Re: Clamd getting out of hand...

Arthur Dent <selinux.list@xxxxxxxxxxxxxxxxxxx> · Wed, 30 Jul 2008 18:41:10 +0100

On Wed, Jul 30, 2008 at 06:29:23PM +0100, Arthur Dent wrote:
> 
> My current policy (now up to version 14!) looks like this (below),

Ooopps. Forgot to include that...

Here it is:
##########################################
# cat myclamd.te
policy_module(myclamd, 1.1.14)
require {
        type clamscan_t;
        type clamd_t;
        class tcp_socket { write create connect };
	type var_run_t;
        type user_home_t;
        class sock_file { write unlink create };
        class file append;
	type unlabeled_t;
        class association recvfrom;
	type procmail_log_t;

}

#============= clamd_t ==============
allow clamd_t var_run_t:sock_file { unlink create };
corenet_tcp_bind_generic_port(clamd_t)
#corenet_tcp_bind_mail_port(clamd_t)
#corenet_tcp_bind_msnp_port(clamd_t)
#corenet_tcp_bind_asterisk_port(clamd_t)
userdom_read_generic_user_home_content_files(clamd_t)

#============= clamscan_t ==============
allow clamscan_t self:tcp_socket { write create connect };
allow clamscan_t user_home_t:file append;
allow clamscan_t var_run_t:sock_file write;
corenet_tcp_connect_generic_port(clamscan_t)
corenet_sendrecv_unlabeled_packets(clamscan_t)
mta_read_queue(clamscan_t)
procmail_rw_tmp_files(clamscan_t)
userdom_read_generic_user_home_content_files(clamscan_t)
allow clamscan_t unlabeled_t:association recvfrom;
sendmail_rw_pipes(clamscan_t)
allow clamscan_t procmail_log_t:file append;
##########################################

Thanks again!

AD
Attachment:
pgpsbMzY5C3jv.pgp

Description: PGP signature
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list