On Thu, Mar 06, 2008 at 10:23:53AM -0500, Stephen Smalley wrote:
>
> > # cat myclamd.te
> > policy_module(myclamd, 1.2)
> > require {
> >     type clamscan_t;
> >     type clamd_t;
> >     class tcp_socket { write create connect };
> >     type var_run_t;
> >     type user_home_t;
> >     class sock_file write;
> >     class file append;
> >
> > }
> >
> > #============= clamd_t ==============
> > corenet_tcp_bind_generic_port(clamd_t)
> >
> > #============= clamscan_t ==============
> > allow clamscan_t self:tcp_socket { write create connect };
> > allow clamscan_t user_home_t:file append;
>
> What file in your home directory is clamscan appending to?
> Maybe we can put it into a distinct type and protect the rest of your
> files?
>

Not sure... clamd is used by clamassassin which is called by procmail.
Procmail has local configurations set in various "rc" files in
~/Procmail/ in my home directory. But only procmail would require (read)
access to those. Then procmail writes to its log which is
~/Procmail/pmlog (also rotated by logrotate).

I'll try commenting out that line and see what happens...

Thanks
Mark
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
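One way to answer the question raised in the message above (which file under user_home_t clamscan is appending to) is to read the file name and inode out of the AVC denials before deciding on an allow rule. This is an added example, not part of the original thread; the log lines, including the file name shown in them, are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1204816000.101:201): avc:  denied  { append } for  pid=2301 comm="clamscan" name="pmlog" dev=dm-0 ino=98311 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204816000.207:202): avc:  denied  { create } for  pid=2301 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1204816050.412:215): avc:  denied  { append } for  pid=2344 comm="clamscan" name="pmlog" dev=dm-0 ino=98311 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204816099.008:230): avc:  denied  { read } for  pid=2400 comm="procmail" name="rc.spam" dev=dm-0 ino=98320 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def appended_files(log_text, source="clamscan_t", target="user_home_t"):
    """Count (name, inode, device) of files that `source` was denied append on."""
    hits = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if not avc or "append" not in avc["perms"] or avc.get("tclass") != "file":
            continue
        if (type_of(avc.get("scontext", "")) == source
                and type_of(avc.get("tcontext", "")) == target):
            name = avc.get("path") or avc.get("name", "?")
            hits[(name, avc.get("ino", "?"), avc.get("dev", "?"))] += 1
    return hits


if __name__ == "__main__":
    for (name, ino, dev), n in appended_files(SAMPLE_LOG).items():
        print(f"{n} denial(s): name={name} ino={ino} dev={dev}")
```

If every denial points at a single file, that file is the candidate for its own type, so the append rule can name that type instead of all of user_home_t.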