psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Blame milter.te

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   88fcbee47526d19193cfa16591a035950a236dac
  2.   milter.te
Blob History Raw
Chris PeBenito bbc40b5 
policy_module(milter, 1.4.0)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
########################################
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1 
# Declarations
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# attributes common to all milters
Chris PeBenito 9401ae1 
attribute milter_domains;
Chris PeBenito 9401ae1 
attribute milter_data_type;
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
Chris PeBenito 9401ae1 
milter_template(greylist)
Chris PeBenito 9401ae1 
milter_template(regex)
Chris PeBenito 9401ae1 
milter_template(spamass)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# Type for the spamass-milter home directory, under which spamassassin will
Chris PeBenito 9401ae1 
# store system-wide preferences, bayes databases etc. if not configured to
Chris PeBenito 9401ae1 
# use per-user configuration
Chris PeBenito 9401ae1 
type spamass_milter_state_t;
Chris PeBenito 9401ae1 
files_type(spamass_milter_state_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
########################################
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1 
# milter-greylist local policy
Chris PeBenito 9401ae1 
#   ensure smtp clients retry mail like real MTAs and not spamware
Chris PeBenito 9401ae1 
#   http://hcpnet.free.fr/milter-greylist/
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# It removes any existing socket (not owned by root) whilst running as root,
Chris PeBenito 9401ae1 
# fixes permissions, renices itself and then calls setgid() and setuid() to
Chris PeBenito 9401ae1 
# drop privileges
Chris PeBenito 9401ae1 
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
Chris PeBenito 9401ae1 
allow greylist_milter_t self:process { setsched getsched };
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# It creates a pid file /var/run/milter-greylist.pid
Chris PeBenito 9401ae1 
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
kernel_read_kernel_sysctls(greylist_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# Allow the milter to read a GeoIP database in /usr/share
Chris PeBenito 9401ae1 
files_read_usr_files(greylist_milter_t)
Chris PeBenito 9401ae1 
# The milter runs from /var/lib/milter-greylist and maintains files there
Chris PeBenito 9401ae1 
files_search_var_lib(greylist_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# Look up username for dropping privs
Chris PeBenito 9401ae1 
auth_use_nsswitch(greylist_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# Config is in /etc/mail/greylist.conf
Chris PeBenito 9401ae1 
mta_read_config(greylist_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
########################################
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1 
# milter-regex local policy
Chris PeBenito 9401ae1 
#   filter emails using regular expressions
Chris PeBenito 9401ae1 
#   http://www.benzedrine.cx/milter-regex.html
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# It removes any existing socket (not owned by root) whilst running as root
Chris PeBenito 9401ae1 
# and then calls setgid() and setuid() to drop privileges
Chris PeBenito 9401ae1 
allow regex_milter_t self:capability { setuid setgid dac_override };
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# The milter's socket directory lives under /var/spool
Chris PeBenito 9401ae1 
files_search_spool(regex_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# Look up username for dropping privs
Chris PeBenito 9401ae1 
auth_use_nsswitch(regex_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# Config is in /etc/mail/milter-regex.conf
Chris PeBenito 9401ae1 
mta_read_config(regex_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
########################################
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1 
# spamass-milter local policy
Chris PeBenito 9401ae1 
#   pipe emails through SpamAssassin
Chris PeBenito 9401ae1 
#   http://savannah.nongnu.org/projects/spamass-milt/
Chris PeBenito 9401ae1 
#
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# The milter runs from /var/lib/spamass-milter
Chris PeBenito 9401ae1 
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
Chris PeBenito 9401ae1 
files_search_var_lib(spamass_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
kernel_read_system_state(spamass_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# When used with -b or -B options, the milter invokes sendmail to send mail
Chris PeBenito 9401ae1 
# to a spamtrap address, using popen()
Chris PeBenito 9401ae1 
corecmd_exec_shell(spamass_milter_t)
Chris PeBenito 9401ae1 
corecmd_read_bin_symlinks(spamass_milter_t)
Chris PeBenito 9401ae1 
corecmd_search_bin(spamass_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
mta_send_mail(spamass_milter_t)
Chris PeBenito 9401ae1
Chris PeBenito 9401ae1 
# The main job of the milter is to pipe spam through spamc and act on the result
Chris PeBenito 9401ae1 
optional_policy(`
Chris PeBenito 9401ae1 
	spamassassin_domtrans_client(spamass_milter_t)
Chris PeBenito 9401ae1 
')
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.