From c9c0d846de2488c9f98ec1bceaecb709af713889 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 18 Jun 2009 14:36:35 +0000
Subject: [PATCH] trunk: Greylist milter from Paul Howarth.
---
 Changelog | 1 +
 policy/modules/services/milter.fc | 15 +++++++++-----
 policy/modules/services/milter.te | 34 +++++++++++++++++++++++++++++--
 3 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/Changelog b/Changelog
index 2e911137a..6a80952e5 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Greylist milter from Paul Howarth.
 - Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 85280508b..55a3e2f8a 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,8 +1,13 @@
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index cedcf4108..755da96ba 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
-policy_module(milter, 1.0.1)
+policy_module(milter, 1.0.2)
 ########################################
 #
@@ -10,7 +10,8 @@ policy_module(milter, 1.0.1)
 attribute milter_domains;
 attribute milter_data_type;
-# currently-supported milters are milter-regex and spamass-milter
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
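Review bot: The new `/var/lib/milter-greylist(/.*)?` entry labels the persistent greylist database greylist_milter_data_t, the same type this hunk gives the `/var/run/milter-greylist` socket directory and pid file, whereas spamass-milter keeps its /var/lib tree under a distinct spamass_milter_state_t. If milter_template (outside this diff) lets the MTA search and connect to milter_data_type directories, the database directory inherits that exposure along with the runtime socket directory. Declaring a state type in milter.te the way spamass does, `type greylist_milter_state_t;` and `files_type(greylist_milter_state_t)`, and labeling `/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_state_t,s0)` would keep the two apart. Whether the daemon then also needs manage rights on that state type depends on what the template grants, which is not visible here.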
@@ -20,6 +21,35 @@ milter_template(spamass)
 type spamass_milter_state_t;
 files_type(spamass_milter_state_t)
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t);
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
 ########################################
 #
 # milter-regex local policy
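Review bot: `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)` transitions only the pid file, while the .fc side of this commit labels the whole `/var/run/milter-greylist(/.*)?` directory greylist_milter_data_t; if the daemon creates that directory itself at startup (not determinable from this hunk) it and the socket inside it would be created as var_run_t and miss the expected label, so `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, { file dir })` is the safer form unless milter_template already provides the directory transition. `files_search_var_lib(greylist_milter_t);` is the only interface call in the block with a trailing semicolon, which leaves a bare `;` after the expanded rules; drop it for consistency with the neighbouring calls. The capability line grants `dac_override`, a bypass of file permission checks, on the strength of the comment about removing a stale socket as root; it is worth confirming from the audit log that it is genuinely needed alongside `chown` rather than carried over from a denial. `kernel_read_kernel_sysctls(greylist_milter_t)` is the one rule here with no why-comment, and a line such as `# Reads kernel sysctls (which ones: confirm from the audit log)` in the style of its neighbours would help the next maintainer.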