* postgrey policy
@ 2004-08-03 3:18 Russell Coker
From: Russell Coker @ 2004-08-03 3:18 UTC
To: SE Linux
Attached is policy for the postgrey daemon for grey-listing in Postfix.
Grey-listing means giving a 45x code in response to email the first time a
particular IP address or combination of IP address and email address attempts
to send mail to you. Some minutes later the mail will be received.
Spam machines generally don't retry, so greylisting stops lots of spam, and as
long as the delay is significantly less than 4 hours (usually only a few
minutes), someone who sends legit email will never notice any difference.
--
http://apac.redhat.com/disclaimer
See above URL for disclaimer.
[-- Attachment #2: postgrey.fc --]
# postgrey - postfix grey-listing server
/usr/sbin/postgrey -- system_u:object_r:postgrey_exec_t
/var/run/postgrey\.pid -- system_u:object_r:postgrey_var_run_t
/etc/postgrey(/.*)? system_u:object_r:postgrey_etc_t
/var/lib/postgrey(/.*)? system_u:object_r:postgrey_var_lib_t
[-- Attachment #3: postgrey.te --]
#DESC postgrey - Postfix Grey-listing server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postgrey
# defines postgrey_t, postgrey_exec_t and postgrey_var_run_t and the
# domain transition from the init scripts
daemon_domain(postgrey)
# read access to /dev/urandom
allow postgrey_t urandom_device_t:chr_file { getattr read };
# for perl
allow postgrey_t sbin_t:dir search;
allow postgrey_t usr_t:{ file lnk_file } { getattr read };
dontaudit postgrey_t usr_t:file ioctl;
# generic system configuration
allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
# defines postgrey_etc_t for /etc/postgrey
etcdir_domain(postgrey)
# TCP/UDP socket access, so postfix can talk to the daemon
can_network(postgrey_t)
allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
allow postgrey_t proc_t:file { getattr read };
# needed to change file ownership and drop privileges after starting as root
allow postgrey_t self:capability { chown setuid };
# defines postgrey_var_lib_t for the greylist database under /var/lib/postgrey
var_lib_domain(postgrey)
allow postgrey_t tmp_t:dir getattr;
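The greylisting decision described in the message above (temporary failure the first time a client/sender/recipient combination is seen, acceptance once it retries after the delay), written out as an added example in the shape of a Postfix policy server. This is illustration code, not postgrey's own Perl; the 300 second delay, the 4 hour expiry of idle entries, the choice of key and the sample request are all assumptions made for the example.

```python
"""Greylisting decision logic in the shape of a Postfix policy server.

Added illustration, not postgrey's own code. It uses the Postfix policy
delegation protocol in its simplest form: a request is a set of
name=value lines ended by a blank line, and the reply is an 'action='
line. The delay, the expiry window and the key (client address +
sender + recipient) are assumptions chosen for this example.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

DEFAULT_DELAY = 300          # seconds a new triplet is deferred (assumed)
DEFAULT_MAX_AGE = 4 * 3600   # forget a triplet idle for this long (assumed)

Triplet = Tuple[str, str, str]


def parse_policy_request(blob: str) -> Dict[str, str]:
    """Parse one policy request: name=value per line, blank line ends it."""
    attrs: Dict[str, str] = {}
    for line in blob.splitlines():
        line = line.strip()
        if not line:
            break                      # end of this request
        name, sep, value = line.partition("=")
        if sep:                        # ignore malformed lines
            attrs[name] = value
    return attrs


@dataclass
class Greylister:
    delay: int = DEFAULT_DELAY
    max_age: int = DEFAULT_MAX_AGE
    clock: Callable[[], float] = time.time   # injectable for tests
    # triplet -> (first seen, last seen)
    seen: Dict[Triplet, Tuple[float, float]] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop triplets that have not been seen for max_age seconds."""
        stale = [k for k, (_, last) in self.seen.items()
                 if now - last > self.max_age]
        for k in stale:
            del self.seen[k]

    def decide(self, attrs: Dict[str, str]) -> str:
        """Return the action line for one smtpd_access_policy request."""
        key: Triplet = (
            attrs.get("client_address", ""),
            attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower(),
        )
        now = self.clock()
        self._expire(now)
        first, _ = self.seen.get(key, (now, now))
        self.seen[key] = (first, now)    # keep first contact, refresh last
        if now - first < self.delay:
            # First attempt, or a retry that came back too soon: temporary
            # failure, but only if nothing else would have rejected the mail.
            return "action=DEFER_IF_PERMIT Greylisted, please try again later"
        return "action=DUNNO"            # let the remaining restrictions decide

    def handle(self, blob: str) -> str:
        """Full round trip: request text in, protocol reply out."""
        return self.decide(parse_policy_request(blob)) + "\n\n"


# Constructed sample request in the form postfix sends (not a real capture).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylister()
    print(g.handle(SAMPLE_REQUEST).strip())   # first contact is deferred
```

The first contact is deferred with `DEFER_IF_PERMIT` rather than a hard reject, so a client that would have been rejected by a later restriction anyway still gets the permanent error; a retry inside the delay is deferred again but keeps its original first-seen time, so a well-behaved MTA passes once the delay has elapsed regardless of how often it retried.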
* postgrey policy
@ 2005-04-18 2:13 Russell Coker
From: Russell Coker @ 2005-04-18 2:13 UTC
To: SE-Linux
[-- Attachment #1: Type: text/plain, Size: 434 bytes --]
The attached patch allows the latest version of postgrey to do what it wants.
It can work without getattr access to { bin_t sbin_t }:dir but there seems no
harm in granting it.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: diff --]
--- postgrey.te.old 2005-04-18 12:11:10.000000000 +1000
+++ postgrey.te 2005-04-18 12:12:04.000000000 +1000
@@ -10,7 +10,7 @@
allow postgrey_t urandom_device_t:chr_file { getattr read };
# for perl
-allow postgrey_t sbin_t:dir search;
+allow postgrey_t { bin_t sbin_t }:dir { getattr search };
allow postgrey_t usr_t:{ file lnk_file } { getattr read };
dontaudit postgrey_t usr_t:file ioctl;
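Review bot: the `getattr` added on `{ bin_t sbin_t }:dir` in the `+allow` line is wider than the cover note says is needed, since the daemon is reported to work without it; if the purpose is only to keep the AVC denial out of the logs, a `dontaudit postgrey_t { bin_t sbin_t }:dir getattr;` next to the existing `dontaudit postgrey_t usr_t:file ioctl;` would silence it while leaving the allow rule at `search`. The exposure from directory `getattr` is only metadata, so this is a least-privilege tidiness point rather than a risk; either way the `# for perl` comment should say that it now also covers `bin_t`.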