On Friday 23 December 2005 22:47, Russell Coker <russell(a)coker.com.au> wrote:
On Thursday 22 December 2005 03:53, "Nicolas Mailhot" wrote:
> On Wed 21 December 2005 17:18, Russell Coker wrote:
> > The problem here is that there is no policy for greylist-milter (or any
> > other milter for that matter).
> amavis+postfix has been included in default selinux policy for quite a
> long time. I'm pretty sure the policy applies to sendmail+amavis too.
I should have thought of Amavis, I wrote a good chunk of the Amavis policy.
You are correct that it SHOULD work with Sendmail, I designed it such that
it would work with Sendmail and Qmail but I've never tested it with
anything other than Postfix.
I'll use the mta_filter_t domain that Alexey suggests and make Amavis such
a filter as well.
I've attached a first cut at the policy for the mta_filter_t, I still have
other things to do but I believe that the policy in this patch is only an
improvement over the current situation and is therefore worth merging. This
replaces the postgrey.te and postgrey.fc files as postgrey will run in the
same domain (but my patch doesn't remove those files). Note that the
ifdef(`distro_mandriva' does not imply that you would run SE Linux on
Mandriva (much more work would need to be done for that), merely that if you
want to force Mandriva packages to work on Fedora then you need to have the
policy support the directories that they choose. Mandriva seems to be the
only distribution with Postgrey RPMs.
I haven't yet got Amavis working on my test machine so the Amavis policy isn't
merged. Amavis requires some extra work because it has the daemon to get new
virus definitions (freshclam). My plan is that the daemon to get new virus
definitions will run in a separate domain and write to files that are
read-only for the mta_filter_t domain. Of course if freshclam is cracked
then you could end up with a virus definition that marks every message as
being a virus (which would be really bad), but it gives a little extra
isolation from the mail server domains. Among other things I plan to have a
boolean to determine whether the mta_filter_t domain can do TCP/UDP
networking; preventing the filter from making connections to the outside
world could be very useful.
Incidentally if someone wants to package Postgrey and Amavis for Fedora Extras
then that would be really good.
PS Alexey, I'm not sure if you want to get involved in SE Linux policy
development to the level of testing this patch out. If not then just wait a
week or so and this will become a standard policy feature.
PPS Happy holidays everyone!
My NSA Security Enhanced Linux packages
Bonnie++ hard drive benchmark
Postal SMTP/POP benchmark
My home page
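As an added illustration of the layout described in the message above (this is not the patch Russell attached, which is not reproduced here), the following reference-policy-style .te fragment runs freshclam in its own domain as the only writer of the definition files, lets mta_filter_t only read them, and gates the filter's TCP/UDP networking behind a boolean. The boolean name and the freshclam_t and virus_db_t type names are my own assumptions, and the corenet/init/files/sysnet interface names are those of the reference policy of that era and may differ in a given release.

```selinux
policy_module(mta_filter, 0.1)

## <desc>
## <p>Allow mail filters running in mta_filter_t to use TCP/UDP networking.</p>
## </desc>
gen_tunable(mta_filter_use_network, false)

# The filter domain: postgrey, amavis and other milters run here
type mta_filter_t;
type mta_filter_exec_t;
init_daemon_domain(mta_filter_t, mta_filter_exec_t)

# Separate domain for the virus-definition updater (assumed name freshclam_t)
type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)

# Virus definitions (assumed type name): the only writer is freshclam_t
type virus_db_t;
files_type(virus_db_t)

# Definitions are read-only for the filter ...
allow mta_filter_t virus_db_t:dir list_dir_perms;
allow mta_filter_t virus_db_t:file read_file_perms;
# ... and the policy build fails if any rule ever grants it write access
neverallow mta_filter_t virus_db_t:file { write append create unlink };

# freshclam owns the definitions and needs the network to fetch them
allow freshclam_t virus_db_t:dir manage_dir_perms;
allow freshclam_t virus_db_t:file manage_file_perms;
allow freshclam_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(freshclam_t)
corenet_tcp_sendrecv_all_nodes(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
sysnet_dns_name_resolve(freshclam_t)

# Networking for the filter is denied unless the boolean is enabled
tunable_policy(`mta_filter_use_network',`
	allow mta_filter_t self:tcp_socket create_stream_socket_perms;
	allow mta_filter_t self:udp_socket create_socket_perms;
	corenet_tcp_sendrecv_all_if(mta_filter_t)
	corenet_tcp_sendrecv_all_nodes(mta_filter_t)
	corenet_tcp_sendrecv_all_ports(mta_filter_t)
	corenet_tcp_connect_all_ports(mta_filter_t)
	corenet_udp_sendrecv_all_if(mta_filter_t)
	corenet_udp_sendrecv_all_nodes(mta_filter_t)
	corenet_udp_sendrecv_all_ports(mta_filter_t)
	sysnet_dns_name_resolve(mta_filter_t)
')
```

With the boolean left at its default of false, a compromised filter in mta_filter_t has neither write access to the definitions nor a path to the outside world, and the neverallow makes the first property a build-time check rather than a convention.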