[refpolicy] Milter Mail Filters

Christopher J. PeBenito cpebenito at tresys.com
Wed Oct 8 14:22:25 CDT 2008


Moving to refpolicy list.

On Wed, 2008-10-08 at 14:05 +0100, Paul Howarth wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-09-22 at 13:27 +0100, Paul Howarth wrote:
> >> Updated patch: sendmail, when run as "newaliases", tries to getattr()
> >> milter sockets as well as the directories they live in, so I changed the
> >> milter_getattr_all_data_dirs interface to milter_getattr_all_sockets.
> >>
> >> I also moved the call to this interface in mta.te out from the middle of
> >> a bunch of postfix-related lines.
> >>
> >> Paul.
> > 
> > I think my last two comments are
> > 
> > * you can't require milter_port_t.  It doesn't seem like a generic port
> > type would be useful anyway, otherwise there would be a port defined.
> 
> So I should change "allow milter_$1_t milter_port_t:tcp_socket 
> name_bind;" to "corenet_tcp_bind_generic_port($1_milter_t)"?

No.  I don't see how it makes sense to have a port type common to all
milters.

> I can do that but I don't understand why milter_port_t should be any
> different than say stunnel_port_t, which also doesn't have a default
> port defined, and would be used in a similar way, i.e. an admin would
> set up an application to use a specific port (a milter running over tcp
> needs to have a port specified, just as a tunnel set up using stunnel does
> - they don't just bind to random generic ports).

This is not comparable, as there is only one stunnel domain, whereas
there are several milter domains.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


