Arthur Dent wrote:
> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
>
>> But do you have the original avc messages used to generate the policy.
>> I want to see if we are missing transitions? What port is it
>> communicating with etc.
>
> Apologies for the slow response. RL gets in the way sometimes...
>
> To recap:
>
> My mail chain is as follows:
>
> fetchmail -> procmail
>                 |
>                 -> clamassassin -> spamassassin -> dovecot -> MUA
>                         |
>                         -> clamdscan
>                                 |
>                                 -> clamd
>
> I had made several home-made policies to allow clamd to work under F8.
> Following an upgrade to F9 I get a whole load more avc denials and have
> had to add a bunch of policies to get it to work.
>
> With SEL in enforcing mode (I know I should have set it to permissive
> until I had sorted this out but I thought each problem would be the
> last..) the recent denials fell into 3 types:
>
> sending denials
> receiving denial
> write to pipe denials
>
> I got several hundred sending denials until I wrote a policy with
> audit2allow then I got several hundred receiving denials until I fixed
> that and finally a ton of write-to pipe. If you look at the collection
> of raw audit messages (just a sample) that I posted here
>
> http://pastebin.com/m7b60d46a
>
> you will see that almost every part of the mail chain seems to be
> affected.
>
> Finding the original avc messages from my F8 install would be hard work,
> but I have included 3 (one of each type) from the F9 upgrade. You can
> see them here:
>
> http://pastebin.com/m1fc5a466
>
> If you want others (as referred to in the raw avcs) just let me know.
>
> So, clamd settings can be seen here (entire clamd.conf file) :
> http://pastebin.com/m72927397
> A selection of raw avc messages can be seen here:
> http://pastebin.com/m7b60d46a
> And 3 of the entire avc messages here:
> http://pastebin.com/m1fc5a466
>
> I really do thank you for your help...
>
> AD
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Adding the following policy to clamscan

mta_send_mail(clamscan_t)
corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_all_if(clamscan_t)
corenet_tcp_sendrecv_all_nodes(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)

Should fix.

Updated in selinux-policy-3.3.1-85.fc9
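
Added example, not part of the original thread or of the selinux-policy project: a small triage script that groups AVC denials by source type, target type, class and permission and lists the destination ports involved, which is the information asked for above before any audit2allow output is loaded. The log lines are constructed samples; the pids, inode numbers and the unlabeled_t and procmail_t target types are assumptions, not the poster's real records.

```python
import re
from collections import Counter

# Constructed sample AVC records (NOT the poster's logs). Types, pids and
# ports are assumptions that mirror the three denial kinds named in the
# thread: send, recv and write-to-pipe. 3310 is clamd's default TCP port.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1217500001.101:201): avc:  denied  { send } for  pid=2301 comm="clamdscan" saddr=127.0.0.1 src=40112 daddr=127.0.0.1 dest=3310 netif=lo scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1217500002.417:202): avc:  denied  { send } for  pid=2307 comm="clamdscan" saddr=127.0.0.1 src=40115 daddr=127.0.0.1 dest=3310 netif=lo scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1217500003.020:203): avc:  denied  { recv } for  pid=2307 comm="clamdscan" saddr=127.0.0.1 src=3310 daddr=127.0.0.1 dest=40115 netif=lo scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1217500004.550:204): avc:  denied  { write } for  pid=2310 comm="clamassassin" path="pipe:[48213]" dev=pipefs ino=48213 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": kv.get("comm"),
        "dest": kv.get("dest"),
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts

def dest_ports(log_text, perm):
    """Sorted destination ports seen in denials that include `perm`."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return sorted({r["dest"] for r in recs if perm in r["perms"] and r["dest"]})

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:4d}  {src} -> {tgt}:{cls} {{ {perm} }}")
    print("send dest ports:", dest_ports(SAMPLE_AUDIT_LOG, "send"))
```

Pointing the same functions at the text of /var/log/audit/audit.log shows at a glance which domain is being denied and toward which port, so a local rule can be scoped to that port rather than to all ports.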