diff options
Diffstat (limited to 'policy/modules/contrib/milter.if')
| -rw-r--r-- | policy/modules/contrib/milter.if | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if new file mode 100644 index 00000000..ee72cbed --- /dev/null +++ b/policy/modules/contrib/milter.if @@ -0,0 +1,106 @@ +## <summary>Milter mail filters</summary> + +######################################## +## <summary> +## Create a set of derived types for various +## mail filter applications using the milter interface. +## </summary> +## <param name="milter_name"> +## <summary> +## The name to be used for deriving type names. +## </summary> +## </param> +# +template(`milter_template',` + # attributes common to all milters + gen_require(` + attribute milter_data_type, milter_domains; + ') + + type $1_milter_t, milter_domains; + type $1_milter_exec_t; + init_daemon_domain($1_milter_t, $1_milter_exec_t) + role system_r types $1_milter_t; + + # Type for the milter data (e.g. the socket used to communicate with the MTA) + type $1_milter_data_t, milter_data_type; + files_type($1_milter_data_t) + + allow $1_milter_t self:fifo_file rw_fifo_file_perms; + # Allow communication with MTA over a TCP socket + allow $1_milter_t self:tcp_socket create_stream_socket_perms; + + # Allow communication with MTA over a unix-domain socket + manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + + # Create other data files and directories in the data directory + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + + corenet_tcp_bind_generic_node($1_milter_t) + corenet_tcp_bind_milter_port($1_milter_t) + + files_read_etc_files($1_milter_t) + + miscfiles_read_localization($1_milter_t) + + logging_send_syslog_msg($1_milter_t) +') + +######################################## +## <summary> +## MTA communication with milter sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_stream_connect_all',` + gen_require(` + attribute milter_data_type, milter_domains; + ') + + getattr_dirs_pattern($1, milter_data_type, milter_data_type) + stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) +') + +######################################## +## <summary> +## Allow getattr of milter sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_getattr_all_sockets',` + gen_require(` + attribute milter_data_type; + ') + + getattr_dirs_pattern($1, milter_data_type, milter_data_type) + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) +') + +######################################## +## <summary> +## Manage spamassassin milter state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_manage_spamass_state',` + gen_require(` + type spamass_milter_state_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) +') |