[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Clamd getting out of hand...
- From: Daniel J Walsh <dwalsh redhat com>
- To: Arthur Dent <selinux list troodos demon co uk>, fedora-selinux-list redhat com
- Cc:
- Subject: Re: Clamd getting out of hand...
- Date: Wed, 30 Jul 2008 11:24:47 -0400
Arthur Dent wrote:
> Hello All,
>
> I have been using SELinux in enforcing mode on my F8 box for some time
> now. I had to go through a bit of pain to get clamassassin working with
> clamd to scan my emails but it worked OK.
>
> This weekend I upgraded to F9 and have now had about a gazillion AVC
> denials related to clamd.
>
> I have therefore been forced to use audit2allow to add to the already
> pretty cumbersome local policy I had with F8.
>
> I list the policy below. All of the entries are as a result of some
> denial and subsequent audit2allow policy generation.
>
> My question is basically - can one of you gurus tell me if all this
> stuff is still necessary? Is there a policy in the works that might
> avoid all this?
>
> Thanks in advance
>
> AD
>
>
> ##########################################
> # cat myclamd.te
> policy_module(myclamd, 1.1.11)
> require {
> type clamscan_t;
> type clamd_t;
> class tcp_socket { write create connect };
> type var_run_t;
> type user_home_t;
> class sock_file { write unlink create };
> class file append;
> type unlabeled_t;
> class association recvfrom;
>
> }
>
> #============= clamd_t ==============
> allow clamd_t var_run_t:sock_file { unlink create };
Looks like a labeling problem.
> corenet_tcp_bind_generic_port(clamd_t)
What port did it bind to?
> userdom_read_generic_user_home_content_files(clamd_t)
>
> #============= clamscan_t ==============
> allow clamscan_t self:tcp_socket { write create connect };
> allow clamscan_t user_home_t:file append;
Labeling?
> allow clamscan_t var_run_t:sock_file write;
> corenet_tcp_connect_generic_port(clamscan_t)
> corenet_sendrecv_unlabeled_packets(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
> userdom_read_generic_user_home_content_files(clamscan_t)
> allow clamscan_t unlabeled_t:association recvfrom;
> ##########################################
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please attach the avc's used to create this policy?
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]