Clamd getting out of hand...

Arthur Dent selinux.list at troodos.demon.co.uk
Tue Aug 12 16:47:19 UTC 2008


On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
> Arthur Dent wrote:
> > On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:


> Adding the following policy to clamscan
> 
> mta_send_mail(clamscan_t)
> corenet_all_recvfrom_unlabeled(clamscan_t)
> corenet_all_recvfrom_netlabel(clamscan_t)
> corenet_tcp_sendrecv_all_if(clamscan_t)
> corenet_tcp_sendrecv_all_nodes(clamscan_t)
> corenet_tcp_sendrecv_all_ports(clamscan_t)
> corenet_tcp_sendrecv_clamd_port(clamscan_t)
> corenet_tcp_connect_clamd_port(clamscan_t)
> 
> Should fix.
> 
> Updated in selinux-policy-3.3.1-85.fc9

Hi Daniel,

Thank you very much for taking the time to help me on this.

This is the first chance I've had to test your policy. With setenforce
set to 0 and just the above lines in my clamd policy I got 11 (eleven)
AVC denials for the first inbound email.

I have put all 11 AVCs (full) here:

http://pastebin.com/m3126be9d


Running audit2allow on those says I should also have the following
policies:

require {
	type clamscan_t;
	type procmail_log_t;
	type clamd_t;
	class tcp_socket { write create connect };
	class file append;
}

#============= clamd_t ==============
corenet_tcp_bind_generic_port(clamd_t)

#============= clamscan_t ==============
allow clamscan_t procmail_log_t:file append;
allow clamscan_t self:tcp_socket { write create connect };
corenet_tcp_connect_generic_port(clamscan_t)
mta_read_queue(clamscan_t)
procmail_rw_tmp_files(clamscan_t)

What do you think?

Thanks again...

AD

p.s.

On Fri Aug 08 yum updated my system with selinux-policy-3.3.1-82.fc9.noarch.
You say that much of the above is in 3.3.1-85. Typically how long is the
gap between you releasing the policy and it getting into the repos for
us mortals?
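To show how the allow rules above are derived from raw AVC records, here is an added example (not part of this thread and not audit2allow itself) that parses constructed denial lines for clamscan_t and prints a require block plus allow rules in the same shape; the audit lines are made up to match the rules quoted in the post, not copied from the pastebin.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not the real ones from the pastebin): the
# clamscan_t denials that would yield the file/tcp_socket rules quoted above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1218556800.123:101): avc:  denied  { append } for  pid=4321 comm="clamscan" name="procmail.log" dev=sda3 ino=12345 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_log_t:s0 tclass=file
type=AVC msg=audit(1218556800.456:102): avc:  denied  { create } for  pid=4321 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218556800.789:103): avc:  denied  { connect } for  pid=4321 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218556801.012:104): avc:  denied  { write } for  pid=4321 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:clamscan_t:s0 tclass=tcp_socket
"""

# Pull the permission set, the source/target *type* (third field of the
# user:role:type[:level] context) and the object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Return {(source_type, target_type, class): set(perms)}; non-AVC lines are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def _perm_list(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def render_module(rules):
    """Emit a require block and allow rules in the layout audit2allow prints."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c].update(perms)
    out = ["require {"] + [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_list(classes[c])};" for c in sorted(classes)]
    out.append("}")
    for (s, t, c) in sorted(rules):
        tgt = "self" if s == t else t   # same type on both sides collapses to self
        out.append(f"allow {s} {tgt}:{c} {_perm_list(rules[(s, t, c)])};")
    return "\n".join(out)

if __name__ == "__main__":
    # Review the generated rules before loading them: a denial is evidence of
    # one access, not proof that granting it is the right fix.
    print(render_module(parse_avcs(SAMPLE_AVCS)))
```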

