[refpolicy] Best approach for adding inet socket support for milters?

Paul Howarth paul at city-fan.org
Mon Sep 12 09:37:39 CDT 2011


I'd like to revisit adding TCP/inet socket support for milters. In my 
original submission of the milter policy, I had a milter_port_t but 
didn't assign any port numbers to the type, as there's no well-known 
standard port for this functionality, with sysadmins expected to 
allocate a spare port of their own choice for this purpose. This 
approach was based on the stunnel policy, which has a similar requirement.

The milter_port_t never made it into refpolicy so currently milters 
based on the milter template are restricted to using unix domain sockets 
in the absence of local policy for inet sockets.

This is a problem for a couple of reasons:

1. Much documentation for milters includes instructions for 
configuration using inet sockets rather than unix domain dockets; anyone 
following those instructions will have SELinux problems when using 
milters supported by refpolicy.

2. The Postfix MTA uses a different security model than sendmail, and is 
set up to connect to milters using group writeable unix sockets. 
However, sendmail considers group writeable unix sockets to be "unsafe" 
and won't use them by default. So it's difficult to specify an "out of 
the box" milter configuration that supports both MTAs using unix domain 
sockets, so the Postfix milter users are more inclined to use inet sockets.

So what I'd like to know is what is the best approach to having inet 
socket support for milters in refpolicy?

If I run a milter with inet sockets in permissive mode and run the AVCs 
through audit2allow -R, I get something like:

corenet_tcp_bind_generic_port(foo_milter_t)
corenet_tcp_connect_generic_port(foo_milter_t)
allow foo_milter_t self:tcp_socket { accept listen };

That would allow milters to connect to any port, which I don't think is 
good, even with a boolean to prevent this being the default policy. 
However, the clamav policy (not based on the milter template) seems to 
use this approach.

I'd rather return to my original suggestion of having a milter_port_t be 
supported out of the box and then let admins use semanage to define any 
ports they wanted to use as milter_port_t.

Or is there a better approach that I've not though of?

Paul.


More information about the refpolicy mailing list