Arthur Dent wrote:
> On Tue, Aug 12, 2008 at 03:31:59PM -0400, Daniel J Walsh wrote:
>> Arthur Dent wrote:
>>> On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
>>>> Arthur Dent wrote:
>>>>> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
>>>
>>>> Adding the following policy to clamscan
>>>>
>>>> mta_send_mail(clamscan_t)
>>>> corenet_all_recvfrom_unlabeled(clamscan_t)
>>>> corenet_all_recvfrom_netlabel(clamscan_t)
>>>> corenet_tcp_sendrecv_all_if(clamscan_t)
>>>> corenet_tcp_sendrecv_all_nodes(clamscan_t)
>>>> corenet_tcp_sendrecv_all_ports(clamscan_t)
>>>> corenet_tcp_sendrecv_clamd_port(clamscan_t)
>>>> corenet_tcp_connect_clamd_port(clamscan_t)
>>>>
>>>> Should fix.
>>>>
>>>> Updated in selinux-policy-3.3.1-85.fc9
>>> Hi Daniel,
>>>
>>> Thank you very much for taking the time to help me on this.
>>>
>>> This is the first chance I've had to test your policy. With setenforce
>>> set to 0 and just the above lines in my clamd policy I got 11 (eleven)
>>> AVC denials for the first inbound email.
>>>
>>> I have put all 11 AVCs (full) here:
>>>
>>> http://pastebin.com/m3126be9d
>>>
>>> Running audit2allow on those says I should also have the following
>>> policies:
>>>
>>> require {
>>>     type clamscan_t;
>>>     type procmail_log_t;
>>>     type clamd_t;
>>>     class tcp_socket { write create connect };
>>>     class file append;
>>> }
>>>
>>> #============= clamd_t ==============
>>> corenet_tcp_bind_generic_port(clamd_t)
>>>
>> What port is it binding to?
>>
>>> #============= clamscan_t ==============
>>> allow clamscan_t procmail_log_t:file append;
>> Sounds ok
>>
>>> allow clamscan_t self:tcp_socket { write create connect };
>> allow clamscan_t self:tcp_socket create_stream_socket_perms;
>>
>>> corenet_tcp_connect_generic_port(clamscan_t)
>> What port is it connecting to?
>>
>>> mta_read_queue(clamscan_t)
>>> procmail_rw_tmp_files(clamscan_t)
>> Ok
>>
>>> What do you think?
>
> Daniel, thanks for your input. Much appreciated.
>
> I'm not sure I understand the inner workings of clamd, nor do I really
> know the difference between binding to a port and connecting to a port.
> I therefore list the only entries I can see in clamd.conf that relate
> vaguely to "ports":
>
> #
> # TCP port address.
> # Default: no
> TCPSocket 3310
> #
> # TCP address.
> # By default we bind to INADDR_ANY, probably not wise.
> # Enable the following to provide some degree of protection
> # from the outside world.
> # Default: no
> TCPAddr 127.0.0.1
> #
>
> and
>
> #
> # Limit port range.
> # Default: 1024
> StreamMinPort 30000
> # Default: 2048
> StreamMaxPort 32000
> #
>
> If you think I should change these clamd settings or modify my clamd
> selinux policy please let me know.
>
> Thanks again...
>
> AD
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

After a little more investigation, I will allow clamd to bind and connect to
unreserved_ports which should fix the problem.
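Daniel's two questions in the quoted exchange ("What port is it binding to?", "What port is it connecting to?") are answered by the src= or dest= field and the tcontext of each AVC record, which audit2allow does not show. The script below is an added example, not code from the thread or from the Fedora policy: it pulls those fields out of constructed auditd lines, matches the port against the clamd.conf directives Arthur quoted (TCPSocket, StreamMinPort/StreamMaxPort), and derives the corenet interface name by the convention visible in the thread (an assumption to check against the installed policy: port_t maps to "generic", other types drop their _port_t suffix).

```python
import re
# Constructed sample: the port-related clamd.conf settings quoted in the thread.
CLAMD_CONF = """\
TCPSocket 3310
TCPAddr 127.0.0.1
StreamMinPort 30000
StreamMaxPort 32000
"""

# Constructed sample AVC records in auditd's format. Pids, timestamps and the
# stream port are made up; the domains and port types are the thread's.
AVC_LINES = [
    'type=AVC msg=audit(1218565123.456:101): avc: denied { name_bind } for pid=2201 '
    'comm="clamd" src=30417 scontext=system_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1218565123.789:102): avc: denied { name_connect } for pid=2230 '
    'comm="clamscan" dest=3310 scontext=system_u:system_r:clamscan_t:s0 '
    'tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket',
]

# name_bind denials carry the local port in src=, name_connect the peer port in dest=.
AVC_RE = re.compile(
    r'denied \{ (?P<perm>\w+) \}.*?(?:src|dest)=(?P<port>\d+)'
    r'.*?scontext=\w+:\w+:(?P<sdom>\w+):.*?tcontext=\w+:\w+:(?P<ptype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)')

def parse_clamd_ports(conf):
    """Map each port-bearing clamd.conf directive to the (low, high) range it covers."""
    kv = dict(re.findall(r'^(TCPSocket|StreamMinPort|StreamMaxPort)\s+(\d+)', conf, re.M))
    ports = {}
    if 'TCPSocket' in kv:
        ports['TCPSocket'] = (int(kv['TCPSocket']),) * 2
    if 'StreamMinPort' in kv and 'StreamMaxPort' in kv:
        ports['StreamMinPort..StreamMaxPort'] = (int(kv['StreamMinPort']), int(kv['StreamMaxPort']))
    return ports

def explain_denial(avc_line, conf=CLAMD_CONF):
    """Which port a tcp_socket denial is about, which clamd.conf directive hands it
    out, and the corenet interface that audit2allow's suggestion corresponds to."""
    m = AVC_RE.search(avc_line)
    perm = {'name_bind': 'bind', 'name_connect': 'connect'}.get(m['perm']) if m else None
    if perm is None or m['tclass'] != 'tcp_socket':
        return None  # not a port denial (e.g. the procmail_log_t file append)
    port = int(m['port'])
    directive = next((d for d, (lo, hi) in parse_clamd_ports(conf).items() if lo <= port <= hi), None)
    # Assumed naming convention: port_t is the unlabeled "generic" port; any other
    # type contributes its name minus the _port_t suffix (clamd_port_t -> clamd).
    name = 'generic' if m['ptype'] == 'port_t' else re.sub(r'_port_t$', '', m['ptype'])
    return {'domain': m['sdom'], 'action': perm, 'port': port, 'port_type': m['ptype'],
            'clamd_conf': directive, 'interface': f'corenet_tcp_{perm}_{name}_port({m["sdom"]})'}
```

Run it over the real records with `ausearch -m avc -c clamd` (and `-c clamscan`) as input; a bind denial landing in the StreamMinPort..StreamMaxPort range is the one the unreserved_ports decision at the end of the message addresses.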