On Tue, Aug 12, 2008 at 03:31:59PM -0400, Daniel J Walsh wrote:
> Arthur Dent wrote:
> > On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
> >> Arthur Dent wrote:
> >>> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
> >
> >
> >> Adding the following policy to clamscan
> >>
> >> mta_send_mail(clamscan_t)
> >> corenet_all_recvfrom_unlabeled(clamscan_t)
> >> corenet_all_recvfrom_netlabel(clamscan_t)
> >> corenet_tcp_sendrecv_all_if(clamscan_t)
> >> corenet_tcp_sendrecv_all_nodes(clamscan_t)
> >> corenet_tcp_sendrecv_all_ports(clamscan_t)
> >> corenet_tcp_sendrecv_clamd_port(clamscan_t)
> >> corenet_tcp_connect_clamd_port(clamscan_t)
> >>
> >> Should fix.
> >>
> >> Updated in selinux-policy-3.3.1-85.fc9
> >
> > Hi Daniel,
> >
> > Thank you very much for taking the time to help me on this.
> >
> > This is the first chance I've had to test your policy. With setenforce
> > set to 0 and just the above lines in my clamd policy I got 11 (eleven)
> > AVC denials for the first inbound email.
> >
> > I have put all 11 AVCs (full) here:
> >
> > http://pastebin.com/m3126be9d
> >
> >
> > Running audit2allow on those says I should also have the following
> > policies:
> >
> > require {
> >         type clamscan_t;
> >         type procmail_log_t;
> >         type clamd_t;
> >         class tcp_socket { write create connect };
> >         class file append;
> > }
> >
> > #============= clamd_t ==============
> > corenet_tcp_bind_generic_port(clamd_t)
>
> What port is it binding to?
>
> > #============= clamscan_t ==============
> > allow clamscan_t procmail_log_t:file append;
> Sounds ok
>
> > allow clamscan_t self:tcp_socket { write create connect };
> allow clamscan_t self:tcp_socket create_stream_socket_perms;
>
> > corenet_tcp_connect_generic_port(clamscan_t)
> What port is it connecting to?
> > mta_read_queue(clamscan_t)
> > procmail_rw_tmp_files(clamscan_t)
> Ok
> >
> > What do you think?

Daniel, thanks for your input. Much appreciated.

I'm not sure I understand the inner workings of clamd, nor do I really know
the difference between binding to a port and connecting to a port. I
therefore list the only entries I can see in clamd.conf that relate vaguely
to "ports":

#
# TCP port address.
# Default: no
TCPSocket 3310
#
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1
#

and

#
# Limit port range.
# Default: 1024
StreamMinPort 30000
# Default: 2048
StreamMaxPort 32000
#

If you think I should change these clamd settings or modify my clamd
selinux policy please let me know.

Thanks again...

AD
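Daniel's two questions ("what port is it binding to / connecting to?") are answered by the port field in the raw AVC records rather than by the audit2allow summary. The script below is an added example, not code from the thread or from the selinux-policy project: it pulls the port out of each name_bind/name_connect denial and matches it against the TCPSocket and StreamMinPort/StreamMaxPort values quoted above. The AVC lines and their port numbers are constructed samples, not the eleven records in the pastebin.

```python
import re

# Constructed clamd.conf excerpt using the values quoted in the message above.
CLAMD_CONF = "TCPSocket 3310\nTCPAddr 127.0.0.1\nStreamMinPort 30000\nStreamMaxPort 32000\n"
# Constructed AVC records (not the eleven in the pastebin); the port numbers are invented.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1218563519.123:701): avc:  denied  { name_bind } for  pid=2211 comm="clamd" '
    'src=30412 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1218563519.456:702): avc:  denied  { name_connect } for  pid=2215 comm="clamscan" '
    'dest=30412 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1218563519.789:703): avc:  denied  { append } for  pid=2215 comm="clamscan" '
    'name="procmail.log" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_log_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
                    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)')
PORT_RE = re.compile(r'\b(?:src|dest)=(?P<port>\d+)')  # name_bind logs src=, name_connect logs dest=

def parse_clamd_conf(text):
    """Pick the port-related keys out of clamd.conf; comments and other keys are ignored."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ('TCPSocket', 'StreamMinPort', 'StreamMaxPort'):
            conf[parts[0]] = int(parts[1])
    return conf

def parse_avc(line):
    """Return source domain, target type, permissions and (if logged) the port, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    p = PORT_RE.search(line)
    return {'domain': m.group('scon').split(':')[2], 'target': m.group('tcon').split(':')[2],
            'perms': m.group('perms').split(), 'port': int(p.group('port')) if p else None}

def explain_port(port, conf):
    """Name the clamd.conf setting a denied port falls under, answering 'what port is it?'."""
    if port == conf.get('TCPSocket'):
        return 'TCPSocket'
    if conf.get('StreamMinPort', 0) <= port <= conf.get('StreamMaxPort', -1):
        return 'StreamMinPort-StreamMaxPort range'
    return 'not in clamd.conf'

def port_denials(avc_lines, conf):
    """(domain, permission, port, explanation) for each name_bind/name_connect denial."""
    recs = [r for r in map(parse_avc, avc_lines) if r and r['port'] is not None]
    return [(r['domain'], 'name_bind' if 'name_bind' in r['perms'] else 'name_connect',
             r['port'], explain_port(r['port'], conf)) for r in recs]
```

On a real box the input would be the output of `ausearch -m avc` instead of SAMPLE_AVCS; a port that lands in the StreamMinPort/StreamMaxPort range rather than on TCPSocket is the case where a generic_port interface, not the clamd_port one, is being asked for.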
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list