Here I have a couple of changes to the milter policy that reduce what
milters (well, spamass-milter in particular) are able to do.
Firstly, I noticed a while back that I was getting AVCs from
milter-regex and milter-greylist trying to read /proc/cpuinfo at program
start-up. I couldn't figure out what was causing that to happen
(probably part of some system call or maybe in libmilter) but this
access being denied didn't seem to cause any problems. I also saw that
the spamass-milter policy allowed this access. A few weeks ago I updated
my local policy to dontaudit this instead of allowing it and don't
appear to be suffering any problems as a result, so I propose to
dontaudit it in the milter template.
Secondly, the fix for CVE-2010-1132 in spamass-milter was just pushed to
stable for all supported Fedora and EPEL releases. This was unsanitized
input being passed in an argument to popen() and hence a shell. Upstream
proposed a patch for this several weeks ago that replaced the popen()
call with execve() via a wrapper called popenv(), which avoids the use
of a shell for this functionality. This fix hasn't been committed to
upstream CVS yet but I have tested it extensively myself and this fix
has been incorporated into the Fedora and Debian spamass-milter
packages. So for Fedora and Debian, the following policy rules are no
longer needed:
corecmd_exec_shell(spamass_milter_t)
corecmd_search_bin(spamass_milter_t)
These changes are all included in the attached patch against Rawhide policy.
Paul.