Clamd getting out of hand...

Daniel J Walsh dwalsh at redhat.com
Tue Aug 12 20:23:43 UTC 2008


Arthur Dent wrote:
> On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
>> Arthur Dent wrote:
>>> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
> 
> 
>> Adding the following policy to clamscan
>>
>> mta_send_mail(clamscan_t)
>> corenet_all_recvfrom_unlabeled(clamscan_t)
>> corenet_all_recvfrom_netlabel(clamscan_t)
>> corenet_tcp_sendrecv_all_if(clamscan_t)
>> corenet_tcp_sendrecv_all_nodes(clamscan_t)
>> corenet_tcp_sendrecv_all_ports(clamscan_t)
>> corenet_tcp_sendrecv_clamd_port(clamscan_t)
>> corenet_tcp_connect_clamd_port(clamscan_t)
>>
>> Should fix.
>>
>> Updated in selinux-policy-3.3.1-85.fc9
> 
> Hi Daniel,
> 
> Thank you very much for taking the time to help me on this.
> 
> This is the first chance I've had to test your policy. With setenforce
> set to 0 and just the above lines in my clamd policy I got 11 (eleven)
> AVC denials for the first inbound email.
> 
> I have put all 11 AVCs (full) here:
> 
> http://pastebin.com/m3126be9d
> 
> 
> Running audit2allow on those says I should also have the following
> policies:
> 
> require {
> 	type clamscan_t;
> 	type procmail_log_t;
> 	type clamd_t;
> 	class tcp_socket { write create connect };
> 	class file append;
> }
> 
> #============= clamd_t ==============
> corenet_tcp_bind_generic_port(clamd_t)
> 
> #============= clamscan_t ==============
> allow clamscan_t procmail_log_t:file append;
> allow clamscan_t self:tcp_socket { write create connect };
> corenet_tcp_connect_generic_port(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
> 
> What do you think?
> 
> Thanks again...
> 
> AD
> 
> p.s.
> 
> On Fri Aug 08 yum updated my system with selinux-policy-3.3.1-82.fc9.noarch. 
> You say that much of the above is in 3.3.1-85. Typically how long is the
> gap between you releasing the policy and it getting into the repos for
> we mortals?
> 
> 
> 
> 
Usually I release about once per week.  85 should be in testing tonight.
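
The raw `allow` rules in the audit2allow output quoted above come from grouping each denial by source type, target type and object class. The sketch below is an added example, not part of the original thread and not audit2allow's own code; the AVC records are constructed samples (the real ones are only on the pastebin link), and it does not do the interface matching that yields macros such as `mta_read_queue()`.

```python
import re
from collections import defaultdict

# Constructed AVC records for illustration (not the 11 denials from the thread).
SAMPLE_AVCS = """\
type=AVC msg=audit(1218500000.101:201): avc:  denied  { create } for  pid=2101 comm="clamdscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218500000.102:202): avc:  denied  { connect } for  pid=2101 comm="clamdscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218500000.103:203): avc:  denied  { write } for  pid=2101 comm="clamdscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218500000.104:204): avc:  denied  { append } for  pid=2101 comm="clamdscan" name="procmail.log" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_log_t:s0 tclass=file
type=AVC msg=audit(1218500000.105:205): avc:  denied  { append } for  pid=2102 comm="clamdscan" name="procmail.log" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_log_t:s0 tclass=file
type=SYSCALL msg=audit(1218500000.105:205): arch=40000003 syscall=5 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def ctx_type(context):
    # Context is user:role:type[:mls-range]; the MLS range may itself contain ':'.
    return context.split(":")[2]

def avc_to_rules(log_text):
    """Merge denied permissions per (source, target, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record (e.g. SYSCALL lines)
        src, tgt = ctx_type(m["s"]), ctx_type(m["t"])
        if src == tgt:
            tgt = "self"  # same convention as the rules quoted in the thread
        grouped[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_AVCS):
        print(rule)
```
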



