postfix, procmail and SELinux - No Go

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 20 13:37:06 UTC 2006


On Tue, 2006-06-20 at 08:26 -0500, Marc Schwartz wrote:
> Also, note that now I am getting an error when trying to install the
> myclam.pp module:
> 
> # semodule -i myclam.pp
> libsepol.scope_copy_callback: myclam: Duplicate declaration in module:
> type/attribute clamscan_tmp_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> 
> So I presume that there is an update in the version 1.0.1 of the new
> clamav module that conflicts with the declarations in our new module?

Yes, clamscan_tmp_t is defined in the clamav module now, so your
definition can go away.  Unlike allow rules, which are just unioned
together (thus, no harm in duplicates), duplicate type declarations are
treated as an error.

> The current myclam.te is:
> 
> # cat myclam.te
> ####### myclam.te #######
> policy_module(myclam, 0.1.2)
> 
> require {
>          type clamscan_t;
>          type procmail_tmp_t;
>          type postfix_local_t;
> };
> 
> # temp files
> type clamscan_tmp_t;
> files_tmp_file(clamscan_tmp_t)
> 
> # Allow clamscan to create and use temp files and dirs
> allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
> allow clamscan_t clamscan_tmp_t:file create_file_perms;
> files_type(clamscan_tmp_t)
> files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
> 
> # Allow clamscan to read and write  temp files created by procmail
> # (needed for clamassassin)
> allow clamscan_t procmail_tmp_t:file rw_file_perms;
> 
> # Allow clamscan output to be piped back into the
> # postfix local delivery process
> allow clamscan_t postfix_local_t:fd use;
> allow clamscan_t postfix_local_t:fifo_file write;
> 
> 
> Marc
> 
-- 
Stephen Smalley
National Security Agency
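
A pre-install check for the link failure discussed above, as an added example that is not part of the original message or of the SELinux toolchain: it separates the types a `.te` source declares from those it only requires and flags declarations that collide with types the installed policy already provides. The sample module is a trimmed, constructed copy of the one quoted above, and `INSTALLED_TYPES`, `split_module` and `lint` are hypothetical names.

```python
import re

# Constructed sample: the module quoted in the message, trimmed to the relevant lines.
MYCLAM_TE = """\
policy_module(myclam, 0.1.2)

require {
         type clamscan_t;
         type procmail_tmp_t;
         type postfix_local_t;
};

# temp files
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)

allow clamscan_t clamscan_tmp_t:file create_file_perms;
allow clamscan_t procmail_tmp_t:file rw_file_perms;
"""

# Assumption: type names the installed policy already declares (for example
# collected with `seinfo -t`); constructed here so the example runs offline.
INSTALLED_TYPES = {"clamscan_t", "clamscan_tmp_t", "procmail_tmp_t", "postfix_local_t"}

TYPE_STMT = re.compile(r"^\s*type\s+([^;]+);", re.M)
REQUIRE_BLOCK = re.compile(r"\brequire\s*\{(.*?)\}", re.S)

def split_module(te_source):
    """Return (declared, required) sets of type names from .te source text."""
    text = re.sub(r"#.*", "", te_source)  # strip comments
    required = set()
    for block in REQUIRE_BLOCK.findall(text):
        for stmt in TYPE_STMT.findall(block):  # "type a_t, b_t;" may list several
            required.update(name.strip() for name in stmt.split(","))
    declared = set()
    for stmt in TYPE_STMT.findall(REQUIRE_BLOCK.sub("", text)):
        # Outside require, the first token is the new type; the rest are aliases/attributes.
        declared.add(stmt.split(",")[0].split()[0])
    return declared, required

def lint(te_source, installed_types):
    """Report declarations that would collide and requirements nothing satisfies."""
    declared, required = split_module(te_source)
    return {
        "duplicate": sorted(declared & installed_types),    # would fail to link
        "unresolved": sorted(required - installed_types),   # required, declared nowhere
    }

if __name__ == "__main__":
    print(lint(MYCLAM_TE, INSTALLED_TYPES))
```

Duplicate `allow` rules are deliberately not reported, since those are unioned at link time; only `type` declarations are compared.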



