Clamd getting out of hand...
Arthur Dent
selinux.list at troodos.demon.co.uk
Wed Jul 30 17:41:10 UTC 2008
On Wed, Jul 30, 2008 at 06:29:23PM +0100, Arthur Dent wrote:
>
> My current policy (now up to version 14!) looks like this (below),
Ooopps. Forgot to include that...
Here it is:
##########################################
# cat myclamd.te
policy_module(myclamd, 1.1.14)
require {
	type clamscan_t;
	type clamd_t;
	class tcp_socket { write create connect };
	type var_run_t;
	type user_home_t;
	class sock_file { write unlink create };
	class file append;
	type unlabeled_t;
	class association recvfrom;
	type procmail_log_t;
}
#============= clamd_t ==============
allow clamd_t var_run_t:sock_file { unlink create };
corenet_tcp_bind_generic_port(clamd_t)
#corenet_tcp_bind_mail_port(clamd_t)
#corenet_tcp_bind_msnp_port(clamd_t)
#corenet_tcp_bind_asterisk_port(clamd_t)
userdom_read_generic_user_home_content_files(clamd_t)
#============= clamscan_t ==============
allow clamscan_t self:tcp_socket { write create connect };
allow clamscan_t user_home_t:file append;
allow clamscan_t var_run_t:sock_file write;
corenet_tcp_connect_generic_port(clamscan_t)
corenet_sendrecv_unlabeled_packets(clamscan_t)
mta_read_queue(clamscan_t)
procmail_rw_tmp_files(clamscan_t)
userdom_read_generic_user_home_content_files(clamscan_t)
allow clamscan_t unlabeled_t:association recvfrom;
sendmail_rw_pipes(clamscan_t)
allow clamscan_t procmail_log_t:file append;
##########################################
Thanks again!
AD