[selinux-policy: 2130/3172] trunk: Greylist milter from Paul Howarth.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:08:59 UTC 2010


commit c9c0d846de2488c9f98ec1bceaecb709af713889
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 18 14:36:35 2009 +0000

    trunk: Greylist milter from Paul Howarth.

 Changelog                         |    1 +
 policy/modules/services/milter.fc |   15 ++++++++++-----
 policy/modules/services/milter.te |   34 ++++++++++++++++++++++++++++++++--
 3 files changed, 43 insertions(+), 7 deletions(-)
---
diff --git a/Changelog b/Changelog
index 2e91113..6a80952 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Greylist milter from Paul Howarth.
 - Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 8528050..55a3e2f 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,8 +1,13 @@
+/usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
+/usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
-/usr/sbin/spamass-milter			--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
 
-/var/lib/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_state_t,s0)
-/var/run/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/var/run/spamass-milter\.pid			--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid	--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)?		gen_context(system_u:object_r:regex_milter_data_t,s0)
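Review bot: `/var/lib/milter-greylist(/.*)?` is labelled greylist_milter_data_t, the same type as the new /var/run entries, whereas the existing spamass-milter lines keep /var/lib under a separate spamass_milter_state_t and reserve spamass_milter_data_t for /var/run. If the greylist database kept under /var/lib is meant to persist across runs, a dedicated state type on that line (following the spamass naming, e.g. a `greylist_milter_state_t` declared with files_type as spamass_milter_state_t is) would keep the two milters consistent and separate long-lived data from runtime files; if a single type is deliberate, a short comment on the /var/lib line saying so would prevent the next reader asking the same question. Whether milter-greylist actually keeps persistent state there cannot be confirmed from this hunk.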
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index cedcf41..755da96 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
 
-policy_module(milter, 1.0.1)
+policy_module(milter, 1.0.2)
 
 ########################################
 #
@@ -10,7 +10,8 @@ policy_module(milter, 1.0.1)
 attribute milter_domains;
 attribute milter_data_type;
 
-# currently-supported milters are milter-regex and spamass-milter
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
 
@@ -22,6 +23,35 @@ files_type(spamass_milter_state_t)
 
 ########################################
 #
+# milter-greylist local policy
+#   ensure smtp clients retry mail like real MTAs and not spamware
+#   http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t);
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+########################################
+#
 # milter-regex local policy
 #   filter emails using regular expressions
 #   http://www.benzedrine.cx/milter-regex.html
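Review bot: `files_search_var_lib(greylist_milter_t);` carries a trailing semicolon that none of the other interface calls in this hunk have; it should read `files_search_var_lib(greylist_milter_t)`. Interface calls are m4 macros that expand to complete rules, so the stray `;` is at best inconsistent with the rest of the file and may not survive the policy compiler once expanded — I have not verified how checkpolicy treats it. Separately, the comment above the capability rule says the daemon removes an existing socket while still running as root, but the only file transition added is `files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)` for the pid file; if the listening socket is created directly under /var/run rather than inside /var/run/milter-greylist, it would not receive greylist_milter_data_t, which is worth confirming against the daemon's default socket path (not shown here).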

