Clamd getting out of hand...
Daniel J Walsh
dwalsh at redhat.com
Wed Jul 30 19:31:49 UTC 2008
Arthur Dent wrote:
> On Wed, Jul 30, 2008 at 06:29:23PM +0100, Arthur Dent wrote:
>> My current policy (now up to version 14!) looks like this (below),
>
> Ooopps. Forgot to include that...
>
> Here it is:
> ##########################################
> # cat myclamd.te
> policy_module(myclamd, 1.1.14)
> require {
> type clamscan_t;
> type clamd_t;
> class tcp_socket { write create connect };
> type var_run_t;
> type user_home_t;
> class sock_file { write unlink create };
> class file append;
> type unlabeled_t;
> class association recvfrom;
> type procmail_log_t;
>
> }
>
> #============= clamd_t ==============
> allow clamd_t var_run_t:sock_file { unlink create };
> corenet_tcp_bind_generic_port(clamd_t)
> #corenet_tcp_bind_mail_port(clamd_t)
> #corenet_tcp_bind_msnp_port(clamd_t)
> #corenet_tcp_bind_asterisk_port(clamd_t)
> userdom_read_generic_user_home_content_files(clamd_t)
>
> #============= clamscan_t ==============
> allow clamscan_t self:tcp_socket { write create connect };
> allow clamscan_t user_home_t:file append;
> allow clamscan_t var_run_t:sock_file write;
> corenet_tcp_connect_generic_port(clamscan_t)
> corenet_sendrecv_unlabeled_packets(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
> userdom_read_generic_user_home_content_files(clamscan_t)
> allow clamscan_t unlabeled_t:association recvfrom;
> sendmail_rw_pipes(clamscan_t)
> allow clamscan_t procmail_log_t:file append;
> ##########################################
>
> Thanks again!
>
> AD
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If you change the labeling on /var/run/clamd to clamd_var_run_t
chcon -R -t clamd_var_run_t /var/run/clamd
It should eliminate a couple of allow rules on /var/run above.
More information about the fedora-selinux-list
mailing list