On Tue, 2006-06-20 at 16:59 +0100, Paul Howarth wrote:
Marc Schwartz (via MN) wrote:
> On Tue, 2006-06-20 at 16:12 +0100, Paul Howarth wrote:
<snip>
>> Try this one:
>>
>> policy_module(myclamscan, 0.2.0)
>>
>> require {
>> type clamscan_t;
>> type postfix_local_t;
>> type procmail_tmp_t;
>> };
>>
>> # temp files
>> # Included in selinux-policy-2.2.43-4
>> #type clamscan_tmp_t;
>> #files_tmp_file(clamscan_tmp_t)
>>
>> # Allow clamscan to create and use temp files and dirs
>> # Included in selinux-policy-2.2.43-4
>> #allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
>> #allow clamscan_t clamscan_tmp_t:file create_file_perms;
>> #files_type(clamscan_tmp_t)
>> #files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
>>
>> # Allow clamscan to read and write temp files created by procmail
>> # (needed for clamassassin)
>> allow clamscan_t procmail_tmp_t:file rw_file_perms;
>>
>> # Allow clamscan output to be piped back into the
>> # postfix local delivery process
>> allow clamscan_t postfix_local_t:fd use;
>> allow clamscan_t postfix_local_t:fifo_file write;
>
> OK. Done.
>
> Also, just to confirm that you are explicitly changing the policy name
> from myclam to myclamscan?

Yes; I was helping someone else out on fedora-list and I renamed some
things to avoid confusing myself.

No problem. Just wanted to be sure.

<snip>
> BTW, I am now getting the following messages with avclist, since the
> loading of the updated policies today:
>
> type=AVC msg=audit(1150817767.142:753): avc: denied { getattr } for pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1150817767.142:753): arch=40000003 syscall=195 success=no exit=-13 a0=a22fb98 a1=92360c8 a2=4891eff4 a3=a22fb98 items=1 pid=2268 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=AVC_PATH msg=audit(1150817767.142:753): path="/usr/bin/pyzor"
> type=CWD msg=audit(1150817767.142:753): cwd="/"
> type=PATH msg=audit(1150817767.142:753): item=0 name="/usr/bin/pyzor" flags=1 inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150817767.142:754): avc: denied { getattr } for pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1150817767.142:754): arch=40000003 syscall=195 success=no exit=-13 a0=a22fb98 a1=92360c8 a2=4891eff4 a3=a22fb98 items=1 pid=2268 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=AVC_PATH msg=audit(1150817767.142:754): path="/usr/bin/pyzor"
> type=CWD msg=audit(1150817767.142:754): cwd="/"
> type=PATH msg=audit(1150817767.142:754): item=0 name="/usr/bin/pyzor" flags=1 inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00

Is pyzor working though?
Maybe these can be dontaudit-ed if that's the case.

As Murphy's Law would dictate, no spam with pyzor hits since updating
the policies. The two or three that I have had so far, have no hits on
any of the remote tests.

As soon as I can confirm, I will post back.

Thanks,
Marc
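
Added example, not part of the original thread and not audit2allow's own code: the two spamd denials quoted above, parsed and collapsed into the single candidate `dontaudit` rule the reply alludes to. The function names are assumptions made for this example, and the sample input is constructed from the AVC records in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread (one record per
# line, still carrying the mail quote prefix) plus a non-AVC record to ignore.
SAMPLE = """\
> type=AVC msg=audit(1150817767.142:753): avc: denied { getattr } for pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=CWD msg=audit(1150817767.142:753): cwd="/"
> type=AVC msg=audit(1150817767.142:754): avc: denied { getattr } for pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return fields[2]

def collect_denials(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)  # search, not match: tolerates a "> " prefix
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def candidate_rules(text, keyword="dontaudit"):
    """Render one rule per (source, target, class), merging duplicate records."""
    rules = []
    for (src, tgt, cls), perms in sorted(collect_denials(text).items()):
        names = sorted(perms)
        perm = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"{keyword} {src} {tgt}:{cls} {perm};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

In a loadable module like the one quoted above, `spamd_t` and `pyzor_exec_t` would also have to be listed in the `require` block; a `dontaudit` rule only silences the log entry and grants no access.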