[refpolicy] services_amavis.patch
Martin Orr
martin at martinorr.name
Thu Sep 25 07:19:02 CDT 2008
On 25/09/08 08:19, Russell Coker wrote:
> On Thursday 25 September 2008 06:52, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_amavis.patch
>>
>> Add initrc script support
>
> How much success are people having with the policy that has Amavis and ClamAV
> in different domains?

Well I run amavis and clamav in separate domains (with Courier as MTA, so
that may be different from using exim/postfix), and the only extra rule I
need for clamav is:

    read_files_pattern(clamd_t, courier_spool_t, courier_spool_t)

(I have a bunch more rules for amavisd to talk to Courier, but then my
Courier policy is entirely home-grown.)

> The CentOS servers that I run have Amavis and ClamAV running unconfined
> because getting the policy to work was too difficult (the two daemons
> interact with each other a lot, trying to keep them separate is a lost
> cause).

How do they interact with each other beyond communicating by a socket and
clamd reading amavis spool files?

And people might want to use clamav to scan things other than mail, or to
use a commercial AV scanner with amavis (of course in the latter case, they
would have to write policy for the AV scanner themselves).

Best wishes,
--
Martin Orr
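
Added example, not part of the original message: one way to answer the question of how the two daemons interact is to tally AVC denials whose source domain is amavis_t or clamd_t and see which rules separate domains would need. The audit records, PIDs, inode numbers and socket path below are constructed; courier_spool_t is the type from the message above, and the script assumes the usual user:role:type[:level] context layout.

```python
import re
from collections import defaultdict

# Constructed sample audit records (illustrative only, not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1222344000.101:51): avc:  denied  { search } for  pid=2101 comm="clamd" name="tmp" dev=sda1 ino=4001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1222344000.102:52): avc:  denied  { read } for  pid=2101 comm="clamd" name="msg1" dev=sda1 ino=4002 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1222344000.103:53): avc:  denied  { getattr } for  pid=2101 comm="clamd" name="msg1" dev=sda1 ino=4002 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1222344000.103:53): arch=c000003e syscall=4 success=no exit=-13 comm="clamd" subj=system_u:system_r:clamd_t:s0
type=AVC msg=audit(1222344001.201:60): avc:  denied  { write } for  pid=1988 comm="amavisd" name="clamd.sock" dev=sda1 ino=5001 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222344001.202:61): avc:  denied  { connectto } for  pid=1988 comm="amavisd" path="/var/run/clamav/clamd.sock" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1222344002.301:70): avc:  denied  { append } for  pid=3001 comm="httpd" name="x.log" dev=sda1 ino=6001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    # SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def summarize_denials(log_text, domains=("amavis_t", "clamd_t")):
    """Map (source type, target type, class) -> set of denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records
        source = context_type(m["scon"])
        if source not in domains:
            continue  # denial belongs to some other daemon
        key = (source, context_type(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def as_allow_rules(needed):
    """Render the summary as raw allow rules for review, one per triple."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(needed.items())
    ]
```

The clamd_t denials on courier_spool_t directories and files in the sample are the accesses a read_files_pattern rule like the one quoted above is meant to cover; the rendered rules are for review, not for loading unread.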