Re: [refpolicy] new policy for dkim-filter

On Fri, 2009-09-11 at 08:30 -0400, Chris PeBenito wrote:
> On Fri, 2009-09-11 at 10:20 +0200, Stefan Schulze Frielinghaus wrote:
> > > > > > > On Thu, 10 Sep 2009 21:40:56 +0200
> > > > > > > Stefan Schulze Frielinghaus <stefan@xxxxxxxxxxxx> wrote:
> > > > > > > 
> > > > > > > > Attached is a new policy for the dkim-filter application.
> > > > > > > > 
> > > > > > > > Chris, is the policy OK/ready for merge?
> 
> > Tested attached policy again on CentOS 5.3 with strict policy.
> 
> It looks ok.  However I'm starting to get concerned about the milter
> module getting big.  If you want, say the spamassassin milter, you add
> the milter module... but then you get rules for several other milters
> too.

Attached is a milter version which behaves like the apache_template(). I
only took care of the dkim-milter but in general this would only mean
some reorganization of all modules ... nothing more. Any cons about
that?

If this would be the right way then we could also talk about the
milter_template() naming convention:

type $1_milter_t

The apache_template generates slightly different type names:

type httpd_$1_script_t

What about changing $1_milter_t to milter_$1_t?

/usr/sbin/dkim-filter		--	gen_context(system_u:object_r:dkim_milter_exec_t,s0)

/var/db/dkim(/.*)?			gen_context(system_u:object_r:dkim_milter_private_key_t,s0)

/var/run/dkim-filter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)

policy_module(dkim-milter, 1.0.0)

########################################
#
# Declarations
#

milter_template(dkim)

# Type for the private key of dkim-filter
type dkim_milter_private_key_t;
files_type(dkim_milter_private_key_t)

########################################
#
# Local policy
#

allow dkim_milter_t self:capability { setgid setuid };

read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)

files_read_etc_files(dkim_milter_t)

kernel_read_kernel_sysctls(dkim_milter_t)

sysnet_dns_name_resolve(dkim_milter_t)

dev_read_urand(dkim_milter_t)

## <summary>Milter mail filters</summary>

########################################
## <summary>
##	Create a set of derived types for various
##	mail filter applications using the milter interface.
## </summary>
## <param name="milter_name">
##	<summary>
##	The name to be used for deriving type names.
##	</summary>
## </param>
#
template(`milter_template',`
	# attributes common to all milters
	gen_require(`
		attribute milter_data_type, milter_domains;
	')

	type $1_milter_t, milter_domains;
	type $1_milter_exec_t;
	init_daemon_domain($1_milter_t, $1_milter_exec_t)
	role system_r types $1_milter_t;

	# Type for the milter data (e.g. the socket used to communicate with the MTA)
	type $1_milter_data_t, milter_data_type;
	files_type($1_milter_data_t)

	allow $1_milter_t self:fifo_file rw_fifo_file_perms;

	# Allow communication with MTA over a unix-domain socket
	# Note: usage with TCP sockets requires additional policy
	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)

	# Create other data files and directories in the data directory
	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)

	miscfiles_read_localization($1_milter_t)

	logging_send_syslog_msg($1_milter_t)
')

########################################
## <summary>
##	MTA communication with milter sockets
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`milter_stream_connect_all',`
	gen_require(`
		attribute milter_data_type, milter_domains;
	')

	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')

########################################
## <summary>
##	Allow getattr of milter sockets
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`milter_getattr_all_sockets',`
	gen_require(`
		attribute milter_data_type;
	')

	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')

policy_module(milter, 1.2.0)

########################################
#
# Declarations
#

# attributes common to all milters
attribute milter_domains;
attribute milter_data_type;
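
Added example, not part of the original post or of refpolicy: a small check that every type used in a gen_context() label is declared in the module, either directly or through milter_template(), run against the dkim policy above under both naming schemes. The sample text is copied from the attachments; the renamed exec and data types in PROPOSED are an assumption, since the message only proposes milter_$1_t.

```python
import re

# Type names derived by milter_template($1), as written in the template above.
CURRENT = ("{0}_milter_t", "{0}_milter_exec_t", "{0}_milter_data_t")
# Assumption: the proposed milter_$1_t renaming applied to all three types.
PROPOSED = ("milter_{0}_t", "milter_{0}_exec_t", "milter_{0}_data_t")

# Sample input constructed from the .te and .fc attachments above.
TE = """
milter_template(dkim)
# Type for the private key of dkim-filter
type dkim_milter_private_key_t;
files_type(dkim_milter_private_key_t)
"""
FC = """
/usr/sbin/dkim-filter      --  gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/var/db/dkim(/.*)?             gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
/var/run/dkim-filter(/.*)?     gen_context(system_u:object_r:dkim_milter_data_t,s0)
"""

def declared_types(te_text, patterns):
    """Types a .te file declares directly or through milter_template()."""
    types = set()
    for line in te_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"milter_template\(\s*(\w+)\s*\)", line)
        if m:
            types.update(p.format(m.group(1)) for p in patterns)
        m = re.match(r"type\s+(\w+)", line)
        if m:
            types.add(m.group(1))
    return types

def undeclared_labels(fc_text, types):
    """(path, type) pairs whose gen_context() type is not declared."""
    missing = []
    for line in fc_text.splitlines():
        m = re.match(r"(\S+)\s.*gen_context\(\s*\w+:\w+:(\w+)\s*,", line)
        if m and m.group(2) not in types:
            missing.append((m.group(1), m.group(2)))
    return missing

if __name__ == "__main__":
    for name, pats in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, undeclared_labels(FC, declared_types(TE, pats)))
```

Under the proposed naming the binary and socket directory labels no longer resolve, so the file contexts and the local rules naming dkim_milter_t would have to change together with the template.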
