The attached patch updates the (unused) clamav policy to work with the changes in the FC strict/1.23.10-2 policy. It also fixes an access problem with the clamd socket.

David
Index: domains/program/unused/clamav.te =================================================================== RCS file: /home/cvs/starfury/etc/selinux/strict/src/policy/domains/program/unused/clamav.te,v retrieving revision 1.1.1.2 diff -u -r1.1.1.2 clamav.te --- domains/program/unused/clamav.te 6 Apr 2005 22:35:54 -0000 1.1.1.2 +++ domains/program/unused/clamav.te 13 Apr 2005 23:14:11 -0000 @@ -29,6 +29,7 @@ read_sysctl(freshclam_t) can_network_client_tcp(freshclam_t, http_port_t); +allow freshclam_t http_port_t:tcp_socket name_connect; can_resolve(freshclam_t) can_ypbind(freshclam_t) @@ -64,6 +65,9 @@ logdir_domain(freshclam) allow initrc_t freshclam_log_t:file append; +# Pid files for freshclam +allow initrc_t clamd_var_run_t:file { create setattr }; + system_crond_entry(freshclam_exec_t, freshclam_t) domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t) Index: macros/program/clamav_macros.te =================================================================== RCS file: /home/cvs/starfury/etc/selinux/strict/src/policy/macros/program/clamav_macros.te,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 clamav_macros.te --- macros/program/clamav_macros.te 6 Apr 2005 22:33:28 -0000 1.1.1.1 +++ macros/program/clamav_macros.te 6 Apr 2005 23:44:18 -0000 @@ -12,6 +12,7 @@ define(`can_clamd_connect',` allow $1_t clamd_var_run_t:dir search; allow $1_t clamd_var_run_t:sock_file write; +allow $1_t clamd_sock_t:sock_file write; can_unix_connect($1_t, clamd_t) ')
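Review bot: In the clamav.te hunk at @@ -29,6 +29,7 @@, the added `allow freshclam_t http_port_t:tcp_socket name_connect;` has no comment explaining why it is needed directly below `can_network_client_tcp(freshclam_t, http_port_t);`, which already receives the same port type. Add a one-line comment giving the reason, or, if the macro is meant to cover connecting to the port type passed to it, grant name_connect there so each caller does not need a hand-written rule.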
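Review bot: In the clamav.te hunk at @@ -64,6 +65,9 @@, the comment reads "Pid files for freshclam" but the rule grants initrc_t `{ create setattr }` on clamd_var_run_t, the clamd run-directory type, so the comment and the type disagree on whose files these are. If the freshclam pid file is meant to live under the clamd run directory, say so in the comment. Also check that initrc_t already has write and add_name on clamd_var_run_t:dir, which file creation requires and which this hunk does not add.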
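Review bot: In the clamav_macros.te hunk, can_clamd_connect now grants sock_file write on two types, clamd_var_run_t and the new clamd_sock_t, and clamd_sock_t is not declared anywhere in this patch. Confirm the type is declared in the policy this applies against, and if the clamd socket is always labelled clamd_sock_t, drop the `allow $1_t clamd_var_run_t:sock_file write;` line so callers of the macro get write on a single socket type only.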
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list