On 12/04/2014 03:22 PM, James B. Byrne wrote:
> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>> Re: SELinux. Do I just build a local policy or is there some boolean setting
>> needed to handle this? I could not find one if there is but. . .
>>
> Anyone see any problem with generating a custom policy consisting of the
> following?
>
> grep avc /var/log/audit/audit.log | audit2allow
>
>
> #============= amavis_t =============
> allow amavis_t shell_exec_t:file execute;
> allow amavis_t sysfs_t:dir search;
>
> #============= clamscan_t =============
> allow clamscan_t amavis_spool_t:dir read;

In the latest rhel6 policies amavis_t and clamscan_t have been merged into antivirus_t? Is your selinux-policy up to date?

> #============= logwatch_mail_t =============
> allow logwatch_mail_t usr_t:lnk_file read;
>
> #============= postfix_master_t =============
> allow postfix_master_t tmp_t:dir read;
>
> #============= postfix_postdrop_t =============
> allow postfix_postdrop_t tmp_t:dir read;
>
> #============= postfix_showq_t =============
> allow postfix_showq_t tmp_t:dir read;

Any reason postfix would be listing the contents of /tmp or /var/tmp? Did you put some content into these directories that have something to do with mail?

> #============= postfix_smtp_t =============
> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>
>
On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
>
> On 12/04/2014 03:22 PM, James B. Byrne wrote:
>> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>>> Re: SELinux. Do I just build a local policy or is there some boolean
>>> setting
>>> needed to handle this? I could not find one if there is but. . .
>>>
>> Anyone see any problem with generating a custom policy consisting of the
>> following?
>>
>> grep avc /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= amavis_t =============
>> allow amavis_t shell_exec_t:file execute;
>> allow amavis_t sysfs_t:dir search;
>>
>> #============= clamscan_t =============
>> allow clamscan_t amavis_spool_t:dir read;
> In the latest rhel6 policies amavis_t and clamscan_t have been merged
> into antivirus_t? Is your selinux-policy up to date?

Yes, everything is up-to-date as of the time of report and I have checked again this morning. That system has no unapplied fixes for software provided through the official CentOS-6 repositories. Does this change apply only to 7 or has it been backported? Both amavisd-new and clamav are provided via the epel repository.

>> #============= logwatch_mail_t =============
>> allow logwatch_mail_t usr_t:lnk_file read;
>>
>> #============= postfix_master_t =============
>> allow postfix_master_t tmp_t:dir read;
>>
>> #============= postfix_postdrop_t =============
>> allow postfix_postdrop_t tmp_t:dir read;
>>
>> #============= postfix_showq_t =============
>> allow postfix_showq_t tmp_t:dir read;
> Any reason postfix would be listing the contents of /tmp or /var/tmp?
> Did you put some content into these directories that have something to
> do with mail?

That question I need to put to the Postfix mailing list. I see nothing in the spec file that bears on the matter and the tarball was pulled from:

ftp://ftp.porcupine.org/mirrors/postfix-release/official/

>> #============= postfix_smtp_t =============
>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>>
>>

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On 12/05/2014 01:24 PM, James B. Byrne wrote:
> On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
>> On 12/04/2014 03:22 PM, James B. Byrne wrote:
>>> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>>>> Re: SELinux. Do I just build a local policy or is there some boolean
>>>> setting
>>>> needed to handle this? I could not find one if there is but. . .
>>>>
>>> Anyone see any problem with generating a custom policy consisting of the
>>> following?
>>>
>>> grep avc /var/log/audit/audit.log | audit2allow
>>>
>>>
>>> #============= amavis_t =============
>>> allow amavis_t shell_exec_t:file execute;
>>> allow amavis_t sysfs_t:dir search;
>>>
>>> #============= clamscan_t =============
>>> allow clamscan_t amavis_spool_t:dir read;
>> In the latest rhel6 policies amavis_t and clamscan_t have been merged
>> into antivirus_t? Is your selinux-policy up to date?
> Yes, everything is up-to-date as of the time of report and I have checked
> again this morning. That system has no unapplied fixes for software provided
> through the official CentOS-6 repositories. Does this change apply only to 7
> or has it been backported? Both amavisd-new and clamav are provided via the
> epel repository.

rpm -q selinux-policy

selinux-policy-3.7.19-260.el6 is the current policy in development.

>
>>> #============= logwatch_mail_t =============
>>> allow logwatch_mail_t usr_t:lnk_file read;
>>>
>>> #============= postfix_master_t =============
>>> allow postfix_master_t tmp_t:dir read;
>>>
>>> #============= postfix_postdrop_t =============
>>> allow postfix_postdrop_t tmp_t:dir read;
>>>
>>> #============= postfix_showq_t =============
>>> allow postfix_showq_t tmp_t:dir read;
>> Any reason postfix would be listing the contents of /tmp or /var/tmp?
>> Did you put some content into these directories that have something to
>> do with mail?
> That question I need to put to the Postfix mailing list. I see nothing in the
> spec file that bears on the matter and the tarball was pulled from:
>
> ftp://ftp.porcupine.org/mirrors/postfix-release/official/
>
>>> #============= postfix_smtp_t =============
>>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>>>
>>>
>
>
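The thread turns on two review questions about `grep avc ... | audit2allow` output: whether a generated rule references a type that the current policy has already merged away (amavis_t / clamscan_t into antivirus_t), and whether a rule such as `allow postfix_postdrop_t tmp_t:dir read;` points at mislabeled content rather than a genuine policy gap. The script below is an added example, not code from this list or from the audit2allow tool; it reproduces the merging step audit2allow performs (one rule per source type, target type and object class, with permissions from repeated denials folded together) over a constructed handful of AVC records, and then separates rules whose target type is on a hypothetical review list from the rest so the questionable ones are visible before anything is built into a module. The sample log lines, the `REVIEW_TARGETS` set and the `STALE_SOURCES` map are all assumptions made for this example.

```python
"""Summarise SELinux AVC denials as audit2allow-style rules and flag the ones to question.

Added example; the audit records below are constructed to resemble the denials quoted
in the thread and are not real log data.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417721990.101:2001): avc:  denied  { execute } for  pid=2101 comm="amavisd" name="bash" dev=dm-0 ino=1001 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1417721990.102:2002): avc:  denied  { search } for  pid=2101 comm="amavisd" name="/" dev=sysfs ino=1 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1417721990.103:2003): avc:  denied  { read } for  pid=2102 comm="postdrop" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417721990.104:2004): avc:  denied  { read } for  pid=2103 comm="smtp" name="1A2B3C" dev=dm-0 ino=3 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1417721990.105:2005): avc:  denied  { write getattr } for  pid=2103 comm="smtp" name="1A2B3C" dev=dm-0 ino=3 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=SYSCALL msg=audit(1417721990.105:2005): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC record: the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Assumed review list: target types broad enough that a denial usually means mislabeled
# files or an unexpected program path, not a missing allow rule.
REVIEW_TARGETS = {"tmp_t", "shell_exec_t", "bin_t", "usr_t", "var_t", "unlabeled_t"}

# Assumed map of source types the thread says newer policy merged into another type;
# a generated rule naming the old type would not match the running policy.
STALE_SOURCES = {"amavis_t": "antivirus_t", "clamscan_t": "antivirus_t"}


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD and PATH records carry no denial of their own
        stype = m.group("sctx").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tctx").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def summarise_rules(log_text):
    """Merge denials the way audit2allow does: one rule per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        merged[(stype, ttype, tclass)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule; permissions are sorted for a stable diff-able output."""
    perms = sorted(perms)
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_txt};"


def review(rules):
    """Split rules into (accepted, questionable) with a reason attached to each flagged one."""
    accepted, questionable = [], []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        text = format_rule(stype, ttype, tclass, perms)
        if stype in STALE_SOURCES:
            questionable.append((text, f"source type may be merged into {STALE_SOURCES[stype]}"))
        elif ttype in REVIEW_TARGETS:
            questionable.append((text, f"broad target type {ttype}; check file labels first"))
        else:
            accepted.append(text)
    return accepted, questionable


if __name__ == "__main__":
    ok, flagged = review(summarise_rules(SAMPLE_AUDIT_LOG))
    print("# rules that look like ordinary policy gaps")
    print("\n".join(ok))
    print("\n# rules to investigate before building a module")
    for rule, why in flagged:
        print(f"{rule}    # {why}")
```

On the constructed input the only rule that survives review unflagged is the postfix_smtp_t access to postfix_spool_maildrop_t, with the three separately denied permissions folded into one `{ getattr read write }` set; the tmp_t rule and both amavis_t rules land in the flagged list with the reason that Daniel J Walsh raised in the thread. Running the real `audit2allow -M localpolicy` on the raw log and `semodule -i localpolicy.pp` comes only after that pass.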