On Tue, 2010-08-24 at 08:41 +0200, Dominick Grift wrote: > On 08/24/2010 12:20 AM, Arthur Dent wrote: > > On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote: > > > >> open your ~/myclamd/myclamd.te file and append the following: > >> > >> gen_require(` > >> type clamscan_t; > >> ') > >> > >> procmail_rw_tmp_files(clamscan_t) > >> mta_read_queue(clamscan_t) > >> > >> > >> Then rebuild be binary representation and reinstall it: > >> > >> cd ~/myclamd; > >> make -f /usr/share/selinux/devel/Makefile myclamd.pp > >> sudo semodule -i myclamd.pp > > > > I'm sorry to be a nuisance Dominick, but I'm afraid there's another > > problem. > > > > Many people, including myself, who use clamd run a program called > > clamdwatch to monitor the fact that the clamd daemon is alive and well. > > > > This basically works by sending the Eicar virus to clamd and if it > > doesn't get back the expected virus warning it assumes clamd is dead and > > tries to restart it. > > > > I have it running from a cron job: > > */10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 ) > > > > At the moment, every time this runs it restarts clamd. > > > > Here is the associated avc (still with semanage -DB). > > i guess you could chcon the file from the cronjob to use a type that > clamd_t can access. for example append chcon -t clamd_tmp_t /tmp/clamdwatch* > > That would be a workaround. > > The other approach is to write policy for clamdwatch. > > Another approach which is not encouraged is to allow clamd_t access to > user temporary content. > > What package provides this app? and why is it in the admin directory? Sorry - It's not an app, it's a script (perl). It comes in the clamav tarball. I have put it in my /root/scripts/ directory where I keep most of my scripts run from cron. I can send you a copy if that would help? Thanks Mark
Attachment:
signature.asc
Description: This is a digitally signed message part
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
