[refpolicy] Milter Mail Filters

[Paul Howarth <paul@city-fan.org>]

[-- Attachment #1: Type: text/plain, Size: 1358 bytes --]

Hi,

attached is a patch based on local policy I'm using on Fedora 9 to 
support two "milter" mail filter daemons in conjunction with sendmail, 
namely spamass-milter and milter-regex (I maintain the packages for both 
of these in Fedora).

I've taken the view that most milter applications will have similar 
requirements and so I've created a milter_template interface that 
contains most of what's needed, and then added the specifics that are 
needed on top of the generic stuff for each application.

However, as I'm by no means an selinux expert, there are a number of 
things I'm unsure about:

1. In a situation where sendmail is the running MTA on a system, what is 
the difference between sendmail_t and system_mail_t?

2. MTAs other than sendmail (postfix comes to mind) can also use 
milters, but as I don't have any boxes running postfix, I don't know 
what I'd need to add to postfix policy to support milters.

3. Fedora 9 has an interface spamassassin_domtrans_spamc that I used in 
my local policy. It doesn't appear to be present in refpolicy; what 
would be the right thing to use for a daemon calling spamc?

4. I cribbed the milter_port_t stuff from the only example I could find, 
and it's probably wrong. What would be the correct way of defining this?

5. Does the use of a template for these applications a sane way to do it?

Paul.

[-- Attachment #2: milters.patch --]
[-- Type: text/plain, Size: 7481 bytes --]

Index: policy/modules/services/milters.te
===================================================================
--- policy/modules/services/milters.te	(revision 0)
+++ policy/modules/services/milters.te	(revision 0)
@@ -0,0 +1,44 @@
+policy_module(milters,0.0.7)
+
+require {
+	attribute port_type;
+}
+
+type milter_port_t, port_type;
+
+#============= milter-regex policy ==============
+milter_template(regex)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(milter_regex_t)
+
+# The milter creates a socket in /var/spool/milter-regex/
+# for communication with sendmail
+files_search_spool(milter_regex_t)
+manage_sock_files_pattern(milter_regex_t,milter_regex_spool_t,milter_regex_spool_t)
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow milter_regex_t self:capability { setuid setgid dac_override };
+
+
+#============= spamass-milter policy ==============
+milter_template(spamass)
+
+# The milter creates a socket in /var/run/spamass-milter/
+# for communication with sendmail
+manage_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t)
+manage_sock_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+#
+# The spamassassin_domtrans_spamc interface in Fedora 9 ???
+#spamassassin_domtrans_spamc(milter_spamass_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(milter_spamass_t)
+corecmd_read_bin_symlinks(milter_spamass_t)
+corecmd_search_bin(milter_spamass_t)
+kernel_read_system_state(milter_spamass_t)
+mta_send_mail(milter_spamass_t)
Index: policy/modules/services/sendmail.te
===================================================================
--- policy/modules/services/sendmail.te	(revision 2710)
+++ policy/modules/services/sendmail.te	(working copy)
@@ -112,6 +112,14 @@
 ')
 
 optional_policy(`
+	milter_regex_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+	milter_spamass_stream_connect(sendmail_t)
+')
+
+optional_policy(`
 	postfix_exec_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
Index: policy/modules/services/milters.fc
===================================================================
--- policy/modules/services/milters.fc	(revision 0)
+++ policy/modules/services/milters.fc	(revision 0)
@@ -0,0 +1,14 @@
+#================= contexts for milter-regex =================
+
+/usr/sbin/milter-regex		--	gen_context(system_u:object_r:milter_regex_exec_t,s0)
+
+/var/spool/milter-regex(/.*)?		gen_context(system_u:object_r:milter_regex_spool_t,s0)
+
+#================= contexts for spamass-milter =================
+
+/usr/sbin/spamass-milter	--	gen_context(system_u:object_r:milter_spamass_exec_t,s0)
+
+/var/run/spamass-milter\.pid	--	gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
+/var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
+
+
Index: policy/modules/services/mta.te
===================================================================
--- policy/modules/services/mta.te	(revision 2710)
+++ policy/modules/services/mta.te	(working copy)
@@ -154,3 +154,7 @@
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
+
+optional_policy(`
+	milter_spamass_rw_stream_sockets(system_mail_t)
+')
Index: policy/modules/services/milters.if
===================================================================
--- policy/modules/services/milters.if	(revision 0)
+++ policy/modules/services/milters.if	(revision 0)
@@ -0,0 +1,117 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+##	Create a set of derived types for various
+##	mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`milter_template',`
+
+	# Type that the milter application runs as
+	type milter_$1_t;
+	domain_type(milter_$1_t)
+	role system_r types milter_$1_t;
+
+	# Type for the executable file
+	type milter_$1_exec_t;
+	init_daemon_domain(milter_$1_t, milter_$1_exec_t)
+
+	# This type is for pidfiles etc.
+	type milter_$1_var_run_t;
+	files_type(milter_$1_var_run_t);
+
+	# This type is for spool/cache data etc.
+	type milter_$1_cache_t;
+	files_type(milter_$1_cache_t);
+
+	# This type is for spool/cache data etc.
+	type milter_$1_spool_t;
+	files_type(milter_$1_spool_t);
+
+	# This type is for state data etc.
+	type milter_$1_var_lib_t;
+	files_type(milter_$1_var_lib_t);
+
+	# Generic rules from policygentool
+	files_read_etc_files(milter_$1_t)
+	libs_use_ld_so(milter_$1_t)
+	libs_use_shared_libs(milter_$1_t)
+	miscfiles_read_localization(milter_$1_t)
+	sysnet_dns_name_resolve(milter_$1_t)
+	init_use_fds(milter_$1_t)
+	init_use_script_ptys(milter_$1_t)
+	domain_use_interactive_fds(milter_$1_t)
+
+	# Allow communication with MTA over a TCP socket
+	# hack since this port has no interfaces since it does not have net_contexts
+	gen_require(`
+		type milter_port_t;
+	')
+	allow milter_$1_t milter_port_t:tcp_socket name_bind;
+	corenet_tcp_bind_generic_node(milter_$1_t)
+	allow milter_$1_t self:tcp_socket { listen accept };
+
+	# Things that most milters will need to do
+	allow milter_$1_t self:fifo_file rw_fifo_file_perms;
+	logging_send_syslog_msg(milter_$1_t)
+
+')
+
+########################################
+## <summary>
+##	MTA communication with spamass-milter socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_spamass_stream_connect',`
+	gen_require(`
+		type milter_spamass_var_run_t, milter_spamass_t;
+	')
+	stream_connect_pattern($1,milter_spamass_var_run_t,milter_spamass_var_run_t,milter_spamass_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write unix stream sockets from spamass-milter
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`milter_spamass_rw_stream_sockets',`
+        gen_require(`
+                type milter_spamass_t;
+        ')
+
+	allow $1 milter_spamass_t:unix_stream_socket { read write };
+')
+
+
+########################################
+## <summary>
+##	MTA communication with milter-regex socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_regex_stream_connect',`
+	gen_require(`
+		type milter_regex_spool_t, milter_regex_t;
+	')
+	stream_connect_pattern($1,milter_regex_spool_t,milter_regex_spool_t,milter_regex_t)
+')
Index: policy/modules/services/spamassassin.fc
===================================================================
--- policy/modules/services/spamassassin.fc	(revision 2710)
+++ policy/modules/services/spamassassin.fc	(working copy)
@@ -10,7 +10,6 @@
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)