I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
Merged into the SELinux policy CVS tree at sourceforge.
On Wed, 2005-03-16 at 08:18 -0500, David Hampton wrote:
I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
On Thursday 17 March 2005 00:18, David Hampton <hampton-rh@rainbolthampton.net> wrote:
I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks.
+# Tmp reaper +ifdef(`tmpreaper.te', ` +allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink }; +allow tmpreaper_t amavisd_quarantine_t:file getattr; +')
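Review bot: the file rule in this hunk grants tmpreaper_t only getattr on amavisd_quarantine_t files, so the reaper can stat quarantined files but never delete them, and the dir rule lacks the write and remove_name permissions that removing a directory entry requires (unlink on the dir class does not cover that), while the setattr it grants is not needed. Consider `allow tmpreaper_t amavisd_quarantine_t:dir rw_dir_perms;` together with `allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };`, or give amavisd_quarantine_t the tmpfile attribute so the existing tmpreaper_t rules for tmpfile apply without a new ifdef block.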
tmpreaper_t should not need setattr access to the directory.
To perform any useful function tmpreaper_t will need read/write access to the directory and unlink access to the file such as the following:
allow tmpreaper_t amavisd_quarantine_t:dir { rw_dir_perms unlink };
allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };
Russell Coker wrote:
On Thursday 17 March 2005 00:18, David Hampton <hampton-rh@rainbolthampton.net> wrote:
I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks.
+# Tmp reaper +ifdef(`tmpreaper.te', ` +allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink }; +allow tmpreaper_t amavisd_quarantine_t:file getattr; +')
tmpreaper_t should not need setattr access to the directory.
To perform any useful function tmpreaper_t will need read/write access to the directory and unlink access to the file such as the following:
allow tmpreaper_t amavisd_quarantine_t:dir { rw_dir_perms unlink };
allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };
Why not add the attribute tmpfile to amavisd_quarantine_t and you get this for free?
Dan
On Friday 22 April 2005 21:08, Daniel J Walsh <dwalsh@redhat.com> wrote:
allow tmpreaper_t amavisd_quarantine_t:dir { rw_dir_perms unlink };
allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };
Why not add the attribute tmpfile to amavisd_quarantine_t and you get this for free?
True. tmpfile does grant access to the initrc_t domain, but that shouldn't be a problem in this case (and I can imagine a start script for amavis wanting to do such things).
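As an added illustration of the two points made in this thread (Russell's replacement rules and Dan's tmpfile attribute), and not code from any of the posts above: a small Python checker that parses TE allow rules, expands the rw_dir_perms macro, resolves attributes declared on a type, and reports which permissions a file reaper needs are missing from a fragment, and which granted ones go beyond that minimum. The macro expansions and the generic tmpreaper_t rules on tmpfile are assumptions about the strict policy of that era, not copied from it; the minimum set (read, search, getattr, write and remove_name on the directory, getattr and unlink on the file) is what the kernel checks when a directory is listed and an entry is removed.

```python
"""Check whether a TE policy fragment lets a reaper domain delete files of a
given type. Added example for the amavisd_quarantine_t discussion; the macro
bodies and the tmpfile rules below are assumptions, not the real policy."""
import re

# m4 permission macros as assumed for the strict policy of that era
# (confirm against your macros/global_macros.te).
MACROS = {"r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"}}
MACROS["rw_dir_perms"] = MACROS["r_dir_perms"] | {"add_name", "remove_name", "write"}

# Minimum a reaper needs: list the directory, stat entries, remove an entry
# (write + remove_name on the dir, unlink on the file).
REQUIRED = {
    "dir": {"read", "search", "getattr", "write", "remove_name"},
    "file": {"getattr", "unlink"},
}

# allow <src> <tgt>:<class or {classes}> <perm or {perms}>;
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+?):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;")
# type <name>[, attr, attr...];
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,([^;]*))?;", re.MULTILINE)

# Constructed inputs: the hunk from the original patch (without the '+' markers)...
ORIGINAL_HUNK = """
# Tmp reaper
ifdef(`tmpreaper.te', `
allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink };
allow tmpreaper_t amavisd_quarantine_t:file getattr;
')
"""
# ...the reviewer's replacement rules...
RUSSELL_FIX = """
allow tmpreaper_t amavisd_quarantine_t:dir { rw_dir_perms unlink };
allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };
"""
# ...and the attribute approach: declare the type with tmpfile and rely on
# generic tmpreaper_t rules (a constructed approximation of tmpreaper.te).
ATTRIBUTE_VARIANT = """
type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
allow tmpreaper_t tmpfile:dir { rw_dir_perms rmdir };
allow tmpreaper_t tmpfile:{ file lnk_file sock_file fifo_file } { getattr unlink };
"""


def expand(perm_text):
    """Expand a permission list, resolving known m4 macros."""
    perms = set()
    for tok in perm_text.strip("{}").split():
        perms |= MACROS.get(tok, {tok})
    return perms


def parse_policy(text):
    """Return (attributes per type, permissions per (src, tgt, class))."""
    attrs = {name: {a.strip() for a in (alist or "").split(",") if a.strip()}
             for name, alist in TYPE_RE.findall(text)}
    grants = {}
    for src, tgt, cls_text, perms in ALLOW_RE.findall(text):
        for cls in cls_text.strip("{}").split():
            grants.setdefault((src, tgt, cls), set()).update(expand(perms))
    return attrs, grants


def granted(text, src, tgt, cls):
    """Permissions src holds on tgt:cls, directly or through tgt's attributes."""
    attrs, grants = parse_policy(text)
    perms = set(grants.get((src, tgt, cls), set()))
    for attr in attrs.get(tgt, set()):
        perms |= grants.get((src, attr, cls), set())
    return perms


def missing_permissions(text, src="tmpreaper_t", tgt="amavisd_quarantine_t"):
    """Required permissions the fragment does not grant, per class."""
    return {cls: sorted(need - granted(text, src, tgt, cls))
            for cls, need in REQUIRED.items()}


def surplus_permissions(text, src="tmpreaper_t", tgt="amavisd_quarantine_t"):
    """Granted permissions beyond the minimum, for a least-privilege review."""
    return {cls: sorted(granted(text, src, tgt, cls) - need)
            for cls, need in REQUIRED.items()}


if __name__ == "__main__":
    for name, frag in [("original hunk", ORIGINAL_HUNK),
                       ("reviewer's fix", RUSSELL_FIX),
                       ("tmpfile attribute", ATTRIBUTE_VARIANT)]:
        print(f"{name}: missing={missing_permissions(frag)} "
              f"surplus={surplus_permissions(frag)}")
```

Run against the original hunk it reports write and remove_name missing on the directory and unlink missing on the file (with setattr flagged as surplus); both the replacement rules and the tmpfile declaration come back with nothing missing, which is the "for free" Dan describes.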
selinux@lists.fedoraproject.org