SELinux Policy for spamass-milter


The spamass-milter packages here are designed to work with my milter SELinux policy, which is included in upstream reference policy, and came into Fedora during the Fedora 11 development cycle. I also raised Bug #483849 to get it backported into the Fedora 9 and 10 selinux-policy packages.

I have subsequently updated the policy to add a new type and interface in order to support the use of the milter with a single site-wide spamassassin configuration and bayes database common to all users (Bug #489995). The patch has been submitted upstream but hasn't been merged at the time of writing. Once it's merged, I'll try to get it backported into Fedora too (this is already happening - see Bug #492550).

The policy files here provide support for spamass-milter in Red Hat Enterprise Linux 5 and compatible distributions, and consist of three modules. For those unfamilar with how to build and install SELinux policy modules, see my guide to building SELinux policy modules.

The policy is split into three modules:

  1. milter - almost unchanged milter policy module from upstream; the only changes are related to interface changes that have happened upstream since Red Hat Enterprise Linux 5
  2. milter-extras - additional rules for other SELinux domains that provide support for MTAs to communicate with milter applications
  3. spamassassin-client - the spamassassin client policy, which provides the system spamc_t domain and an interface to it used by the milter policy; this policy was developed after the release of Red Hat Enterprise Linux 5. However, Red Hat Enterprise Linux 5.3 now includes the client policy so this module is not needed for RHEL 5.3 onwards.

Quick Install Guide

Create a directory /root/selinux.local and copy the policy files from here into that directory. Then build and install the modules (you'll need the make and selinux-policy-devel packages installed first).

# cd /root/selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .
# make
# semodule -i spamassassin-client.pp milter.pp milter-extras.pp

(don't include spamassassin-client.pp for RHEL 5.3 onwards)

If you have already installed the spamass-milter package, you'll need to fix up the file contexts:

# restorecon -rvF $(rpm -ql spamass-milter)

Paul Howarth <paul@city-fan.org>

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[TXT]milter-extras.te2009-04-22 13:15 796  
[   ]milter.fc2009-03-18 15:58 609  
[TXT]milter.if2009-04-22 13:14 2.7K 
[TXT]milter.te2009-04-23 14:33 1.9K 
[TXT]spamassassin-client.if2009-02-04 12:56 431  
[TXT]spamassassin-client.te2009-04-22 13:39 3.6K