[refpolicy] Best approach for adding inet socket support for milters?
Christopher J. PeBenito
cpebenito at tresys.com
Wed Sep 14 09:23:04 CDT 2011
On 09/12/11 10:37, Paul Howarth wrote:
> I'd like to revisit adding TCP/inet socket support for milters. In my
> original submission of the milter policy, I had a milter_port_t but
> didn't assign any port numbers to the type, as there's no well-known
> standard port for this functionality, with sysadmins expected to
> allocate a spare port of their own choice for this purpose. This
> approach was based on the stunnel policy, which has a similar requirement.
> The milter_port_t never made it into refpolicy so currently milters
> based on the milter template are restricted to using unix domain sockets
> in the absence of local policy for inet sockets.
> This is a problem for a couple of reasons:
> 1. Much documentation for milters includes instructions for
> configuration using inet sockets rather than unix domain dockets; anyone
> following those instructions will have SELinux problems when using
> milters supported by refpolicy.
> 2. The Postfix MTA uses a different security model than sendmail, and is
> set up to connect to milters using group writeable unix sockets.
> However, sendmail considers group writeable unix sockets to be "unsafe"
> and won't use them by default. So it's difficult to specify an "out of
> the box" milter configuration that supports both MTAs using unix domain
> sockets, so the Postfix milter users are more inclined to use inet sockets.
> I'd rather return to my original suggestion of having a milter_port_t be
> supported out of the box and then let admins use semanage to define any
> ports they wanted to use as milter_port_t.
This is fine. I can't remember if I originally rejected this (I'm guessing I did), but I'm fine with it now. We already have examples of this, eg, stunnel. We should look into augmenting the corenetwork infrastructure so that the network_port() macro can handle no defined ports, so that interfaces for the type will be created. I believe this already works for the interface generation, but the te side needs to be tweaked to not emit an incomplete portcon statement.
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
More information about the refpolicy