On Thu, 2009-09-10 at 22:39 +0200, Stefan Schulze Frielinghaus wrote: > On Thu, 2009-09-10 at 21:04 +0100, Paul Howarth wrote: > > On Thu, 10 Sep 2009 21:40:56 +0200 > > Stefan Schulze Frielinghaus <stefan@xxxxxxxxxxxx> wrote: > > > > > Attached is a new policy for the dkim-filter application. > > > > > > Chris, is the policy OK/ready for merge? > > > > I think it would be better to merge it with the milter policy. That > > would then need no changes to the sendmail policy and the milter should > > work with postfix too. > > Oh sure, milter_template() is far better for this. I wasn't aware of > such a template. I will have a look at it and send a corrected version. And here we are. Since the milter_template() is pretty straightforward I guess we are done now. Thanks again for the tip. DKIM-Filter runs fine for me with the new milter policy.
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..d4494bc 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,10 +1,14 @@
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkimfilter_milter_exec_t,s0)
 /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
 /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkimfilter_private_key_t,s0)
+
 /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
 
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkimfilter_milter_data_t,s0)
 /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index ff7cebc..88be485 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
-policy_module(milter, 1.1.0)
+policy_module(milter, 1.2.0)
 
 ########################################
 #
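Review bot: The `/usr/sbin/milter-regex` entry is removed and re-added with identical visible text, which suggests a whitespace-only change (likely tab versus space before `--`); it is unrelated to dkim-filter and would be clearer as a separate commit or dropped from this one. Also `/var/run/dkim-filter(/.*)?` only labels a subdirectory of /var/run, whereas milter-greylist has both a directory entry and `/var/run/milter-greylist\.pid`; if dkim-filter writes its pid file or socket directly under /var/run, that object would get the generic pid-directory label rather than dkimfilter_milter_data_t. In that case an entry such as `/var/run/dkim-filter\.pid -- gen_context(system_u:object_r:dkimfilter_milter_data_t,s0)` would be needed — worth confirming against the daemon's default configuration before merging.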
@@ -10,11 +10,16 @@ policy_module(milter, 1.1.0)
 attribute milter_domains;
 attribute milter_data_type;
 
-# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+# currently-supported milters are dkim-filter, milter-greylist, milter-regex and spamass-milter
+milter_template(dkimfilter)
 milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
 
+# Type for the private key of dkim-filter
+type dkimfilter_private_key_t;
+files_type(dkimfilter_private_key_t)
+
 # Type for the spamass-milter home directory, under which spamassassin will
 # store system-wide preferences, bayes databases etc. if not configured to
 # use per-user configuration
@@ -23,6 +28,25 @@ files_type(spamass_milter_state_t)
 
 ########################################
 #
+# dkimfilter local policy
+# DomainKeys Identified Mail sender authentication
+# http://sourceforge.net/projects/dkim-milter/
+#
+
+allow dkimfilter_milter_t self:capability { setgid setuid };
+
+read_files_pattern(dkimfilter_milter_t, dkimfilter_private_key_t, dkimfilter_private_key_t)
+
+files_read_etc_files(dkimfilter_milter_t)
+
+kernel_read_kernel_sysctls(dkimfilter_milter_t)
+
+sysnet_dns_name_resolve(dkimfilter_milter_t)
+
+dev_read_urand(dkimfilter_milter_t)
+
+########################################
+#
 # milter-greylist local policy
 # ensure smtp clients retry mail like real MTAs and not spamware
 # http://hcpnet.free.fr/milter-greylist/
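Review bot: `files_type(dkimfilter_private_key_t)` gives the signing key the generic file_type attribute, so every domain granted a blanket read interface over that attribute (for example files_read_all_files()) can read the private key as well, which is broader than the comment "Type for the private key of dkim-filter" suggests. If that exposure is accepted, the declaration comment should say so, e.g. `# Type for the private key of dkim-filter; files_type() makes it readable by any domain with generic file_type read access`. The comment line above the milter_template() calls lists the supported milters but not what the new private-key type is for, so keeping the two comments adjacent would help readers of this declarations section.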
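Review bot: `allow dkimfilter_milter_t self:capability { setgid setuid };` carries no comment explaining why the milter needs both capabilities; presumably it drops root to an unprivileged user at startup, which deserves a why-comment such as `# dkim-filter switches to an unprivileged user after startup (presumably; confirm against its configuration)`. The `read_files_pattern(dkimfilter_milter_t, dkimfilter_private_key_t, dkimfilter_private_key_t)` rule only covers objects already labelled dkimfilter_private_key_t, but reaching /var/db/dkim also requires search on /var/db itself; unless milter_template() already grants that, `files_search_var(dkimfilter_milter_t)` is needed, which an audit-log check of the daemon in permissive mode would confirm. The blank lines between each interface call differ from the denser style of the neighbouring milter-greylist section, so matching that spacing would keep the file consistent.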