Arthur Dent wrote:
> Hello All,
>
> I have been using SELinux in enforcing mode on my F8 box for some time
> now. I had to go through a bit of pain to get clamassassin working with
> clamd to scan my emails but it worked OK.
>
> This weekend I upgraded to F9 and have now had about a gazillion AVC
> denials related to clamd.
>
> I have therefore been forced to use audit2allow to add to the already
> pretty cumbersome local policy I had with F8.
>
> I list the policy below. All of the entries are as a result of some
> denial and subsequent audit2allow policy generation.
>
> My question is basically - can one of you gurus tell me if all this
> stuff is still necessary? Is there a policy in the works that might
> avoid all this?
>
> Thanks in advance
>
> AD
>
>
> ##########################################
> # cat myclamd.te
> policy_module(myclamd, 1.1.11)
> require {
>         type clamscan_t;
>         type clamd_t;
>         class tcp_socket { write create connect };
>         type var_run_t;
>         type user_home_t;
>         class sock_file { write unlink create };
>         class file append;
>         type unlabeled_t;
>         class association recvfrom;
> }
>
> #============= clamd_t ==============
> allow clamd_t var_run_t:sock_file { unlink create };

Looks like a labeling problem.

> corenet_tcp_bind_generic_port(clamd_t)

What port did it bind to?

> userdom_read_generic_user_home_content_files(clamd_t)
>
> #============= clamscan_t ==============
> allow clamscan_t self:tcp_socket { write create connect };
> allow clamscan_t user_home_t:file append;

Labeling?

> allow clamscan_t var_run_t:sock_file write;
> corenet_tcp_connect_generic_port(clamscan_t)
> corenet_sendrecv_unlabeled_packets(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
> userdom_read_generic_user_home_content_files(clamscan_t)
> allow clamscan_t unlabeled_t:association recvfrom;
> ##########################################
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Please attach the AVCs used to create this policy?
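The reply's point is that rules against generic types such as var_run_t or user_home_t usually come from mislabeled files, not from a missing policy rule. The script below is an added example, not code from either poster: it triages constructed AVC lines (modelled on the rules in the post, not a real audit.log) into "relabel first", "network labeling" and "policy" buckets before anything is handed to audit2allow; the set of generic types is an assumption.

```sh
#!/bin/sh
# Added example: sort AVC denials by what they most likely mean before running
# audit2allow. A generic target type (var_run_t, user_home_t, ...) usually
# means the object is mislabeled and restorecon is the fix, not a new rule.

# Generic fallback types treated as "probably mislabeled" (assumption).
GENERIC_TYPES='var_run_t user_home_t tmp_t var_t var_lib_t'

# Constructed sample denials, not taken from any real system.
SAMPLE_AVCS='type=AVC msg=audit(1212345678.123:45): avc:  denied  { create } for  pid=2345 comm="clamd" name="clamd.sock" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1212345678.124:46): avc:  denied  { append } for  pid=2346 comm="clamscan" path="/home/ad/clamscan.log" scontext=unconfined_u:unconfined_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1212345678.125:47): avc:  denied  { recvfrom } for  pid=2346 comm="clamscan" saddr=127.0.0.1 scontext=unconfined_u:unconfined_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1212345678.126:48): avc:  denied  { read } for  pid=2346 comm="clamscan" name="mqueue" scontext=unconfined_u:unconfined_r:clamscan_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir'

# classify_avc: reads AVC lines on stdin, prints per denial:
#   VERDICT source_type tclass target_type object
# RELABEL = generic target type, NETWORK = association class (file labeling
# does not apply), POLICY = a real allow rule or interface may be needed.
classify_avc() {
    awk -v generic="$GENERIC_TYPES" '
    BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) isgen[g[i]] = 1 }
    /avc: *denied/ {
        st = ""; tt = ""; tc = ""; obj = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)         { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/)    { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)      { tc = substr($i, 8) }
            else if ($i ~ /^(path|name)=/) { obj = $i }
        }
        if (st == "" || tt == "") next
        if (tc == "association")  verdict = "NETWORK"
        else if (tt in isgen)     verdict = "RELABEL"
        else                      verdict = "POLICY"
        print verdict, st, tc, tt, obj
    }'
}

# count_verdict VERDICT: number of sample denials that received that verdict.
count_verdict() {
    printf '%s\n' "$SAMPLE_AVCS" | classify_avc | grep -c "^$1 "
}

# Report; check the RELABEL objects with matchpathcon/restorecon before
# generating policy for them.
printf '%s\n' "$SAMPLE_AVCS" | classify_avc
```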