public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] exim / amavis / Clamav
@ 2011-11-03  0:40 Nico Baggus
From: Nico Baggus @ 2011-11-03  0:40 UTC
  To: gentoo-hardened

Here I am not sure...

exim has some problems, amavis has various problems & clamav has some problems.

Exim produces:
---8<---

module exim-nb 1.0;

require {
        type amavisd_recv_port_t;
        type initrc_t;
        type exim_t;
        class tcp_socket name_connect;
        class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t amavisd_recv_port_t:tcp_socket name_connect;
allow exim_t initrc_t:unix_stream_socket connectto;
---8<---

ClamAV:
---8<---
module clam 1.0;

require {
        type net_conf_t;
        type amavis_t;
        type default_t;
        type node_t;
        type clamd_port_t;
        type amavis_var_lib_t;
        type clamscan_t;
        class tcp_socket { name_connect node_bind };
        class dir { getattr read open };
        class file { read getattr open };
}

#============= amavis_t ==============
allow amavis_t clamd_port_t:tcp_socket name_connect;

#============= clamscan_t ==============
allow clamscan_t amavis_var_lib_t:dir { read getattr open };
allow clamscan_t amavis_var_lib_t:file { read open };
allow clamscan_t default_t:dir { read getattr open };
allow clamscan_t default_t:file { read open };
allow clamscan_t net_conf_t:file { read getattr open };
allow clamscan_t node_t:tcp_socket node_bind;
---8<---

For amavis I still have to investigate, but after the previous 'fixes' I am not really sure how to tackle this kind of cross-product issue.
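
An added example, not part of the original post: a small Python check that splits the posted allow rules by target type before such a module is loaded. It assumes (reference-policy convention, not something the post states) that rules targeting `default_t`, `unlabeled_t` or `initrc_t` usually point to a labeling or domain-transition problem rather than a missing permission; the function names are hypothetical.

```python
import re

# Assumption (reference-policy convention, not from the post): these target
# types usually signal a labeling or domain-transition problem.
GENERIC_TARGETS = {
    "default_t": "no file context matched; label the path (fcontext + restorecon)",
    "unlabeled_t": "object has no valid label; relabel the filesystem",
    "initrc_t": "peer runs in the init script domain; fix its domain transition",
}

RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, class, [perms]) for each simple allow rule."""
    return [(src, tgt, cls, perms.strip("{} ").split())
            for src, tgt, cls, perms in RULE_RE.findall(te_text)]

def review(te_text):
    """Split rules into (suspect, plain); suspect rules carry a hint."""
    suspect, plain = [], []
    for rule in parse_allow_rules(te_text):
        hint = GENERIC_TARGETS.get(rule[1])
        if hint:
            suspect.append(rule + (hint,))
        else:
            plain.append(rule)
    return suspect, plain

# The allow rules from the two modules in the post, copied verbatim.
POSTED_RULES = """
allow exim_t amavisd_recv_port_t:tcp_socket name_connect;
allow exim_t initrc_t:unix_stream_socket connectto;
allow amavis_t clamd_port_t:tcp_socket name_connect;
allow clamscan_t amavis_var_lib_t:dir { read getattr open };
allow clamscan_t amavis_var_lib_t:file { read open };
allow clamscan_t default_t:dir { read getattr open };
allow clamscan_t default_t:file { read open };
allow clamscan_t net_conf_t:file { read getattr open };
allow clamscan_t node_t:tcp_socket node_bind;
"""

if __name__ == "__main__":
    suspect, plain = review(POSTED_RULES)
    for src, tgt, cls, perms, hint in suspect:
        print(f"CHECK {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}: {hint}")
    print(f"{len(plain)} rule(s) target specific types")
```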


