postgrey policy

[Russell Coker <rcoker@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 593 bytes --]

Attached is policy for the postgrey daemon for grey-listing in Postfix.

Grey-listing means giving a 45x code in response to email the first time a 
particular IP address or combination of IP address and email address attempts 
to send mail to you.  Some minutes later the mail will be received.

Spam machines generally don't re-try so greylisting stops lots of spam, and as 
long as the delay is significantly less than 4 hours (usually only a few 
minutes) someone who sends legit email will never notice any difference.

-- 
http://apac.redhat.com/disclaimer
See above URL for disclaimer.

[-- Attachment #2: postgrey.fc --]
[-- Type: text/plain, Size: 276 bytes --]

# postgrey - postfix grey-listing server
/usr/sbin/postgrey	--	system_u:object_r:postgrey_exec_t
/var/run/postgrey\.pid	--	system_u:object_r:postgrey_var_run_t
/etc/postgrey(/.*)?		system_u:object_r:postgrey_etc_t
/var/lib/postgrey(/.*)?		system_u:object_r:postgrey_var_lib_t

[-- Attachment #3: postgrey.te --]
[-- Type: text/plain, Size: 703 bytes --]

#DESC postgrey - Postfix Grey-listing server
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postgrey

daemon_domain(postgrey)

allow postgrey_t urandom_device_t:chr_file { getattr read };

# for perl
allow postgrey_t sbin_t:dir search;
allow postgrey_t usr_t:{ file lnk_file } { getattr read };
dontaudit postgrey_t usr_t:file ioctl;

allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
etcdir_domain(postgrey)

can_network(postgrey_t)
allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
allow postgrey_t proc_t:file { getattr read };

allow postgrey_t self:capability { chown setuid };

var_lib_domain(postgrey)

allow postgrey_t tmp_t:dir getattr;