Partitions Mounted by fstab

Arthur Dent selinux.list at troodos.demon.co.uk
Thu Mar 6 14:45:01 UTC 2008


On Thu, Mar 06, 2008 at 08:43:26AM -0500, Stephen Smalley wrote:
> 
> > 
> > Been thinking (always dangerous!) about this...
> > 
> > Here's my latest effort. This time I've tried using audit2allow. The
> > output is Greek to me.
> > Is this safe to use?
> > Will it address all the issues?
> > 
> > Thanks for any advice...
> > 
> > ##########################################
> > # cat myclamd.te
> > policy_module(myclamd, 1.1)
> > require {
> >         type clamscan_t;
> >         type clamd_t;
> >         class tcp_socket { write create connect };
> > }
> > 
> > #============= clamd_t ==============
> > corenet_tcp_bind_generic_port(clamd_t)
> > 
> > #============= clamscan_t ==============
> > allow clamscan_t self:tcp_socket { write create connect };
> > corenet_tcp_connect_generic_port(clamscan_t)
> > mta_read_queue(clamscan_t)
> > procmail_rw_tmp_files(clamscan_t)
> > userdom_read_generic_user_home_content_files(clamscan_t)
> > ##########################################
> 
> This seems consistent with the denials you reported.
> Ideally we'd identify specific types for the ports to which it is
> binding and connecting and only give access to those ports rather than
> opening up generic port access.  That would be done via semanage port,
> similar to the semanage fcontext commands you ran earlier.  But if you
> primarily just want your system to work right now, you can use the above
> module, and wait on the upstream policy to catch up.  Reporting the avc
> denials from audit.log to this list or to the upstream selinux list will
> generally ensure that they get addressed in the future.

Hi Stephen,

Yes, I know it's a bit off-topic for this list (well totally OT really)
but why does clamd bind to a different port each time? Is that normal
behaviour for clamd or have I got something borked in my setup?

Anyway it works (I think)!

Thanks very much for all the help and support so far. Now that I have
discovered audit2allow there's no stopping me!...

I have no idea what most of the things are for, but if I'm careful about
watching where the denials take place, is it usually safe to trust
audit2allow to create policies for me?

After much watching and tail -f'ing of logs, here is what I have ended
up with...


##########################################
# cat myclamd.te
policy_module(myclamd, 1.2)
require {
        type clamscan_t;
        type clamd_t;
        class tcp_socket { write create connect };
        type var_run_t;
        type user_home_t;
        class sock_file write;
        class file append;

}

#============= clamd_t ==============
corenet_tcp_bind_generic_port(clamd_t)

#============= clamscan_t ==============
allow clamscan_t self:tcp_socket { write create connect };
allow clamscan_t user_home_t:file append;
allow clamscan_t var_run_t:sock_file write;
corenet_tcp_connect_generic_port(clamscan_t)
mta_read_queue(clamscan_t)
procmail_rw_tmp_files(clamscan_t)
userdom_read_generic_user_home_content_files(clamscan_t)
##########################################


It's still Greek to me. I hope I haven't compromised my system in any way...

I have just typed "setenforce 1" - Yay! (Expect to hear back from me
with tales of woe when it won't work anymore!...)

Thanks again


Mark
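The question above (is it safe to trust audit2allow?) and Stephen's point about preferring a dedicated port type over generic port access both come down to reading the denials before turning them into rules. The script below is an added example, not code from this thread or from audit2allow: it reduces AVC lines to unique (source type, class, permission, target type) tuples and flags the ones that would become broad rules, namely binds/connects to the generic port_t type and writes into catch-all file types such as var_run_t or user_home_t. The log lines are constructed samples in the kernel AVC format (the port number and inode values are made up), and the list of "broad" target types is this example's own choice, not a policy definition.

```shell
#!/bin/sh
# Added example, not code from the list thread. Summarises AVC denials the way a
# reviewer would before feeding them to audit2allow: one line per unique
# (source type, class, permission, target type) tuple, with broad targets flagged.
# The log lines below are constructed samples in the kernel AVC format.

AVC_SAMPLE='type=AVC msg=audit(1204812345.123:456): avc:  denied  { name_bind } for  pid=1234 comm="clamd" src=3310 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1204812346.456:457): avc:  denied  { append } for  pid=1235 comm="clamscan" name="clamscan.log" dev=sda2 ino=12345 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204812347.789:458): avc:  denied  { write } for  pid=1235 comm="clamscan" name="clamd.sock" dev=sda2 ino=678 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1204812348.012:459): avc:  denied  { name_connect } for  pid=1235 comm="clamscan" dest=3310 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1204812349.345:460): avc:  denied  { read } for  pid=1236 comm="clamscan" name="qfm26Abc" dev=sda2 ino=999 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
type=AVC msg=audit(1204812350.678:461): avc:  denied  { name_connect } for  pid=1237 comm="clamscan" dest=3310 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_summary: read AVC lines on stdin, print unique tab-separated
# "stype tclass perm ttype" tuples. The type is the third colon-separated
# field of a security context (user:role:type:level).
avc_summary() {
    awk '
    /avc:  denied/ {
        perm = ""; stype = ""; ttype = ""; tclass = ""
        # the permission set sits between the braces: { name_bind } or { read write }
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass")   tclass = kv[2]
        }
        key = stype "\t" tclass "\t" perm "\t" ttype
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# avc_flag: mark tuples that audit2allow would turn into broad rules.
# port_t is the generic (unlabelled) port type; var_run_t, user_home_t and
# tmp_t each cover a large number of unrelated files and sockets.
avc_flag() {
    avc_summary | awk -F'\t' '
    $4 == "port_t" && ($3 == "name_bind" || $3 == "name_connect") {
        print $0 "\tREVIEW: generic port type; give the port its own type with semanage port instead"; next }
    $4 == "var_run_t" || $4 == "user_home_t" || $4 == "tmp_t" {
        print $0 "\tREVIEW: broad target type; label the specific file or socket with semanage fcontext"; next }
    { print $0 "\tok" }'
}

# Run over the constructed sample; in practice pipe in `ausearch -m avc` output.
printf '%s\n' "$AVC_SAMPLE" | avc_flag
```

Of the six sample denials, the two name_connect lines collapse into one tuple, the two port_t lines and the user_home_t/var_run_t writes are flagged for review, and only the read of the mail queue (which a module interface such as mta_read_queue already covers) passes as-is. The flagged lines are exactly the ones where a generated allow rule would grant more than the program needs.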
