Arthur Dent wrote:
> On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
>> Arthur Dent wrote:
>>> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
>
>> Adding the following policy to clamscan
>>
>> mta_send_mail(clamscan_t)
>> corenet_all_recvfrom_unlabeled(clamscan_t)
>> corenet_all_recvfrom_netlabel(clamscan_t)
>> corenet_tcp_sendrecv_all_if(clamscan_t)
>> corenet_tcp_sendrecv_all_nodes(clamscan_t)
>> corenet_tcp_sendrecv_all_ports(clamscan_t)
>> corenet_tcp_sendrecv_clamd_port(clamscan_t)
>> corenet_tcp_connect_clamd_port(clamscan_t)
>>
>> Should fix.
>>
>> Updated in selinux-policy-3.3.1-85.fc9
>
> Hi Daniel,
>
> Thank you very much for taking the time to help me on this.
>
> This is the first chance I've had to test your policy. With setenforce
> set to 0 and just the above lines in my clamd policy I got 11 (eleven)
> AVC denials for the first inbound email.
>
> I have put all 11 AVCs (full) here:
>
> http://pastebin.com/m3126be9d
>
> Running audit2allow on those says I should also have the following
> policies:
>
> require {
>     type clamscan_t;
>     type procmail_log_t;
>     type clamd_t;
>     class tcp_socket { write create connect };
>     class file append;
> }
>
> #============= clamd_t ==============
> corenet_tcp_bind_generic_port(clamd_t)
>
> #============= clamscan_t ==============
> allow clamscan_t procmail_log_t:file append;
> allow clamscan_t self:tcp_socket { write create connect };
> corenet_tcp_connect_generic_port(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
>
> What do you think?
>
> Thanks again...
>
> AD
>
> p.s.
>
> On Fri Aug 08 yum updated my system with selinux-policy-3.3.1-82.fc9.noarch.
> You say that much of the above is in 3.3.1-85. Typically how long is the
> gap between you releasing the policy and it getting into the repos for
> we mortals?
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Usually I release about once per week. 85 should be in testing tonight.
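The quoted audit2allow output above is what you get when raw AVC denials are grouped by source type, target type and object class. As an added example (not code from the thread, the Fedora policy, or the audit2allow tool itself), this Python script does that grouping over constructed AVC records shaped to reproduce the two allow rules quoted for clamscan_t; it does not attempt the interface substitution that the quoted corenet_*/mta_*/procmail_* lines come from.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not the eleven from the thread's pastebin);
# they are shaped so the result matches the rules quoted in the thread.
SAMPLE_AVCS = """\
type=AVC msg=audit(1218460000.101:201): avc:  denied  { append } for  pid=4321 comm="clamscan" path="/var/log/procmail.log" dev=sda3 ino=131074 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_log_t:s0 tclass=file
type=AVC msg=audit(1218460000.102:202): avc:  denied  { create } for  pid=4321 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218460000.103:203): avc:  denied  { write connect } for  pid=4321 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218460000.104:204): avc:  denied  { write } for  pid=4321 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1218460000.104:204): arch=40000003 syscall=4 success=yes exit=12
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def collect_denials(log_text):
    # Map (source type, target type, object class) -> set of denied permissions.
    # A context is user:role:type[:level]; policy rules name only the type.
    # Records without an AVC denial (SYSCALL and friends) are skipped.
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["src"].split(":")[2], m["tgt"].split(":")[2], m["cls"])
            perms_by_key[key].update(m["perms"].split())
    return perms_by_key

def fmt_perms(perms):
    # A single permission is written bare, several go in braces, sorted for stable output
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"

def require_block(perms_by_key):
    # Declare every type and class the rules reference, as a loadable module must
    types = sorted({t for (s, g, _) in perms_by_key for t in (s, g)})
    classes = defaultdict(set)
    for (_, _, cls), perms in perms_by_key.items():
        classes[cls].update(perms)
    body = [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    return ["require {"] + body + ["}"]

def allow_rules(perms_by_key):
    # Same-type source and target collapses to 'self', as in the thread's tcp_socket rule
    return [f"allow {src} {'self' if tgt == src else tgt}:{cls} {fmt_perms(perms)};"
            for (src, tgt, cls), perms in sorted(perms_by_key.items())]
```

Permissions are rendered sorted, so the braces read `{ connect create write }` rather than the thread's `{ write create connect }`; the grouped output is the complete list of what the process hit in permissive mode, which is the list to review against what clamscan genuinely needs before any of it is loaded.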