Re: [refpolicy] new policy for dkim-filter

On Fri, 2009-09-11 at 09:53 +0200, Stefan Schulze Frielinghaus wrote:
> On Thu, 2009-09-10 at 23:27 +0100, Paul Howarth wrote:
> > On Thu, 10 Sep 2009 23:50:48 +0200
> > Stefan Schulze Frielinghaus <stefan@xxxxxxxxxxxx> wrote:
> > 
> > > On Thu, 2009-09-10 at 22:39 +0200, Stefan Schulze Frielinghaus wrote:
> > > > On Thu, 2009-09-10 at 21:04 +0100, Paul Howarth wrote:
> > > > > On Thu, 10 Sep 2009 21:40:56 +0200
> > > > > Stefan Schulze Frielinghaus <stefan@xxxxxxxxxxxx> wrote:
> > > > > 
> > > > > > Attached is a new policy for the dkim-filter application.
> > > > > > 
> > > > > > Chris, is the policy OK/ready for merge?
> > > > > 
> > > > > I think it would be better to merge it with the milter policy.
> > > > > That would then need no changes to the sendmail policy and the
> > > > > milter should work with postfix too.
> > > > 
> > > > Oh sure, milter_template() is far better for this. I wasn't aware of
> > > > such a template. I will have a look at it and send a corrected
> > > > version.
> > > 
> > > And here we are. Since the milter_template() is pretty
> > > straightforward I guess we are done now. Thanks again for the tip.
> > > 
> > > DKIM-Filter runs fine for me with the new milter policy.
> > 
> > Given that the upstream project is called dkim-milter (albeit the
> > milter part is called dkimfilter), I think the dkimfilter_milter_*
> > types would be better named as just dkim_milter_*.
> 
> I was unsure about that. The upstream project is called dkim-milter
> indeed but they seem to distinguish between the library and the filter.
> Here is a quote from the README:
> 
> "This package consists of a library that implements the DKIM service and
> a milter-based filter application that can plug in to the sendmail
> MTA ..."
> 
> So in a strict sense they provide a library and a filter. Nevertheless I
> changed it.
> 
> Attached is a new diff with dkim_milter_* types.

Argl, forgot to change "dkim_private_key_t" to
"dkim_milter_private_key_t". Seriously this should be the last commit :D

Tested the attached policy again on CentOS 5.3 with strict policy.
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..d4494bc 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,10 +1,14 @@
+/usr/sbin/dkim-filter		--	gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
+/var/db/dkim(/.*)?			gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
 /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
 
+/var/run/dkim-filter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
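Review bot: the `/var/run/dkim-filter(/.*)?` entry only covers files inside that directory, whereas milter-greylist gets both `/var/run/milter-greylist(/.*)?` and `/var/run/milter-greylist\.pid`; if dkim-filter writes its pid file as `/var/run/dkim-filter.pid` rather than under the directory, it will be left as var_run_t and needs a matching line such as `/var/run/dkim-filter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)`. Likewise `/var/db/dkim(/.*)?` labels everything under that directory as dkim_milter_private_key_t, so make sure only key material lives there and not configuration that other tools need to read. The re-indentation of the milter-regex line is a whitespace-only change unrelated to dkim and would normally go in its own commit.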
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index ff7cebc..88be485 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
 
-policy_module(milter, 1.1.0)
+policy_module(milter, 1.2.0)
 
 ########################################
 #
@@ -10,11 +10,16 @@ policy_module(milter, 1.1.0)
 attribute milter_domains;
 attribute milter_data_type;
 
-# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+# currently-supported milters are dkim-filter, milter-greylist, milter-regex and spamass-milter
+milter_template(dkim)
 milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
 
+# Type for the private key of dkim-filter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
 # Type for the spamass-milter home directory, under which spamassassin will
 # store system-wide preferences, bayes databases etc. if not configured to
 # use per-user configuration
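Review bot: dkim_milter_private_key_t is declared with a plain files_type(), which also gives it the non_security_file_type attribute, so every domain granted files_read_non_security_files() or files_relabel_non_security_files() can read or relabel the signing key; if the reason for a dedicated type is to keep the key away from such broad grants, files_security_file(dkim_milter_private_key_t) is the better base. Either way, the comment above the declaration should state that the key is read-only for dkim_milter_t and not shared with the other milter domains.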
@@ -23,6 +28,25 @@ files_type(spamass_milter_state_t)
 
 ########################################
 #
+# dkim local policy
+#   DomainKeys Identified Mail sender authentication
+#   http://sourceforge.net/projects/dkim-milter/
+#
+
+allow dkim_milter_t self:capability { setgid setuid };
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+files_read_etc_files(dkim_milter_t)
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+dev_read_urand(dkim_milter_t)
+
+########################################
+#
 # milter-greylist local policy
 #   ensure smtp clients retry mail like real MTAs and not spamware
 #   http://hcpnet.free.fr/milter-greylist/
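Review bot: the `allow dkim_milter_t self:capability { setgid setuid };` line carries no justification; if it is there because dkim-filter drops to an unprivileged user after start (its option for running as a non-root user), say so in a comment, and note that resolving that user in /etc/passwd is what files_read_etc_files() covers here, while auth_use_nsswitch() is the usual interface if users may come from NIS/LDAP. The interface calls are also out of the conventional refpolicy order (kernel layer first, then alphabetical by module), so kernel_read_kernel_sysctls and dev_read_urand should precede files_read_etc_files, with sysnet_dns_name_resolve last.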
