postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 21 07:27:53 UTC 2006


On Tue, 2006-06-20 at 17:35 -0400, Daniel J Walsh wrote:
> Ok if you guys have this all working, I would like to grab your policy 
> modules and merge them so upstream can get them.

It's not ready yet.

Firstly, there are a bunch of things currently allowed by the policy
that we don't yet understand (such as why the postfix master program
wants to read the attributes of one of its own manpages). I'd like to
know what, if anything, breaks if these curious things are not allowed.

Secondly, I think that clamassassin needs its own domain. Currently it
starts running in the procmail domain, makes a temp file of the message
to be scanned (which will be procmail_tmp_t) and then has clamscan scan
the file (so clamscan needs to be able to read procmail_tmp_t files). If
clamassassin had its own domain, the temp file could be written as
clamscan_tmp_t, which would be much better.

Paul.
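
Added example, not part of the message above and not taken from any shipped policy: a policy module sketching the separate clamassassin domain the second point describes, limited to the two labelling transitions it relies on. The type names clamassassin_t and clamassassin_exec_t are hypothetical; procmail_t, clamscan_t and tmp_t are assumed to be the names used by the loaded base policy.

```selinux
module clamassassin_sketch 1.0;

require {
	attribute domain;
	attribute file_type;
	attribute exec_type;
	role system_r;
	type procmail_t;
	type clamscan_t;      # assumed name of the clamscan domain
	type clamscan_tmp_t;
	type tmp_t;           # assumed label of /tmp
	class process { transition sigchld };
	class file { create open getattr read write unlink execute entrypoint };
	class dir { search write add_name remove_name };
	class fd use;
}

# Hypothetical new types: the domain and the label of its entry script.
type clamassassin_t, domain;
type clamassassin_exec_t, file_type, exec_type;
role system_r types clamassassin_t;

# 1. When procmail executes the wrapper, leave procmail_t for the new domain.
type_transition procmail_t clamassassin_exec_t:process clamassassin_t;
allow procmail_t clamassassin_exec_t:file { getattr open read execute };
allow procmail_t clamassassin_t:process transition;
allow clamassassin_t clamassassin_exec_t:file { getattr open read entrypoint };
allow clamassassin_t procmail_t:process sigchld;
allow clamassassin_t procmail_t:fd use;

# 2. Files the wrapper creates in /tmp are labelled clamscan_tmp_t
#    instead of inheriting procmail's temp type.
type_transition clamassassin_t tmp_t:file clamscan_tmp_t;
allow clamassassin_t tmp_t:dir { search write add_name remove_name };
allow clamassassin_t clamscan_tmp_t:file { create open getattr read write unlink };

# 3. clamscan reads the message through its own temp type, so no rule
#    granting clamscan_t access to procmail_tmp_t files is required.
#    ("open" exists only on kernels that define it; drop it elsewhere.)
allow clamscan_t clamscan_tmp_t:file { getattr open read };
```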



