From Debian package 0.0.20080702-7 0072-Spamassassin-policy-adjustments.patch (part of) 0075-postfix-policy-adjustments-Allow-user_mail_t-to-tran.patch (part of) Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t to talk to it spamassassin file contexts are moved to milter.te in 594_spamass_milter_labels
Index: policy/modules/services/postfix.te
===================================================================
--- policy/modules/contrib/postfix.te.orig
+++ policy/modules/contrib/postfix.te
@@ -231,6 +231,10 @@
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write };
+
 ########################################
 #
 # Postfix cleanup local policy
@@ -630,3 +634,8 @@
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
+
+# for talking to spamass-milter
+optional_policy(`
+	spamassassin_connect_unix_sock(postfix_smtpd_t)
+')
Index: policy/modules/contrib/spamassassin.fc
===================================================================
--- policy/modules/contrib/spamassassin.fc.orig
+++ policy/modules/contrib/spamassassin.fc
@@ -6,6 +6,7 @@
 /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0)
 /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
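Review bot: The two postfix_cleanup_t rules in the first postfix.te hunk are inserted above the `# Postfix cleanup local policy` banner, i.e. inside the bounce section; they should move below the banner with the other cleanup rules, and likewise the `spamassassin_connect_unix_sock(postfix_smtpd_t)` block in the second hunk is appended after the postfix_virtual_t rules although it grants to postfix_smtpd_t, so it belongs in the smtpd section. The comment `# for milters - may be a bug in postfix` records neither the denial it answers nor why cleanup needs smtpd's socket; as far as I know Postfix smtpd hands its open Milter connection over to cleanup so the same Milter session continues there, which is normal behaviour rather than a bug. A comment such as `# smtpd passes its open milter connection (fd + unix socket) to cleanup; needed for any Milter, not only spamass-milter` would document the real reason. The `fd use` plus `unix_stream_socket { getattr read write }` pair is the expected shape for an inherited descriptor, so no further permission seems to be missing.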
@@ -13,3 +14,4 @@
 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
Index: policy/modules/contrib/spamassassin.if
===================================================================
--- policy/modules/contrib/spamassassin.if.orig
+++ policy/modules/contrib/spamassassin.if
@@ -225,3 +225,23 @@
 	dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
+
+########################################
+##
+## Connect to spamd via unix socket
+##
+##
+##
+## Domain to connect
+##
+##
+#
+interface(`spamassassin_connect_unix_sock',`
+	gen_require(`
+		type spamd_t, spamd_var_run_t;
+	')
+
+	allow $1 spamd_var_run_t:dir search_dir_perms;
+	allow $1 spamd_var_run_t:sock_file write;
+	allow $1 spamd_t:unix_stream_socket connectto;
+')
Index: policy/modules/contrib/spamassassin.te
===================================================================
--- policy/modules/contrib/spamassassin.te.orig
+++ policy/modules/contrib/spamassassin.te
@@ -49,6 +49,7 @@
 type spamd_t;
 type spamd_exec_t;
 init_daemon_domain(spamd_t, spamd_exec_t)
+can_exec(spamd_t, spamc_exec_t)
 type spamd_spool_t;
 files_type(spamd_spool_t)
@@ -329,6 +330,7 @@
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_generic_node(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_spamd_port(spamd_t)
 corenet_tcp_connect_razor_port(spamd_t)
 corenet_tcp_connect_smtp_port(spamd_t)
 corenet_sendrecv_razor_client_packets(spamd_t)
@@ -417,6 +419,7 @@
 optional_policy(`
 	postfix_read_config(spamd_t)
+	postfix_search_spool(spamd_t)
 ')
 optional_policy(`
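Review bot: The new `/var/spool/postfix/spamass(/.*)?` spec in spamassassin.fc labels a subtree of the Postfix spool as `spamd_var_run_t` without a comment saying why a spool path gets a var_run type; presumably this is the spamass-milter socket directory (the `spamassassin_connect_unix_sock` interface added in this patch writes `spamd_var_run_t:sock_file`), placed under the spool because Debian runs smtpd chrooted there. If postfix.fc labels `/var/spool/postfix(/.*)?` with its own spool type, this more specific spec overrides it for the subtree, which is intended but worth stating so nobody "fixes" it later. Suggest `# spamass-milter socket directory inside the postfix spool (chroot); intentionally overrides the postfix spool label for this subtree` above the line.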
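Review bot: The three `allow` rules in `spamassassin_connect_unix_sock` are exactly what the refpolicy helper `stream_connect_pattern` expands to, so the body can be the single line `stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)`, which also grants `write_sock_file_perms` instead of bare `write` (the missing `getattr` on the sock_file is a likely source of follow-up denials). The doc block shows only bare `##` lines around the two text lines, so the `<summary>` and `<param name="domain">` tags look absent (possibly lost in rendering); if they really are missing, the interface will not document correctly and the `##` lines should carry them. Since this patch runs spamass-milter in spamd_t, the summary should also say the interface connects to spamd or spamass-milter unix sockets rather than only spamd.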
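Review bot: `can_exec(spamd_t, spamc_exec_t)` in the `@@ -49` hunk of spamassassin.te is placed in the declarations section between `init_daemon_domain` and `type spamd_spool_t;`, whereas rules belong in the spamd local policy section further down, and it has no comment. Presumably it exists because spamass-milter, now labelled spamd_exec_t, execs spamc to reach spamd; because `can_exec` keeps spamc running in spamd_t, the daemon domain then also needs client permissions, which is what `corenet_tcp_connect_spamd_port(spamd_t)` in the `@@ -329` hunk adds. A comment such as `# spamass-milter (runs as spamd_t) execs spamc, which connects back to spamd` on both lines would make that coupling visible; alternatively `domtrans_pattern(spamd_t, spamc_exec_t, spamc_t)` would keep the client side in spamc_t and make the extra port rule unnecessary, if spamc_t's existing rules suffice for the milter's use.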