Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/milter.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/milter.te')
-rw-r--r--policy/modules/contrib/milter.te96
1 files changed, 96 insertions, 0 deletions
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
new file mode 100644
index 00000000..26101cbb
--- /dev/null
+++ b/policy/modules/contrib/milter.te
@@ -0,0 +1,96 @@
+policy_module(milter, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
+milter_template(regex)
+milter_template(spamass)
+
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+########################################
+#
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+optional_policy(`
+ spamassassin_domtrans_client(spamass_milter_t)
+')