On Friday 15 April 2005 07:35, David Hampton <hampton-rh@xxxxxxxxxxxxxxxxxxx>
wrote:
> The attached patch updates the (unused) amavisd policy to work with the
> changes in the FC strict/1.23.10-2 policy. It also fixes the access
> needed by tmpreaper to delete files from the caught spam/virus
> directory.
+allow initrc_t amavisd_etc_t:file read;
Generally it's a bad idea to grant read access without getattr.
@@ -120,6 +122,6 @@
# Tmp reaper
ifdef(`tmpreaper.te', `
-allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr
unlink
};
-allow tmpreaper_t amavisd_quarantine_t:file getattr;
+allow tmpreaper_t amavisd_quarantine_t:dir create_dir_perms;
+allow tmpreaper_t amavisd_quarantine_t:file link_file_perms;
')
tmpreaper_t shouldn't be creating directories. For the file access { getattr
unlink } should be sufficient.
The following should do:
allow tmpreaper_t amavisd_quarantine_t:dir { rw_dir_perms unlink };
allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
