From 0cf1d560188fd4152f53dff552b4b718de68c08d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Apr 21 2009 20:40:45 +0000
Subject: trunk: Milter state directory patch from Paul Howarth.
---
diff --git a/Changelog b/Changelog
index 2233075..3fae533 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Milter state directory patch from Paul Howarth.
 - Add MLS constrains for ingress/egress and secmark from Paul Moore.
 - Drop write permission from fs_read_rpc_sockets().
 - Remove unused udev_runtime_t type.
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 4634dba..8528050 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -2,5 +2,7 @@
 /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
 /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
 /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index 1155cb7..55d25cd 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -77,3 +77,24 @@ interface(`milter_getattr_all_sockets',`
 getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
 ')
+
+########################################
+##
+## Manage spamassassin milter state
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_manage_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 908cb61..cedcf41 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
-policy_module(milter, 1.0.0)
+policy_module(milter, 1.0.1)
 ########################################
 #
@@ -14,6 +14,12 @@ attribute milter_data_type;
 milter_template(regex)
 milter_template(spamass)
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
 ########################################
 #
 # milter-regex local policy
@@ -41,6 +47,10 @@ mta_read_config(regex_milter_t)
 # http://savannah.nongnu.org/projects/spamass-milt/
 #
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
 kernel_read_system_state(spamass_milter_t)
 # When used with -b or -B options, the milter invokes sendmail to send mail
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 622b4b2..50b62dd 100644
--- a/policy/modules/services/spamassassin.te
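Review bot: `milter_manage_spamass_state` is the only interface this patch exposes for `spamass_milter_state_t`, and it always hands out create/write/delete on files, directories and symbolic links together, so every caller gets the full set whether it needs it or not. The visible summary only says "Manage spamassassin milter state"; I would spell the grant out in the doc block, e.g. `## Create, read, write, and delete spamass-milter state files, directories and symbolic links.` If a caller only reads preferences or databases there, a narrower read-only interface built on `read_files_pattern` and `list_dirs_pattern` would fit least privilege better. Whether symlink management is needed at all is not evident from this patch and is worth confirming against observed denials.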
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin, 2.1.2)
+policy_module(spamassassin, 2.1.3)
 ########################################
 #
@@ -280,6 +280,11 @@ optional_policy(`
 ')
 optional_policy(`
+ # Needed for pyzor/razor called from spamd
+ milter_manage_spamass_state(spamc_t)
+')
+
+optional_policy(`
 nis_use_ypbind(spamc_t)
 ')
@@ -419,6 +424,10 @@ optional_policy(`
 ')
 optional_policy(`
+ milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
 mysql_search_db(spamd_t)
 mysql_stream_connect(spamd_t)
 ')
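Review bot: The comment `# Needed for pyzor/razor called from spamd` sits on the `spamc_t` grant in the -280 hunk, while the `spamd_t` grant in the -419 hunk has no comment at all, so the stated reason and the domain it is attached to do not match. Both domains receive the full manage set on a directory that the milter.te comment says holds system-wide preferences and bayes databases, which makes the integrity of that data depend on both the client and the daemon domain. I would give each block its own justification, e.g. `# spamd and the pyzor/razor helpers it runs keep state under /var/lib/spamass-milter` on the spamd_t block, and state separately why spamc_t needs write rather than read access. If spamc_t turns out not to need write, it should get a narrower interface.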