Bug 483849 - Include milter policy from upstream in F-9 and F-10
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 446975 447247 452248 455820
Reported: 2009-02-03 16:52 EST by Paul Howarth
Modified: 2009-05-20 06:39 EDT
Fixed In Version: 3.3.1-131.fc9
Doc Type: Bug Fix
Last Closed: 2009-05-20 06:39:43 EDT

Attachments
Patch adding milter module to F-9 policy (9.86 KB, patch)
2009-02-03 16:53 EST, Paul Howarth
Patch adding milter module to F-10 policy (10.32 KB, patch)
2009-02-03 16:53 EST, Paul Howarth
Description Paul Howarth 2009-02-03 16:52:03 EST
Basically the problem is that spamass-milter doesn't work properly with SELinux in enforcing mode (see Bug #446975 and Bug #447247; the fix suggested here will also help with Bug #452248).

I have written new policy for spamass-milter and also milter-regex and these are now in upstream reference policy and back downstream in Rawhide already.

I shall attach patches against today's CVS for selinux-policy F-9 and F-10 that add the milter module to policy. I'm particularly keen to get F-10 policy fixed because I can't override some of the context types specified in selinux-policy using a local policy module like I could in F-9 (which would complain about multiple different specifications but still allow it and work).

Dan has been involved in discussions regarding this for some time and was close to merging it earlier - see https://bugzilla.redhat.com/show_bug.cgi?id=452248#c13

I've built and tested the resulting patched packages (hence the odd release tags which I'm sure you'll change) and look forward to getting this into Fedora at long, long, last.
Comment 1 Paul Howarth 2009-02-03 16:53:02 EST
Created attachment 330785
Patch adding milter module to F-9 policy
Comment 2 Paul Howarth 2009-02-03 16:53:44 EST
Created attachment 330786
Patch adding milter module to F-10 policy
Comment 3 Daniel Walsh 2009-02-03 17:14:55 EST
Miroslav, let's take this policy in and update F9 and F10.
Comment 4 Miroslav Grepl 2009-02-05 07:43:31 EST
Fixed in selinux-policy-3.5.13-44.fc10 and selinux-policy-3.3.1-121.fc9. Today submitted for testing.
Comment 5 Paul Howarth 2009-02-12 09:48:26 EST
Thanks, this is working for me so far.

However, I don't understand why the milter_read_data and milter_manage_data (which has the wrong summary in the interface file by the way) interfaces were added. Why does spamc_t need to manage milter data?
Comment 6 Miroslav Grepl 2009-02-12 10:20:12 EST
You are right. I will fix it. Thanks for your notice.
Comment 7 Paul Howarth 2009-04-23 10:29:47 EDT
Current state of play:

devel/F-11 : awaiting pull of milter module version 1.0.1 from upstream.

F-10/F-9 : OK except that upstream now uses interface name milter_manage_spamass_state rather than milter_spamass_manage_state.

Nearly there - thanks for the work so far!
Comment 8 Miroslav Grepl 2009-04-23 10:38:37 EDT
I will fix the interface name in F9/F10.
Comment 9 Paul Howarth 2009-05-20 06:39:43 EDT
All seems well now, in F-9, F-10, F-11, and devel. Thanks everyone.
