SELinux refpolicy module

Devin Carraway devin at debian.org
Sun Sep 9 00:39:23 UTC 2007


I've written an SELinux refpolicy module for Exim:

	http://devin.com/debian/exim-selinux/

This was written for the current Exim structure of having a large binary which
gets re-execed at various times to change privileges.  I know there was some
discussion here and elsewhere about providing wrappers or hardlinks which
could be labelled for use with policy more specific to stages of mail
handling, but wanted to get a usable policy that could work with the current
Exim structure, and if possible be workable with Etch.

For this monolithic approach, the exim daemon (exim_t) is allowed to do
everything Exim does at all stages -- connect to other SMTP servers, edit the
spool, read/write user homedirs, etc.  It should help provide protection
against compromise of the rest of the system, but doesn't do much to protect
the mail spools or the contents of homedirs.

Integration with clamav, mailman, spamassassin, various SASL/auth services and
mysql/postgresql databases should all work.  I tested the first three under
what I believe to be fairly typical configurations and wrote policy which I
think will cover most needs, but there are lots of ways they can be integrated
with Exim and I may not have addressed them all (and some would require local
policy edits, for which I've provided interfaces.)

I'd welcome review or feedback if you have any.  Writing policy requires some
familiarity with the refpolicy interface and selinux nuances, but reading it
is relatively straightforward, and I'd be happy to explain anything unclear.

Thanks,

Devin

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
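The message above describes a monolithic policy in which every Exim process runs in the exim_t domain. The following is an added example, not code from the post or from Devin's module: a small POSIX shell check an administrator could run after loading the policy to confirm that every Exim process is actually confined in exim_t rather than running unconfined. The process-listing format is that of `ps -eZ` (security context first, command last); the sample listing and the `exim4` process name are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a `ps -eZ` style
# listing and count Exim processes whose SELinux type is not exim_t.
# Assumes the `ps -eZ` column layout: LABEL PID TTY TIME CMD.

# Constructed sample listing: two confined daemons and one process that was
# started from an unconfined shell and therefore never entered exim_t.
SAMPLE_PS='system_u:system_r:exim_t:s0                1234 ?     00:00:00 exim4
system_u:system_r:exim_t:s0                1240 ?     00:00:01 exim4
unconfined_u:unconfined_r:unconfined_t:s0  2200 pts/0 00:00:00 exim4
system_u:system_r:crond_t:s0                900 ?     00:00:00 cron'

# Constructed listing where every Exim process is confined.
SAMPLE_PS_OK='system_u:system_r:exim_t:s0  1234 ?  00:00:00 exim4
system_u:system_r:exim_t:s0  1240 ?  00:00:01 exim4'

# count_unconfined_exim LISTING
#   Prints the number of processes whose command starts with "exim" and whose
#   SELinux type (third field of the context) is not exim_t.  Always exits 0
#   so it can be used in command substitution under `set -e`.
count_unconfined_exim() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^exim/ {
            split($1, ctx, ":")          # user:role:type:level
            if (ctx[3] != "exim_t") bad++
        }
        END { print bad + 0 }'
}

# list_unconfined_exim LISTING
#   Prints "PID TYPE" for each Exim process outside exim_t, for follow-up.
list_unconfined_exim() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^exim/ {
            split($1, ctx, ":")
            if (ctx[3] != "exim_t") print $2, ctx[3]
        }'
}

# Demonstration on the constructed samples.
echo "unconfined exim processes in sample: $(count_unconfined_exim "$SAMPLE_PS")"
list_unconfined_exim "$SAMPLE_PS"
echo "unconfined exim processes in clean sample: $(count_unconfined_exim "$SAMPLE_PS_OK")"
```

On a live system the listing argument would be `"$(ps -eZ)"`; a non-zero count means some Exim instance is running with the full rights of its caller's domain and gets none of the containment the policy is meant to provide, which is typically the result of starting the daemon from an interactive shell instead of through the labelled init script.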