On Mon, 2008-06-09 at 16:25 +0100, Paul Howarth wrote:
> Hi,
>
> attached is a patch based on local policy I'm using on Fedora 9 to support two "milter" mail filter daemons in conjunction with sendmail, namely spamass-milter and milter-regex (I maintain the packages for both of these in Fedora).
>
> I've taken the view that most milter applications will have similar requirements and so I've created a milter_template interface that contains most of what's needed, and then added the specifics that are needed on top of the generic stuff for each application.
>
> However, as I'm by no means an SELinux expert, there are a number of things I'm unsure about:
>
> 1. In a situation where sendmail is the running MTA on a system, what is the difference between sendmail_t and system_mail_t?
>
> 2. MTAs other than sendmail (postfix comes to mind) can also use milters, but as I don't have any boxes running postfix, I don't know what I'd need to add to postfix policy to support milters.
>
> 3. Fedora 9 has an interface spamassassin_domtrans_spamc that I used in my local policy. It doesn't appear to be present in refpolicy; what would be the right thing to use for a daemon calling spamc?
>
> 4. I cribbed the milter_port_t stuff from the only example I could find, and it's probably wrong. What would be the correct way of defining this?
>
> 5. Is the use of a template for these applications a sane way to do it?
>
> Paul.
>
> plain text document attachment (milters.patch)
> Index: policy/modules/services/milters.te
> ===================================================================
> --- policy/modules/services/milters.te (revision 0)
> +++ policy/modules/services/milters.te (revision 0)
> @@ -0,0 +1,44 @@ > +policy_module(milters,0.0.7) > + > +require { > + attribute port_type; > +} > + > +type milter_port_t, port_type; This declaration would move to corenetwork > +#============= milter-regex policy ============== > +milter_template(regex) As I mentioned before, it doesn't look like a template is needed, unless you think there will be many more milter domains. Then put all the declarations in a section. > +# Config is in /etc/mail/milter-regex.conf > +mta_read_config(milter_regex_t) > + > +# The milter creates a socket in /var/spool/milter-regex/ > +# for communication with sendmail > +files_search_spool(milter_regex_t) > +manage_sock_files_pattern(milter_regex_t,milter_regex_spool_t,milter_regex_spool_t) If the /var/spool/milter-regex directory can be created by the milter, then there should be a files_spool_filetrans(). If you think templates are warranted, then it would seem that this should go into the template > + > +# It removes any existing socket (not owned by root) whilst running > as root > +# and then calls setgid() and setuid() to drop privileges > +allow milter_regex_t self:capability { setuid setgid dac_override }; > + > + > +#============= spamass-milter policy ============== > +milter_template(spamass) > + > +# The milter creates a socket in /var/run/spamass-milter/ > +# for communication with sendmail > +manage_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t) > +manage_sock_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t) > + > +# The main job of the milter is to pipe spam through spamc and act on > the result > +# > +# The spamassassin_domtrans_spamc interface in Fedora 9 ??? 
> +#spamassassin_domtrans_spamc(milter_spamass_t) > + > +# When used with -b or -B options, the milter invokes sendmail to > send mail > +# to a spamtrap address, using popen() > +corecmd_exec_shell(milter_spamass_t) > +corecmd_read_bin_symlinks(milter_spamass_t) > +corecmd_search_bin(milter_spamass_t) > +kernel_read_system_state(milter_spamass_t) > +mta_send_mail(milter_spamass_t) Similar comments as the previous domain. > --- policy/modules/services/sendmail.te (revision 2710) > +++ policy/modules/services/sendmail.te (working copy) > @@ -112,6 +112,14 @@ > ') > > optional_policy(` > + milter_regex_stream_connect(sendmail_t) > +') > + > +optional_policy(` > + milter_spamass_stream_connect(sendmail_t) > +') Perhaps this should be a single milter_stream_connect_all(), since it seems like sendmail would want to connect to all milters. > --- policy/modules/services/milters.fc (revision 0) > +++ policy/modules/services/milters.fc (revision 0) 
> @@ -0,0 +1,14 @@ > +#================= contexts for milter-regex ================= > + > +/usr/sbin/milter-regex -- gen_context(system_u:object_r:milter_regex_exec_t,s0) > + > +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:milter_regex_spool_t,s0) > + > +#================= contexts for spamass-milter ================= > + > +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:milter_spamass_exec_t,s0) > + > +/var/run/spamass-milter > \.pid -- gen_context(system_u:object_r:milter_spamass_var_run_t,s0) > +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:milter_spamass_var_run_t,s0) The comments don't really add anything here IMO. > +template(`milter_template',` [...] > + # This type is for pidfiles etc. > + type milter_$1_var_run_t; > + files_type(milter_$1_var_run_t); > + > + # This type is for spool/cache data etc. > + type milter_$1_cache_t; > + files_type(milter_$1_cache_t); > + > + # This type is for spool/cache data etc. > + type milter_$1_spool_t; > + files_type(milter_$1_spool_t); > + > + # This type is for state data etc. > + type milter_$1_var_lib_t; > + files_type(milter_$1_var_lib_t); Most of these types aren't used, so they should be dropped. > +interface(`milter_spamass_stream_connect',` > + gen_require(` > + type milter_spamass_var_run_t, milter_spamass_t; > + ') > + stream_connect_pattern($1,milter_spamass_var_run_t,milter_spamass_var_run_t,milter_spamass_t) > +') > + Missing a files_search_spool(). Interface name needs to be fixed [1]. > +interface(`milter_spamass_rw_stream_sockets',` > + gen_require(` > + type milter_spamass_t; > + ') > + > + allow $1 milter_spamass_t:unix_stream_socket { read write }; > +') Interface naming fix. > +interface(`milter_regex_stream_connect',` > + gen_require(` > + type milter_regex_spool_t, milter_regex_t; > + ') > + stream_connect_pattern($1,milter_regex_spool_t,milter_regex_spool_t,milter_regex_t) > +') Also missing a files_search_spool() and interface naming fix. 
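Review bot: in the milters.te hunk, milter_spamass_t gets manage_files_pattern() and manage_sock_files_pattern() on milter_spamass_var_run_t, but nothing lets it search /var/run or create /var/run/spamass-milter/ and its pid file with the right label, so a daemon that creates them itself will end up with var_run_t objects or a denial. If it does create them, add `files_search_pids(milter_spamass_t)` and `files_pid_filetrans(milter_spamass_t, milter_spamass_var_run_t, { dir file sock_file })`, mirroring the files_spool_filetrans() point already raised for milter_regex_t. The `self:capability { setuid setgid dac_override }` line for milter_regex_t also deserves a second look: dac_override is only needed for unlinking the stale socket if /var/spool/milter-regex is owned by the unprivileged milter user rather than root, so state that ownership assumption in the comment, and drop the capability if the directory is root-owned.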
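Review bot: in the sendmail.te hunk, the two optional_policy() blocks both depend on the same milters module, so they should be a single block rather than two. Whatever the final interface names, sendmail_t will also need to search the parent directories of the sockets (/var/spool for milter-regex, /var/run for spamass-milter); stream_connect_pattern() only grants search on the milter's own directory type, so without files_search_spool()/files_search_pids() either inside the connect interfaces or next to these calls, the connect fails at the directory lookup even though the sock_file rule is present.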
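Review bot: in the milters.if hunk, none of the visible interfaces (milter_spamass_stream_connect, milter_spamass_rw_stream_sockets, milter_regex_stream_connect) carry the `## <summary>` and `## <param>` XML doc comments that refpolicy requires on every interface; add them along with the naming fix from [1]. The "missing search" point should be made precise per interface: milter_spamass_stream_connect() needs `files_search_pids($1)`, because the fc hunk puts its socket under /var/run, while milter_regex_stream_connect() needs `files_search_spool($1)`, because its socket is under /var/spool. The stream_connect_pattern() calls themselves are consistent with the fc hunk, which labels the socket directory and the socket with the same type.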
[1] http://oss.tresys.com/projects/refpolicy/wiki/InterfaceNaming

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150