* [refpolicy] Policy for milter-greylist
@ 2009-06-03 10:42 Paul Howarth
  2009-06-18 14:37 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Howarth @ 2009-06-03 10:42 UTC (permalink / raw)
  To: refpolicy

Patch attached. I'm using this myself and policy is already added in Fedora.

Paul.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: milter-greylist.patch
Type: text/x-patch
Size: 2556 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090603/2547a367/attachment.bin 


* [refpolicy] Policy for milter-greylist
  2009-06-03 10:42 [refpolicy] Policy for milter-greylist Paul Howarth
@ 2009-06-18 14:37 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2009-06-18 14:37 UTC (permalink / raw)
  To: refpolicy

On Wed, 2009-06-03 at 11:42 +0100, Paul Howarth wrote:
> Patch attached. I'm using this myself and policy is already added in
> Fedora.

Merged.

> Index: policy/modules/services/milter.te
> ===================================================================
> --- policy/modules/services/milter.te   (revision 2991)
> +++ policy/modules/services/milter.te   (working copy)
> @@ -10,7 +10,8 @@
>  attribute milter_domains;
>  attribute milter_data_type;
>  
> -# currently-supported milters are milter-regex and spamass-milter
> +# currently-supported milters are milter-greylist, milter-regex and
> spamass-milter
> +milter_template(greylist)
>  milter_template(regex)
>  milter_template(spamass)
>  
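Review bot: The updated comment at the top of this milter.te hunk has wrapped, leaving `spamass-milter` on a line of its own with no leading `#`. Applied as shown, that line is a bare token in the policy source rather than part of the comment. Break the comment deliberately across two `#` lines, or keep it on one line, so the list of supported milters survives mail transport intact.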
> @@ -22,6 +23,35 @@
>  
>  ########################################
>  #
> +# milter-greylist local policy
> +#   ensure smtp clients retry mail like real MTAs and not spamware
> +#   http://hcpnet.free.fr/milter-greylist/
> +#
> +
> +# Look up username for dropping privs
> +auth_use_nsswitch(greylist_milter_t)
> +
> +# It creates a pid file /var/run/milter-greylist.pid
> +files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
> +
> +# It removes any existing socket (not owned by root) whilst running
> as root,
> +# fixes permissions, renices itself and then calls setgid() and
> setuid() to
> +# drop privileges
> +kernel_read_kernel_sysctls(greylist_milter_t)
> +allow greylist_milter_t self:capability { chown dac_override setgid
> setuid sys_nice };
> +allow greylist_milter_t self:process { setsched getsched };
> +
> +# Allow the milter to read a GeoIP database in /usr/share
> +files_read_usr_files(greylist_milter_t)
> +
> +# The milter runs from /var/lib/milter-greylist and maintains files
> there
> +files_search_var_lib(greylist_milter_t);
> +
> +# Config is in /etc/mail/greylist.conf
> +mta_read_config(greylist_milter_t)
> +
> +########################################
> +#
>  # milter-regex local policy
>  #   filter emails using regular expressions
>  #   http://www.benzedrine.cx/milter-regex.html
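Review bot: In the `allow greylist_milter_t self:capability` rule, `dac_override` is the grant that most needs a stated justification, and the comment above the rule does not say which step requires it. The comment accounts for `chown` (fixing permissions), `sys_nice` (renicing) and `setgid`/`setuid` (dropping privileges); if `dac_override` is there for removing an existing socket not owned by root, say so next to the rule so it can be revisited if the socket's location or ownership changes. The comment on `files_search_var_lib` says the milter maintains files under /var/lib/milter-greylist, yet this hunk grants only search access there, so a short note on where the manage permission for greylist_milter_data_t comes from would help. Minor style point: `files_search_var_lib(greylist_milter_t);` carries a trailing semicolon that the other interface calls in this hunk do not.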
> Index: policy/modules/services/milter.fc
> ===================================================================
> --- policy/modules/services/milter.fc   (revision 2991)
> +++ policy/modules/services/milter.fc   (working copy)
> @@ -1,3 +1,9 @@
> +/usr/sbin/milter-greylist                      --      gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> +
> +/var/lib/milter-greylist(/.*)?                         gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/run/milter-greylist(/.*)?                         gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/run/milter-greylist
> \.pid                  --      gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +
>  /usr/sbin/milter-regex                         --      gen_context(system_u:object_r:regex_milter_exec_t,s0)
>  /var/spool/milter-regex(/.*)?                          gen_context(system_u:object_r:regex_milter_data_t,s0)
>  
> 
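Review bot: The new milter.fc entries label the persistent state under /var/lib/milter-greylist, the runtime directory under /var/run/milter-greylist and the pid file all as greylist_milter_data_t, so any rule written against that type applies to all three. That matches the `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)` line in milter.te, but a one-line comment in the .fc file saying the shared type is intentional would save the next reader from wondering whether a separate runtime type was overlooked. Also, the `/var/run/milter-greylist\.pid` entry is split across two lines in this copy of the patch; it has to be a single line for the path regex and its `--` file-type specifier to stay together.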
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
