On Fri, 2008-06-13 at 13:51 +0100, Paul Howarth wrote: > Paul Howarth wrote: > > attached is a patch based on local policy I'm using on Fedora 9 to > > support two "milter" mail filter daemons in conjunction with sendmail, > > namely spamass-milter and milter-regex (I maintain the packages for both > > of these in Fedora). > > > > I've taken the view that most milter applications will have similar > > requirements and so I've created a milter_template interface that > > contains most of what's needed, and then added the specifics that are > > needed on top of the generic stuff for each application. > > > > However, as I'm by no means an selinux expert, there are a number of > > things I'm unsure about: > > > > 1. In a situation where sendmail is the running MTA on a system, what is > > the difference between sendmail_t and system_mail_t? The former is the server process, the latter is the client. In the past sendmail_t was also used in the client sense in too, but we've since stuck with *_mail_t for clients with few exeptions (which I'd prefer to fix). > > 2. MTAs other than sendmail (postfix comes to mind) can also use > > milters, but as I don't have any boxes running postfix, I don't know > > what I'd need to add to postfix policy to support milters. My guess would be postfix_local_t, since that is where the procmail transition is. Someone more familiar with postfix should confirm. > > 3. Fedora 9 has an interface spamassassin_domtrans_spamc that I used in > > my local policy. It doesn't appear to be present in refpolicy; what > > would be the right thing to use for a daemon calling spamc? There isn't currently a system_spamc_t domain, and adding that along with appropriate interfaces would likely be the best choice. Current policies just execute spamc w/o transition, for example procmail, which would likely be ok for now. > > 4. I cribbed the milter_port_t stuff from the only example I could find, > > and it's probably wrong. What would be the correct way of defining this? Adding it to corenetwork. > > 5. Does the use of a template for these applications a sane way to do it? Depends. Based on what I see in your patch, I'd say no. There are only a couple rules, and there are a bunch of types declared that don't have rules. > Should I have raised this somewhere else, or in a different way? I've > had no responses either here or on fedora-selinux-list. The > spamass-milter is currently broken with SELinux enforcing on Fedora 9 > and I'd like to be able to make at least a little progress towards > fixing that. Here is fine. I can only speak for myself about not responding earlier of course, but since there was a policy patch I added it to my queue to review. There are still items in the queue before this :) -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
