| 1 |
Here I am not sure... |
| 2 |
|
| 3 |
exim has some problems, amavis has various problems & clamav has some problems. |
| 4 |
|
| 5 |
Exim produces: |
| 6 |
---8<--- |
| 7 |
|
| 8 |
module exim-nb 1.0; |
| 9 |
|
| 10 |
require { |
| 11 |
type amavisd_recv_port_t; |
| 12 |
type initrc_t; |
| 13 |
type exim_t; |
| 14 |
class tcp_socket name_connect; |
| 15 |
class unix_stream_socket connectto; |
| 16 |
} |
| 17 |
|
| 18 |
#============= exim_t ============== |
| 19 |
allow exim_t amavisd_recv_port_t:tcp_socket name_connect; |
| 20 |
allow exim_t initrc_t:unix_stream_socket connectto; |
| 21 |
---8<--- |
| 22 |
|
| 23 |
ClamAV: |
| 24 |
---8<--- |
| 25 |
module clam 1.0; |
| 26 |
|
| 27 |
require { |
| 28 |
type net_conf_t; |
| 29 |
type amavis_t; |
| 30 |
type default_t; |
| 31 |
type node_t; |
| 32 |
type clamd_port_t; |
| 33 |
type amavis_var_lib_t; |
| 34 |
type clamscan_t; |
| 35 |
class tcp_socket { name_connect node_bind }; |
| 36 |
class dir { getattr read open }; |
| 37 |
class file { read getattr open }; |
| 38 |
} |
| 39 |
|
| 40 |
#============= amavis_t ============== |
| 41 |
allow amavis_t clamd_port_t:tcp_socket name_connect; |
| 42 |
|
| 43 |
#============= clamscan_t ============== |
| 44 |
allow clamscan_t amavis_var_lib_t:dir { read getattr open }; |
| 45 |
allow clamscan_t amavis_var_lib_t:file { read open }; |
| 46 |
allow clamscan_t default_t:dir { read getattr open }; |
| 47 |
allow clamscan_t default_t:file { read open }; |
| 48 |
allow clamscan_t net_conf_t:file { read getattr open }; |
| 49 |
allow clamscan_t node_t:tcp_socket node_bind; |
| 50 |
---8<--- |
| 51 |
|
| 52 |
For amavis I still have to investigate, but after the previous 'fixes' i am not realy sure how to tackle this kind of cross product issues.. |
Archives