On Mon, 2009-08-03 at 10:13 +0200, Daniel Fazekas wrote:
> On Aug 3, 2009, at 02:20, Scott Radvan wrote:
>
> > spamassassin_can_network seems to be a good Boolean to explain, show
> > the denial and then show the work-around for.
> > This Boolean is off by default, which as far as I can tell would
> > stop spamassassin from launching as a daemon listening on the
> > machine's actual IP/interface.
>
> I thought spamassassin_can_network was for allowing SpamAssassin to
> access various online services, such as Razor2 or Pyzor, for more
> accurate spam detection.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Basically it allows spamassassin_t to connect to any tcp port and sendrecv udp.

# set tunable if you have spamassassin do DNS lookups
tunable_policy(`spamassassin_can_network',`
    allow spamassassin_t self:tcp_socket create_stream_socket_perms;
    allow spamassassin_t self:udp_socket create_socket_perms;
    corenet_all_recvfrom_unlabeled(spamassassin_t)
    corenet_all_recvfrom_netlabel(spamassassin_t)
    corenet_tcp_sendrecv_generic_if(spamassassin_t)
    corenet_udp_sendrecv_generic_if(spamassassin_t)
    corenet_tcp_sendrecv_generic_node(spamassassin_t)
    corenet_udp_sendrecv_generic_node(spamassassin_t)
    corenet_tcp_sendrecv_all_ports(spamassassin_t)
    corenet_udp_sendrecv_all_ports(spamassassin_t)
    corenet_tcp_connect_all_ports(spamassassin_t)
    corenet_sendrecv_all_client_packets(spamassassin_t)
    corenet_udp_bind_generic_node(spamassassin_t)
    sysnet_read_config(spamassassin_t)
')

hth
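
Added example, not part of the original thread or of the reference policy: a small Python parser that reads the tunable block quoted in the reply and groups its corenet_* interface calls by protocol and action, so the connect-versus-bind question raised in the thread can be checked against the text itself. The PREFIXES grouping and the function names are assumptions of this example; it classifies interface names inside this one block only and does not expand the macros or look at rules outside the block.

```python
import re

# Tunable block copied from the message above (reference-policy m4 source).
POLICY = r"""
tunable_policy(`spamassassin_can_network',`
    allow spamassassin_t self:tcp_socket create_stream_socket_perms;
    allow spamassassin_t self:udp_socket create_socket_perms;
    corenet_all_recvfrom_unlabeled(spamassassin_t)
    corenet_all_recvfrom_netlabel(spamassassin_t)
    corenet_tcp_sendrecv_generic_if(spamassassin_t)
    corenet_udp_sendrecv_generic_if(spamassassin_t)
    corenet_tcp_sendrecv_generic_node(spamassassin_t)
    corenet_udp_sendrecv_generic_node(spamassassin_t)
    corenet_tcp_sendrecv_all_ports(spamassassin_t)
    corenet_udp_sendrecv_all_ports(spamassassin_t)
    corenet_tcp_connect_all_ports(spamassassin_t)
    corenet_sendrecv_all_client_packets(spamassassin_t)
    corenet_udp_bind_generic_node(spamassassin_t)
    sysnet_read_config(spamassassin_t)
')
"""

# m4 quotes strings as `...', so a block is tunable_policy(`name',`body')
TUNABLE_RE = re.compile(r"tunable_policy\(`([^']+)',`(.*?)'\)", re.S)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\S+):(\w+)\s+(\w+);", re.M)
CALL_RE = re.compile(r"^\s*(\w+)\((\w+)\)\s*$", re.M)
# Hypothetical grouping: interface-name prefixes, not the expanded rules.
PREFIXES = ("tcp_connect", "tcp_bind", "udp_bind", "tcp_sendrecv", "udp_sendrecv")

def parse_tunables(text):
    """Map each boolean name to the allow rules and interface calls it gates."""
    return {
        name: {"allow": ALLOW_RE.findall(body),
               "calls": [call for call, _domain in CALL_RE.findall(body)]}
        for name, body in TUNABLE_RE.findall(text)
    }

def network_summary(calls):
    """Group corenet_* interface calls by protocol/action prefix."""
    return {p: [c for c in calls if c.startswith("corenet_" + p)] for p in PREFIXES}

if __name__ == "__main__":
    for boolean, rules in parse_tunables(POLICY).items():
        print(boolean)
        for kind, names in network_summary(rules["calls"]).items():
            print(f"  {kind:13} {', '.join(names) or '(none in this block)'}")
```

On the quoted block this lists one TCP connect interface, one UDP bind interface, and no interface whose name starts with corenet_tcp_bind.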