Clamd getting out of hand...

Daniel J Walsh dwalsh at redhat.com
Wed Jul 30 19:31:49 UTC 2008


Arthur Dent wrote:
> On Wed, Jul 30, 2008 at 06:29:23PM +0100, Arthur Dent wrote:
>> My current policy (now up to version 14!) looks like this (below),
> 
> Ooopps. Forgot to include that...
> 
> Here it is:
> ##########################################
> # cat myclamd.te
> policy_module(myclamd, 1.1.14)
> require {
>         type clamscan_t;
>         type clamd_t;
>         class tcp_socket { write create connect };
>         type var_run_t;
>         type user_home_t;
>         class sock_file { write unlink create };
>         class file append;
>         type unlabeled_t;
>         class association recvfrom;
>         type procmail_log_t;
> }
> 
> #============= clamd_t ==============
> allow clamd_t var_run_t:sock_file { unlink create };
> corenet_tcp_bind_generic_port(clamd_t)
> #corenet_tcp_bind_mail_port(clamd_t)
> #corenet_tcp_bind_msnp_port(clamd_t)
> #corenet_tcp_bind_asterisk_port(clamd_t)
> userdom_read_generic_user_home_content_files(clamd_t)
> 
> #============= clamscan_t ==============
> allow clamscan_t self:tcp_socket { write create connect };
> allow clamscan_t user_home_t:file append;
> allow clamscan_t var_run_t:sock_file write;
> corenet_tcp_connect_generic_port(clamscan_t)
> corenet_sendrecv_unlabeled_packets(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
> userdom_read_generic_user_home_content_files(clamscan_t)
> allow clamscan_t unlabeled_t:association recvfrom;
> sendmail_rw_pipes(clamscan_t)
> allow clamscan_t procmail_log_t:file append;
> ##########################################
> 
> Thanks again!
> 
> AD
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If you change the labeling on /var/run/clamd to clamd_var_run_t

chcon -R -t clamd_var_run_t /var/run/clamd

It should eliminate a couple of allow rules on /var/run above.
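An added example, not code from either post in this thread: the relabel above done so that it survives a later restorecon or full relabel (chcon only changes the inode label, so a relabel would put it back to var_run_t), together with the module rebuilt without the two var_run_t sock_file rules and their require entries, and a check of the live label afterwards. It assumes an SELinux host with selinux-policy-devel (for /usr/share/selinux/devel/Makefile) and policycoreutils (semodule, semanage, matchpathcon, restorecon) installed, that clamd's LocalSocket lives under /var/run/clamd, and that apply_label is run as root; the version bump to 1.1.15 is mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Moves clamd's socket directory
# to clamd_var_run_t persistently, rebuilds the module without the two
# var_run_t rules, and checks the result. Assumes an SELinux host with
# selinux-policy-devel (/usr/share/selinux/devel/Makefile), policycoreutils
# (semodule, semanage, restorecon, matchpathcon) and clamd's LocalSocket
# under /var/run/clamd; apply_label needs root.

CLAMD_RUN_DIR=/var/run/clamd

# Write the module into $1 with the var_run_t rules and their require
# entries removed (version bumped to 1.1.15 here for the rebuild).
write_module() {
    cat > "$1/myclamd.te" <<'EOF'
policy_module(myclamd, 1.1.15)
require {
        type clamscan_t;
        type clamd_t;
        class tcp_socket { write create connect };
        type user_home_t;
        class file append;
        type unlabeled_t;
        class association recvfrom;
        type procmail_log_t;
}

#============= clamd_t ==============
corenet_tcp_bind_generic_port(clamd_t)
userdom_read_generic_user_home_content_files(clamd_t)

#============= clamscan_t ==============
allow clamscan_t self:tcp_socket { write create connect };
allow clamscan_t user_home_t:file append;
corenet_tcp_connect_generic_port(clamscan_t)
corenet_sendrecv_unlabeled_packets(clamscan_t)
mta_read_queue(clamscan_t)
procmail_rw_tmp_files(clamscan_t)
userdom_read_generic_user_home_content_files(clamscan_t)
allow clamscan_t unlabeled_t:association recvfrom;
sendmail_rw_pipes(clamscan_t)
allow clamscan_t procmail_log_t:file append;
EOF
}

# Type field of a security context string (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the context the loaded policy expects for the directory is
# not clamd_var_run_t, i.e. a file-context rule is needed before restorecon.
needs_fcontext_rule() {
    [ "$(context_type "$1")" != clamd_var_run_t ]
}

# Build and load the module, persist the label, relabel, verify.
apply_label() {
    dir=$1
    write_module "$dir"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile myclamd.pp ) || return 1
    semodule -i "$dir/myclamd.pp" || return 1

    # chcon changes the inode label only; a later restorecon or relabel
    # would revert it. A file-context rule makes the label part of policy.
    if needs_fcontext_rule "$(matchpathcon -n "$CLAMD_RUN_DIR")"; then
        semanage fcontext -a -t clamd_var_run_t "${CLAMD_RUN_DIR}(/.*)?" || return 1
    fi
    restorecon -Rv "$CLAMD_RUN_DIR"

    # Verify from the live label, not from what was requested.
    [ "$(context_type "$(stat -c %C "$CLAMD_RUN_DIR")")" = clamd_var_run_t ]
}

# On the target host, as root:
# apply_label "$(mktemp -d)" && echo "clamd socket dir is clamd_var_run_t"
```

The matchpathcon check matters because the stock clamav policy may already expect clamd_var_run_t for that path, in which case restorecon alone fixes it and no extra rule is wanted; if a local rule for that regex already exists, `semanage fcontext -m` replaces it where `-a` would fail. Shipping the same entry in a myclamd.fc beside the .te is the other way to persist it. If clamdscan still cannot reach the socket once the directory is relabeled, the denial audit2allow reports will now name clamd_var_run_t rather than var_run_t, and that is the type any remaining rule should be written against.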
