On Fri, 2008-02-29 at 09:16 -0500, Daniel J Walsh wrote:
Always add a user specify front end to your policy.
D'oh! That fixed it. Thanks.
This policy seems reasonable but most likely clamav-milter is going to
/usr/bin to execute something. So you might end up needing either
corecmd_exec_bin(clamd_t)
Or some transition to another domain.
If you have an idea what app it is looking for, we can correct the policy.
How can I find out what it's looking for? As a test, I just added the
policy:
module myclamav 1.0;

require {
        type bin_t;
        type clamd_t;
        class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
So if I understand this, you expect that I should later today get an AVC
that clamav is trying to execute something that is bin_t? Assuming
that's the case, I'll see what is there when I get home from work later
and I'll post that. But if there's something else I can do to find out,
let me know.
Thanks
Eddie
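
Added example, not part of the original message: one way to answer "what is it looking for" is to filter AVC denials by source and target type and read the name= or path= field. The log lines and the object name "example-helper" are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample audit records for illustration; not taken from the thread.
# "example-helper" is a placeholder, not the program clamav-milter really runs.
SAMPLE_LOG = '''\
type=AVC msg=audit(1204300000.101:201): avc:  denied  { search } for  pid=2345 comm="clamav-milter" name="bin" dev=dm-0 ino=1001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1204300050.202:202): avc:  denied  { execute } for  pid=2345 comm="clamav-milter" name="example-helper" dev=dm-0 ino=1002 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1204300060.303:203): avc:  denied  { read } for  pid=999 comm="httpd" name="x" dev=dm-0 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1204300050.202:202): arch=40000003 syscall=11 success=no exit=-13 comm="clamav-milter" exe="/usr/sbin/clamav-milter"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit line into a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    return rec

def denied_objects(log_text, source_type, target_type):
    """Map (object name or path, class) -> sorted list of denied permissions."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["stype"] != source_type or rec["ttype"] != target_type:
            continue
        # path= is the full path when the kernel logs it; name= is the last component.
        obj = rec.get("path") or rec.get("name") or "?"
        found.setdefault((obj, rec.get("tclass", "?")), set()).update(rec["perms"])
    return {key: sorted(perms) for key, perms in found.items()}

if __name__ == "__main__":
    for (obj, tclass), perms in denied_objects(SAMPLE_LOG, "clamd_t", "bin_t").items():
        print(f"{tclass:5} {obj:20} {' '.join(perms)}")
```

On a real system the input would be the contents of /var/log/audit/audit.log; an execute denial on a bin_t file names the program the domain tried to run.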