I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
Cool. I am having to package up a clamav for our Fedora Core 3 boxes.. and this was worrying me how to work this.
On Wed, 16 Mar 2005 08:17:51 -0500, David Hampton <hampton-rh@rainbolthampton.net> wrote:
I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
Merged into the SELinux policy CVS tree at sourceforge.
On Wed, 2005-03-16 at 08:17 -0500, David Hampton wrote:
I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
On Thursday 17 March 2005 00:17, David Hampton <hampton-rh@rainbolthampton.net> wrote:
I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks.
+can_network_client_tcp(freshclam_t, http_port_t);
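Review bot: the added can_network_client_tcp line names http_port_t as the only port type freshclam_t may connect to, and nothing next to it records why. If signature updates are ever fetched through a proxy or a mirror on a port with a different label, freshclam will be denied, so either add a comment stating that direct HTTP to http_port_t is the only supported update path, or use a shared web-client rule so the set of allowed ports is maintained in one place.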
This should be replaced by web_client_domain (the policy for which may need to be adjusted). Among other things the above policy doesn't work for http_cache_port_t.
On Thursday 17 March 2005 00:17, David Hampton <hampton-rh@rainbolthampton.net> wrote:
I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks.
Another thing, please don't add new _sock_t types. Among other things you didn't give it the pidfile attribute to mark it as something that init scripts can unlink.