On Mon, 2009-08-03 at 10:13 +0200, Daniel Fazekas wrote:
On Aug 3, 2009, at 02:20, Scott Radvan wrote:
> spamassassin_can_network seems to be a good Boolean to explain, show
> the denial and then show the work-around for.
> This Boolean is off by default, which as far as I can tell would
> stop spamassassin from launching as a daemon listening on the
> machine's actual IP/interface.
I thought spamassassin_can_network was for allowing SpamAssassin to
access various online services, such as Razor2 or Pyzor, for more
accurate spam detection.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Basically it allows spamassassin_t to connect to any tcp port and
sendrecv udp.
# set tunable if you have spamassassin do DNS lookups
tunable_policy(`spamassassin_can_network',`
	allow spamassassin_t self:tcp_socket create_stream_socket_perms;
	allow spamassassin_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(spamassassin_t)
	corenet_all_recvfrom_netlabel(spamassassin_t)
	corenet_tcp_sendrecv_generic_if(spamassassin_t)
	corenet_udp_sendrecv_generic_if(spamassassin_t)
	corenet_tcp_sendrecv_generic_node(spamassassin_t)
	corenet_udp_sendrecv_generic_node(spamassassin_t)
	corenet_tcp_sendrecv_all_ports(spamassassin_t)
	corenet_udp_sendrecv_all_ports(spamassassin_t)
	corenet_tcp_connect_all_ports(spamassassin_t)
	corenet_sendrecv_all_client_packets(spamassassin_t)
	corenet_udp_bind_generic_node(spamassassin_t)

	sysnet_read_config(spamassassin_t)
')
hth
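
An added example, not part of the original thread or of the reference policy: a small triage script that sorts AVC denials for spamassassin_t into those the tunable block above would allow and those it would not, such as a TCP name_bind, which the block does not grant. The audit lines are constructed, and the GRANTS table is a hand-expanded subset of the rules in the block (an assumption of this example), not the full macro expansion.

```python
import re

# Constructed AVC records (not from the thread); PIDs, ports and serials are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1249287180.101:41): avc:  denied  { name_connect } for  pid=2301 comm="spamassassin" dest=2703 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1249287181.202:42): avc:  denied  { create } for  pid=2301 comm="spamassassin" scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:system_r:spamassassin_t:s0 tclass=udp_socket
type=AVC msg=audit(1249287182.303:43): avc:  denied  { name_bind } for  pid=2301 comm="spamassassin" src=783 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1249287183.404:44): avc:  denied  { name_connect } for  pid=911 comm="httpd" dest=2703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Hand-expanded subset of the tunable block: (class, perm) -> (target scope, rule).
# Assumption of this example; the real macros expand to more rules than listed here.
GRANTS = {
    ("tcp_socket", "name_connect"): ("any", "corenet_tcp_connect_all_ports"),
    ("tcp_socket", "create"): ("self", "self:tcp_socket create_stream_socket_perms"),
    ("udp_socket", "create"): ("self", "self:udp_socket create_socket_perms"),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)")

def triage(audit_text, domain="spamassassin_t"):
    """Split the domain's denials into (covered_by_tunable, not_covered)."""
    covered, other = [], []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["stype"] != domain:
            continue  # not an AVC denial, or a different source domain
        for perm in m["perms"].split():
            rule = GRANTS.get((m["tclass"], perm))
            # "self" rules only apply when the target is the domain itself
            if rule and (rule[0] != "self" or m["ttype"] == domain):
                covered.append((m["tclass"], perm, rule[1]))
            else:
                other.append((m["tclass"], perm))
    return covered, other

if __name__ == "__main__":
    covered, other = triage(SAMPLE_AUDIT)
    for tclass, perm, rule in covered:
        print(f"spamassassin_can_network would allow {tclass} {perm} ({rule})")
    for tclass, perm in other:
        print(f"not granted by this tunable: {tclass} {perm}")
```
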