure about that. The upstream project is called dkim-milter
> indeed but they seem to distinguish between the library and the filter.
> Here is a quote from the README:
> 
> "This package consists of a library that implements the DKIM service and
> a milter-based filter application that can plug in to the sendmail
> MTA ..."
> 
> So in a strict sense they provide a library and a filter. Nevertheless I
> changed it.
> 
> Attached is a new diff with dkim_milter_* types.

Argl, forgot to change "dkim_private_key_t" to
"dkim_milter_private_key_t". Seriously this should be the last commit :D

Tested attached policy again on CentOS 5.3 with strict policy.

[-- Attachment #2: milter.diff --]
[-- Type: text/x-patch, Size: 2983 bytes --]

diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..d4494bc 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,10 +1,14 @@
+/usr/sbin/dkim-filter		--	gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
+/var/db/dkim(/.*)?			gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
 /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
 
+/var/run/dkim-filter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
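Review bot: the `-/usr/sbin/milter-regex` / `+/usr/sbin/milter-regex` pair is a whitespace-only realignment that has nothing to do with dkim-filter; drop it from this patch (or send it separately) so the hunk carries only the three dkim entries. On the `/var/db/dkim(/.*)?` line, note that the pattern labels the whole tree as dkim_milter_private_key_t, so anything else the package stores under that directory (selector tables, per-domain config) inherits the private-key label; confirm that only signing keys live there, otherwise label the key files specifically rather than the directory.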
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index ff7cebc..88be485 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
 
-policy_module(milter, 1.1.0)
+policy_module(milter, 1.2.0)
 
 ########################################
 #
@@ -10,11 +10,16 @@ policy_module(milter, 1.1.0)
 attribute milter_domains;
 attribute milter_data_type;
 
-# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+# currently-supported milters are dkim-filter, milter-greylist, milter-regex and spamass-milter
+milter_template(dkim)
 milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
 
+# Type for the private key of dkim-filter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
 # Type for the spamass-milter home directory, under which spamassassin will
 # store system-wide preferences, bayes databases etc. if not configured to
 # use per-user configuration
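Review bot: dkim_milter_private_key_t is declared with plain files_type(), which puts the DKIM signing key in the same class as ordinary data files, so any domain granted one of the broad "read all non-security files" interfaces can read it. Since the key is exactly the secret this policy exists to protect, consider declaring it with files_security_file() instead (if your refpolicy revision provides it), so it is excluded from those interfaces, and extend the comment above the type to say it covers the private signing keys under /var/db/dkim.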
@@ -23,6 +28,25 @@ files_type(spamass_milter_state_t)
 
 ########################################
 #
+# dkim local policy
+#   DomainKeys Identified Mail sender authentication
+#   http://sourceforge.net/projects/dkim-milter/
+#
+
+allow dkim_milter_t self:capability { setgid setuid };
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+files_read_etc_files(dkim_milter_t)
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+dev_read_urand(dkim_milter_t)
+
+########################################
+#
 # milter-greylist local policy
 #   ensure smtp clients retry mail like real MTAs and not spamware
 #   http://hcpnet.free.fr/milter-greylist/
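Review bot: `allow dkim_milter_t self:capability { setgid setuid };` has no comment explaining why the milter needs to change uid/gid; add a one-line note that dkim-filter drops privileges to its configured user after startup, and confirm from the audit log that both capabilities are actually exercised rather than carried over from another milter block. The `read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)` rule correctly grants read-only access to the key directory and files; keep it that way and do not add write or create rules for that type later, so a compromised milter cannot replace or overwrite the signing key.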

Thread overview: 18+ messages
2009-09-10 19:40 [refpolicy] new policy for dkim-filter Stefan Schulze Frielinghaus
2009-09-10 20:04 ` Paul Howarth
2009-09-10 20:39   ` Stefan Schulze Frielinghaus
2009-09-10 21:50     ` Stefan Schulze Frielinghaus
2009-09-10 22:27       ` Paul Howarth
2009-09-11  7:53         ` Stefan Schulze Frielinghaus
2009-09-11  8:20           ` Stefan Schulze Frielinghaus [this message]
2009-09-11 12:30             ` Chris PeBenito
2009-09-11 12:46               ` Stefan Schulze Frielinghaus
2009-09-11 14:22               ` Stefan Schulze Frielinghaus
2009-09-11 15:18                 ` Paul Howarth
2009-09-12 12:49                   ` Stefan Schulze Frielinghaus
2009-09-12 14:58                     ` Stefan Schulze Frielinghaus
2009-09-14 13:01                   ` Christopher J. PeBenito
2009-09-14 13:41                     ` Paul Howarth
2009-09-15 13:39                       ` Christopher J. PeBenito
2009-09-16 15:32                         ` Stefan Schulze Frielinghaus
2009-09-17 13:12                           ` Christopher J. PeBenito