Edward Kuns wrote:
> On Fri, 2008-02-29 at 09:16 -0500, Daniel J Walsh wrote:
>> Always add a user specify front end to your policy.
>
> D'oh!  That fixed it.  Thanks.
>
>
>> This policy seems reasonable but most likely clamav-milter is going to
>> /usr/bin to execute something.  So you might end up needing either
>>
>> corecmd_exec_bin(clamd_t)
>>
>> Or some transition to another domain.
>>
>> If you have an idea what app it is looking for, we can correct the policy.
>
> How can I find out what it's looking for?  As a test, I just added the
> policy:
>
> module myclamav 1.0;
>
> require {
>         type bin_t;
>         type clamd_t;
>         class dir search;
> }
>
> #============= clamd_t ==============
> allow clamd_t bin_t:dir search;
>
> so if I understand this, you expect that I should later today get an AVC
> that clamav is trying to execute something that is bin_t?  Assuming
> that's the case, I'll see what is there when I get home from work later
> and I'll post that.  But if there's something else I can do to find out,
> let me know.
>
> Thanks
>
> Eddie
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Nope, that is the best you can do.  You could put your machine in
permissive mode to get all of the AVCs but that could be dangerous.  We
hope to have permissive domains eventually, where we could allow clamd_t
only to do its thing, but we don't have it yet.

Thanks for your help diagnosing this.
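
An added example, not part of the original thread: once the `dir search` rule is loaded, the next AVC denials name what clamd_t is reaching for in bin_t. This sketch parses AVC records and tallies denials for one source type; the log lines, the `example-helper` file name and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the audit.log AVC format (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1204300001.101:51): avc:  denied  { search } for  pid=2101 comm="clamav-milter" name="bin" dev=dm-0 ino=65 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1204300002.202:52): avc:  denied  { execute } for  pid=2101 comm="clamav-milter" name="example-helper" dev=dm-0 ino=7001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1204300003.303:53): avc:  denied  { execute } for  pid=2102 comm="clamav-milter" name="example-helper" dev=dm-0 ino=7001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1204300004.404:54): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev=dm-0 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1204300004.404:54): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # SELinux contexts are user:role:type[:level]; the type is the third field.
    for side in ("scontext", "tcontext"):
        rec[side + "_type"] = rec.get(side, "::").split(":")[2]
    return rec

def denials_for(log_text, source_type, target_type=None):
    """Count (tclass, perm, name, comm) tuples denied to source_type."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["scontext_type"] != source_type:
            continue
        if target_type and rec["tcontext_type"] != target_type:
            continue
        for perm in rec["perms"]:
            hits[(rec.get("tclass"), perm, rec.get("name"), rec.get("comm"))] += 1
    return hits

if __name__ == "__main__":
    for (tclass, perm, name, comm), n in denials_for(SAMPLE_LOG, "clamd_t", "bin_t").most_common():
        print(f"{n}x {comm}: {perm} on {tclass} name={name}")
```

The `name=` field of an `execute` denial on `tclass=file` is the file in a bin_t directory that the confined domain tried to run, which is the detail needed to decide between `corecmd_exec_bin(clamd_t)` and a transition to another domain.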