On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
> Arthur Dent wrote:
> > On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
>
> Adding the following policy to clamscan
>
> mta_send_mail(clamscan_t)
> corenet_all_recvfrom_unlabeled(clamscan_t)
> corenet_all_recvfrom_netlabel(clamscan_t)
> corenet_tcp_sendrecv_all_if(clamscan_t)
> corenet_tcp_sendrecv_all_nodes(clamscan_t)
> corenet_tcp_sendrecv_all_ports(clamscan_t)
> corenet_tcp_sendrecv_clamd_port(clamscan_t)
> corenet_tcp_connect_clamd_port(clamscan_t)
>
> Should fix.
>
> Updated in selinux-policy-3.3.1-85.fc9

Hi Daniel,

Thank you very much for taking the time to help me on this. This is the first chance I've had to test your policy.

With setenforce set to 0 and just the above lines in my clamd policy I got 11 (eleven) AVC denials for the first inbound email.

I have put all 11 AVCs (full) here: http://pastebin.com/m3126be9d

Running audit2allow on those says I should also have the following policies:

require {
	type clamscan_t;
	type procmail_log_t;
	type clamd_t;
	class tcp_socket { write create connect };
	class file append;
}

require {
	type clamscan_t;
	type procmail_log_t;
	type clamd_t;
	class tcp_socket { write create connect };
	class file append;
}

#============= clamd_t ==============
corenet_tcp_bind_generic_port(clamd_t)

#============= clamscan_t ==============
allow clamscan_t procmail_log_t:file append;
allow clamscan_t self:tcp_socket { write create connect };
corenet_tcp_connect_generic_port(clamscan_t)
mta_read_queue(clamscan_t)
procmail_rw_tmp_files(clamscan_t)

What do you think?

Thanks again...

AD

p.s. On Fri Aug 08 yum updated my system with selinux-policy-3.3.1-82.fc9.noarch. You say that much of the above is in 3.3.1-85. Typically how long is the gap between you releasing the policy and it getting into the repos for we mortals?
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
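
An added example, not part of the original message and not audit2allow's own code: a short Python sketch of how AVC denial records reduce to the raw allow rules quoted in the message, so each suggested rule can be traced back to the denials behind it before it goes into a local policy. The AVC lines are constructed for illustration (they are not the pastebin contents), the function names are hypothetical, and the interface-macro matching that audit2allow can also do is not reproduced.

```python
import re
from collections import defaultdict

# Constructed AVC records (not the poster's pastebin data); the types and
# permissions mirror the two raw allow rules quoted in the message.
SAMPLE_AVCS = """\
type=AVC msg=audit(1218200000.101:41): avc:  denied  { append } for  pid=2101 comm="clamdscan" name="log" dev=dm-0 ino=1234 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_log_t:s0 tclass=file
type=AVC msg=audit(1218200000.102:42): avc:  denied  { create } for  pid=2101 comm="clamdscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218200000.103:43): avc:  denied  { connect } for  pid=2101 comm="clamdscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218200000.104:44): avc:  denied  { write } for  pid=2101 comm="clamdscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def avcs_to_rules(text):
    """Group denials by (source type, target type, class) and emit allow rules."""
    perms_by_key = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = context_type(m["s"]), context_type(m["t"])
        if src == tgt:
            tgt = "self"  # a domain acting on its own objects, e.g. its sockets
        perms_by_key[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(avcs_to_rules(SAMPLE_AVCS)))
```

Because the denials were collected with setenforce 0, every access the process attempted is logged, so the resulting rules describe what it tried to do, which is worth reading rule by rule before allowing it.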