trunk: add milter module from Paul Howarth.

Changelog

@@ -7,6 +7,8 @@
 - Remove hierarchy from portage module as it is not a good example of
   hieararchy.
 - Remove enableaudit target from modular build as semodule -DB supplants it.
+- Added modules:
+	milter (Paul Howarth)
 
 * Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
 - Debian update for NetworkManager/wpa_supplicant from Martin Orr.

policy/modules/services/milter.fc

@@ -0,0 +1,6 @@
+/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
+
+/usr/sbin/spamass-milter			--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/run/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid			--	gen_context(system_u:object_r:spamass_milter_data_t,s0)

policy/modules/services/milter.if

@@ -0,0 +1,79 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+##	Create a set of derived types for various
+##	mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`milter_template',`
+	# attributes common to all milters
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	type $1_milter_t, milter_domains;
+	type $1_milter_exec_t;
+	init_daemon_domain($1_milter_t, $1_milter_exec_t)
+	role system_r types $1_milter_t;
+
+	# Type for the milter data (e.g. the socket used to communicate with the MTA)
+	type $1_milter_data_t, milter_data_type;
+	files_type($1_milter_data_t);
+
+	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
+	# Allow communication with MTA over a unix-domain socket
+	# Note: usage with TCP sockets requires additional policy
+	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	# Create other data files and directories in the data directory
+	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	miscfiles_read_localization($1_milter_t)
+
+	logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+## <summary>
+##	MTA communication with milter sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+##	Allow getattr of milter sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+	gen_require(`
+		attribute milter_data_type;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')

policy/modules/services/milter.te

@@ -0,0 +1,55 @@
+
+policy_module(milter, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-regex and spamass-milter
+milter_template(regex)
+milter_template(spamass)
+
+########################################
+#
+# milter-regex local policy
+#   filter emails using regular expressions
+#   http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+#   pipe emails through SpamAssassin
+#   http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+spamassassin_domtrans_client(spamass_milter_t)

policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta, 2.0.0)
+policy_module(mta, 2.0.1)
 
 ########################################
 #
@@ -102,6 +102,11 @@ optional_policy(`
 	logwatch_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`
+	# newaliases runs as system_mail_t when the sendmail initscript does a restart
+	milter_getattr_all_sockets(system_mail_t)
+')
+
 optional_policy(`
 	nagios_read_tmp_files(system_mail_t)
 ')

policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix, 1.9.1)
+policy_module(postfix, 1.9.2)
 
 ########################################
 #
@@ -519,6 +519,10 @@ optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
 
+optional_policy(`
+	milter_stream_connect_all(postfix_smtp_t)
+')
+
 ########################################
 #
 # Postfix smtpd local policy

policy/modules/services/sendmail.te

@@ -1,5 +1,5 @@
 
-policy_module(sendmail, 1.8.1)
+policy_module(sendmail, 1.8.2)
 
 ########################################
 #
@@ -108,6 +108,10 @@ optional_policy(`
 	clamav_search_lib(sendmail_t)
 ')
 
+optional_policy(`
+	milter_stream_connect_all(sendmail_t)
+')
+
 optional_policy(`
 	postfix_exec_master(sendmail_t)
 	postfix_read_config(sendmail_t)

policy/modules/services/spamassassin.fc

@@ -10,7 +10,6 @@ HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)

policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin, 2.0.0)
+policy_module(spamassassin, 2.0.1)
 
 ########################################
 #