* fc5 policy patch
From: Russell Coker @ 2006-05-19 14:05 UTC (permalink / raw)
To: SE-Linux, Daniel Walsh
Attached is a patch against policy 2.2.38-1.fc5; the most significant thing it
does is to get Amavis and Clamav working.
I notice that Dan has just sent a patch against the rawhide policy to the list
with a slightly different set of Amavis changes. Without reviewing them
carefully it seems to me that Dan's patch won't make a default fedora-extras
anti-virus system work. Some of the things that are done with the
fedora-extras packages aren't optimal in regard to SE Linux (such as the
locations of some of the PID files and socket files).
My patch makes the anti-virus setup basically work. Due to the complexity of
the system there is a possibility of corner cases that I've missed, but the
only way we will discover that is to get this policy released and have people
try it.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: rjc-fc5.patch --]
[-- Type: text/x-diff, Size: 7453 bytes --]
diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.fc serefpolicy-2.2.38/policy/modules/services/amavis.fc
--- serefpolicy-2.2.38.orig/policy/modules/services/amavis.fc 2006-05-08 23:54:01.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/services/amavis.fc 2006-05-19 23:36:05.000000000 +1000
@@ -7,5 +7,7 @@
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
-/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/run/amavis(d)?/amavisd.lock -- gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd/amavisd.sock -s gen_context(system_u:object_r:amavis_var_run_t,s0)
/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
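Review bot: dropping /var/run/amavis(/.*)? leaves the /var/run/amavis(d)? directory itself without an amavis entry; the two replacement lines are `--` (regular file) entries for amavisd.lock and clamd.pid only, so on a relabel the directory falls back to whatever the generic /var/run entry gives it, and amavis_t then needs write access and a file transition on that type to create its lock file, which nothing in this patch adds. Keeping a directory entry such as `/var/run/amavis(d)? -d gen_context(system_u:object_r:amavis_var_run_t,s0)` would avoid that. Two smaller points: the new /var/spool/amavisd(/.*)? catch-all is placed after the `/var/spool/amavisd/amavisd.sock -s` line, whereas the existing files put the catch-all first and the specific entry later (compare /var/run/clamav in clamav.fc); if the last matching entry wins, a relabel gives the socket amavis_spool_t rather than amavis_var_run_t, so move the catch-all above it. And the dots in amavisd.lock and amavisd.sock are unescaped, unlike amavisd\.log in the context line above.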
diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.if serefpolicy-2.2.38/policy/modules/services/amavis.if
--- serefpolicy-2.2.38.orig/policy/modules/services/amavis.if 2006-05-08 23:54:01.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/services/amavis.if 2006-05-19 23:37:42.000000000 +1000
@@ -47,6 +47,49 @@
########################################
## <summary>
+## Create socket files under the amavis spool
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="socket_type">
+## <summary>
+## Type for socket file
+## </summary>
+## </param>
+#
+interface(`amavis_spool_create_socket',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ allow $1 amavis_spool_t:dir rw_dir_perms;
+ allow $1 $2:sock_file manage_file_perms;
+ type_transition $1 amavis_spool_t:sock_file $2;
+')
+
+########################################
+## <summary>
+## Read amavis spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_spool_file',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ allow $1 amavis_spool_t:file { getattr read };
+')
+
+########################################
+## <summary>
## Read amavis lib files.
## </summary>
## <param name="domain">
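Review bot: amavis_read_spool_file() grants getattr/read on amavis_spool_t:file but no search on amavis_spool_t:dir, so a domain that uses only this interface still cannot reach the files under /var/spool/amavisd; add `allow $1 amavis_spool_t:dir search_dir_perms;`. It works for clamd_t in this patch only because amavis_spool_create_socket() happens to grant rw_dir_perms on the same directory. In amavis_spool_create_socket(), `allow $1 $2:sock_file manage_file_perms;` is not scoped to the spool (it is $1's own type, so acceptable), but the summary should state that the socket is created with type $2. The new XML summaries also lack the trailing period the neighbouring interfaces use (`Read amavis lib files.`).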
diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.te serefpolicy-2.2.38/policy/modules/services/amavis.te
--- serefpolicy-2.2.38.orig/policy/modules/services/amavis.te 2006-05-08 23:54:02.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/services/amavis.te 2006-05-19 22:38:35.000000000 +1000
@@ -31,6 +31,9 @@
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
# virus quarantine
type amavis_quarantine_t;
files_type(amavis_quarantine_t)
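Review bot: the other type declarations in this block carry a one-line comment (`# virus quarantine`); give amavis_spool_t one as well, e.g. `# /var/spool/amavisd`, since the spool directory's dual role (spooled mail plus the clamd socket) is not obvious from the name.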
@@ -70,6 +73,12 @@
files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
+# Spool Files
+files_search_spool(amavis_t)
+allow amavis_t amavis_spool_t:dir manage_dir_perms;
+allow amavis_t amavis_spool_t:file manage_file_perms;
+type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
+
# log files
allow amavis_t amavis_var_log_t:file create_file_perms;
allow amavis_t amavis_var_log_t:sock_file create_file_perms;
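Review bot: `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` only takes effect if amavis_t may create sock_file objects of type amavis_var_run_t; this hunk grants dir and file access on amavis_spool_t and nothing on amavis_var_run_t:sock_file, and the context line above shows the existing sock_file transition is for amavis_var_lib_t. Confirm the allow rule exists elsewhere or add `allow amavis_t amavis_var_run_t:sock_file manage_file_perms;`. Also, manage_dir_perms on amavis_spool_t lets amavis_t create subdirectories, but there is no files_spool_filetrans(amavis_t, amavis_spool_t, dir), so if the daemon ever creates /var/spool/amavisd itself it gets the generic spool type; harmless only if the package ships the directory.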
@@ -85,6 +94,11 @@
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)
+# dontaudit terminal access
+ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(amavis_t)
+')
+
# find perl
corecmd_exec_bin(amavis_t)
corecmd_search_sbin(amavis_t)
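Review bot: the `ifdef(`targeted_policy',...)` guard around term_dontaudit_use_generic_ptys(amavis_t) means the same AVC noise is still logged under strict; a dontaudit rule grants nothing, so unless strict never produces these denials the guard just hides them on one flavour (the identical block in clamav.te below has the same issue). A comment on what triggers the pty access, in the style of the existing "perl..." remark, would help the next reader.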
diff -ru serefpolicy-2.2.38.orig/policy/modules/services/clamav.fc serefpolicy-2.2.38/policy/modules/services/clamav.fc
--- serefpolicy-2.2.38.orig/policy/modules/services/clamav.fc 2006-05-19 20:04:12.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/services/clamav.fc 2006-05-19 22:51:51.000000000 +1000
@@ -8,6 +8,7 @@
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav/clamd.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
+/var/run/amavis(d)?/clamd.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
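Review bot: this entry labels a clamd file inside the amavis run directory, which is what the reply below questions; it only works if clamd_t may write to the parent directory's type and has a file transition there, and neither appears in the clamav.te hunks below (the amavis.fc hunk removed the directory entry, so the parent's type now depends on the generic /var/run entry). Either add the matching allow and filetrans rules or say in the commit message that DAC alone is relied on for that directory, as the author argues.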
diff -ru serefpolicy-2.2.38.orig/policy/modules/services/clamav.te serefpolicy-2.2.38/policy/modules/services/clamav.te
--- serefpolicy-2.2.38.orig/policy/modules/services/clamav.te 2006-05-19 20:04:12.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/services/clamav.te 2006-05-19 23:03:22.000000000 +1000
@@ -52,6 +52,7 @@
# clamd local policy
#
+logging_send_syslog_msg(clamd_t)
allow clamd_t self:capability { kill setgid setuid dac_override };
allow clamd_t self:fifo_file rw_file_perms;
allow clamd_t self:unix_stream_socket create_stream_socket_perms;
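Review bot: logging_send_syslog_msg(clamd_t) is inserted above the `allow clamd_t self:...` rules; the rest of this file keeps raw self rules first and interface calls afterwards in grouped blocks, so move it down beside the other interface calls to keep the file greppable.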
@@ -63,6 +64,13 @@
allow clamd_t clamd_etc_t:file r_file_perms;
allow clamd_t clamd_etc_t:lnk_file { getattr read };
+# Spool Files
+files_search_spool(clamd_t)
+optional_policy(`
+ amavis_spool_create_socket(clamd_t, clamd_var_run_t)
+ amavis_read_spool_file(clamd_t)
+')
+
# socket file
allow clamd_t clamd_sock_t:file manage_file_perms;
allow clamd_t clamd_sock_t:sock_file manage_file_perms;
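Review bot: amavis_spool_create_socket(clamd_t, clamd_var_run_t) gives clamd's socket under the amavis spool the type clamd_var_run_t, while the socket under /var/run/clamav is clamd_sock_t (clamav.fc: `/var/run/clamav/clamd.ctl -s`, and the `# socket file` rules in this hunk's context); passing clamd_sock_t here would keep one type for clamd's listening sockets instead of sharing the pid-file type. Independently, no .fc entry covers that socket under /var/spool/amavisd, so a relabel applies the /var/spool/amavisd(/.*)? catch-all and turns it into amavis_spool_t, which clamd_t cannot manage; add a `-s` entry for it alongside amavisd.sock in amavis.fc.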
@@ -95,6 +103,11 @@
kernel_dontaudit_list_proc(clamd_t)
+# dontaudit terminal access
+ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(clamd_t)
+')
+
corenet_tcp_sendrecv_all_if(clamd_t)
corenet_tcp_sendrecv_all_nodes(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
diff -ru serefpolicy-2.2.38.orig/policy/modules/services/dovecot.te serefpolicy-2.2.38/policy/modules/services/dovecot.te
--- serefpolicy-2.2.38.orig/policy/modules/services/dovecot.te 2006-05-08 23:54:01.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/services/dovecot.te 2006-05-19 20:07:03.000000000 +1000
@@ -80,6 +80,7 @@
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
+allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)
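Review bot: the raw rule `allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;` lands in the middle of the corenet_ interface calls; the surrounding file keeps self: rules in the local-policy block above the interface calls, and a one-line comment on why dovecot needs a routing netlink socket would save the next person an audit2allow round-trip.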
diff -ru serefpolicy-2.2.38.orig/policy/modules/system/selinuxutil.te serefpolicy-2.2.38/policy/modules/system/selinuxutil.te
--- serefpolicy-2.2.38.orig/policy/modules/system/selinuxutil.te 2006-05-19 20:04:12.000000000 +1000
+++ serefpolicy-2.2.38/policy/modules/system/selinuxutil.te 2006-05-19 21:37:07.000000000 +1000
@@ -546,6 +546,8 @@
files_read_usr_files(semanage_t)
files_list_pids(semanage_t)
+miscfiles_read_localization(semanage_t)
+
mls_file_write_down(semanage_t)
mls_rangetrans_target(semanage_t)
mls_file_read_up(semanage_t)
diff -ru serefpolicy-2.2.38.orig/policy/support/misc_macros.spt serefpolicy-2.2.38/policy/support/misc_macros.spt
--- serefpolicy-2.2.38.orig/policy/support/misc_macros.spt 2006-05-08 23:54:02.000000000 +1000
+++ serefpolicy-2.2.38/policy/support/misc_macros.spt 2006-05-19 20:15:07.000000000 +1000
@@ -37,7 +37,7 @@
#
# gen_context(context,mls_sensitivity,[mcs_categories])
#
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
########################################
#
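Review bot: the only change here is removing the space between `')` and `dnl`; since m4 emits everything before `dnl`, the old line appended a trailing space to every generated context, which is presumably what this fixes. Say so in the commit message: a whitespace-only hunk in a macro file otherwise looks accidental and is easy to revert.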
* Re: fc5 policy patch
From: Russell Coker @ 2006-05-19 14:31 UTC (permalink / raw)
To: SE-Linux; +Cc: Daniel Walsh
On Saturday 20 May 2006 00:05, Russell Coker <russell@coker.com.au> wrote:
> My patch makes the anti-virus setup basically work. Due to the complexity
> of the system there is a possibility of corner cases that I've missed, but
> the only way we will discover that is to get this policy released and have
> people try it.
Naturally, immediately after I posted that message I discovered such a corner
case: mail is apparently written to /var/lib/clamav by procmail and the
policy does not permit that. Determining the correct solution to this will
take a bit of time (hopefully I'll have it done before my client starts work
on Monday).
My previous patch is still worth including; it makes clamav usable on FC5. The
update to allow storing the virus messages (or whatever it is that procmail
is doing) can come later.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: fc5 policy patch
From: Daniel J Walsh @ 2006-05-19 15:06 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
Russell Coker wrote:
> Attached is a patch against policy 2.2.38-1.fc5, the most significant thing it
> does is to get Amavis and Clamav working.
>
> I notice that Dan has just sent a patch against the rawhide policy to the list
> with a slightly different set of Amavis changes. Without reviewing them
> carefully it seems to me that Dan's patch won't make a default fedora-extras
> anti-virus system work. Some of the things that are done with the
> fedora-extras packages aren't optimal in regard to SE Linux (such as the
> locations of some of the PID files and socket files).
>
> My patch makes the anti-virus setup basically work. Due to the complexity of
> the system there is a possibility of corner cases that I've missed, but the
> only way we will discover that is to get this policy released and have people
> try it.
>
See questions in the patch.
>
> ------------------------------------------------------------------------
>
> diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.fc serefpolicy-2.2.38/policy/modules/services/amavis.fc
> --- serefpolicy-2.2.38.orig/policy/modules/services/amavis.fc 2006-05-08 23:54:01.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/services/amavis.fc 2006-05-19 23:36:05.000000000 +1000
> @@ -7,5 +7,7 @@
> /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
> /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
> /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
> -/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
> +/var/run/amavis(d)?/amavisd.lock -- gen_context(system_u:object_r:amavis_var_run_t,s0)
>
Why would you make this change? Why not
-/var/run/amavisi(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
> +/var/spool/amavisd/amavisd.sock -s gen_context(system_u:object_r:amavis_var_run_t,s0)
> /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
> +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
> diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.if serefpolicy-2.2.38/policy/modules/services/amavis.if
> --- serefpolicy-2.2.38.orig/policy/modules/services/amavis.if 2006-05-08 23:54:01.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/services/amavis.if 2006-05-19 23:37:42.000000000 +1000
> @@ -47,6 +47,49 @@
>
> ########################################
> ## <summary>
> +## Create socket files under the amavis spool
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="socket_type">
> +## <summary>
> +## Type for socket file
> +## </summary>
> +## </param>
> +#
> +interface(`amavis_spool_create_socket',`
> + gen_require(`
> + type amavis_spool_t;
> + ')
> +
> + allow $1 amavis_spool_t:dir rw_dir_perms;
> + allow $1 $2:sock_file manage_file_perms;
> + type_transition $1 amavis_spool_t:sock_file $2;
> +')
> +
> +########################################
> +## <summary>
> +## Read amavis spool files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`amavis_read_spool_file',`
> + gen_require(`
> + type amavis_spool_t;
> + ')
> +
> + allow $1 amavis_spool_t:file { getattr read };
> +')
> +
> +########################################
> +## <summary>
> ## Read amavis lib files.
> ## </summary>
> ## <param name="domain">
> diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.te serefpolicy-2.2.38/policy/modules/services/amavis.te
> --- serefpolicy-2.2.38.orig/policy/modules/services/amavis.te 2006-05-08 23:54:02.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/services/amavis.te 2006-05-19 22:38:35.000000000 +1000
> @@ -31,6 +31,9 @@
> type amavis_tmp_t;
> files_tmp_file(amavis_tmp_t)
>
> +type amavis_spool_t;
> +files_type(amavis_spool_t)
> +
> # virus quarantine
> type amavis_quarantine_t;
> files_type(amavis_quarantine_t)
> @@ -70,6 +73,12 @@
> files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
> files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
>
> +# Spool Files
> +files_search_spool(amavis_t)
> +allow amavis_t amavis_spool_t:dir manage_dir_perms;
> +allow amavis_t amavis_spool_t:file manage_file_perms;
> +type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
> +
> # log files
> allow amavis_t amavis_var_log_t:file create_file_perms;
> allow amavis_t amavis_var_log_t:sock_file create_file_perms;
> @@ -85,6 +94,11 @@
> # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
> kernel_dontaudit_list_proc(amavis_t)
>
> +# dontaudit terminal access
> +ifdef(`targeted_policy',`
> + term_dontaudit_use_generic_ptys(amavis_t)
> +')
> +
> # find perl
> corecmd_exec_bin(amavis_t)
> corecmd_search_sbin(amavis_t)
> diff -ru serefpolicy-2.2.38.orig/policy/modules/services/clamav.fc serefpolicy-2.2.38/policy/modules/services/clamav.fc
> --- serefpolicy-2.2.38.orig/policy/modules/services/clamav.fc 2006-05-19 20:04:12.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/services/clamav.fc 2006-05-19 22:51:51.000000000 +1000
> @@ -8,6 +8,7 @@
>
> /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
> /var/run/clamav/clamd.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
> +/var/run/amavis(d)?/clamd.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
>
This looks like a bug?
> /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
> /var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
> /var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
> diff -ru serefpolicy-2.2.38.orig/policy/modules/services/clamav.te serefpolicy-2.2.38/policy/modules/services/clamav.te
> --- serefpolicy-2.2.38.orig/policy/modules/services/clamav.te 2006-05-19 20:04:12.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/services/clamav.te 2006-05-19 23:03:22.000000000 +1000
> @@ -52,6 +52,7 @@
> # clamd local policy
> #
>
> +logging_send_syslog_msg(clamd_t)
> allow clamd_t self:capability { kill setgid setuid dac_override };
> allow clamd_t self:fifo_file rw_file_perms;
> allow clamd_t self:unix_stream_socket create_stream_socket_perms;
> @@ -63,6 +64,13 @@
> allow clamd_t clamd_etc_t:file r_file_perms;
> allow clamd_t clamd_etc_t:lnk_file { getattr read };
>
> +# Spool Files
> +files_search_spool(clamd_t)
> +optional_policy(`
> + amavis_spool_create_socket(clamd_t, clamd_var_run_t)
> + amavis_read_spool_file(clamd_t)
> +')
> +
> # socket file
> allow clamd_t clamd_sock_t:file manage_file_perms;
> allow clamd_t clamd_sock_t:sock_file manage_file_perms;
> @@ -95,6 +103,11 @@
>
> kernel_dontaudit_list_proc(clamd_t)
>
> +# dontaudit terminal access
> +ifdef(`targeted_policy',`
> + term_dontaudit_use_generic_ptys(clamd_t)
> +')
> +
> corenet_tcp_sendrecv_all_if(clamd_t)
> corenet_tcp_sendrecv_all_nodes(clamd_t)
> corenet_tcp_sendrecv_all_ports(clamd_t)
> diff -ru serefpolicy-2.2.38.orig/policy/modules/services/dovecot.te serefpolicy-2.2.38/policy/modules/services/dovecot.te
> --- serefpolicy-2.2.38.orig/policy/modules/services/dovecot.te 2006-05-08 23:54:01.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/services/dovecot.te 2006-05-19 20:07:03.000000000 +1000
> @@ -80,6 +80,7 @@
> corenet_tcp_bind_pop_port(dovecot_t)
> corenet_tcp_connect_all_ports(dovecot_t)
> corenet_tcp_connect_postgresql_port(dovecot_t)
> +allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
>
> dev_read_sysfs(dovecot_t)
> dev_read_urand(dovecot_t)
> diff -ru serefpolicy-2.2.38.orig/policy/modules/system/selinuxutil.te serefpolicy-2.2.38/policy/modules/system/selinuxutil.te
> --- serefpolicy-2.2.38.orig/policy/modules/system/selinuxutil.te 2006-05-19 20:04:12.000000000 +1000
> +++ serefpolicy-2.2.38/policy/modules/system/selinuxutil.te 2006-05-19 21:37:07.000000000 +1000
> @@ -546,6 +546,8 @@
> files_read_usr_files(semanage_t)
> files_list_pids(semanage_t)
>
> +miscfiles_read_localization(semanage_t)
> +
> mls_file_write_down(semanage_t)
> mls_rangetrans_target(semanage_t)
> mls_file_read_up(semanage_t)
> diff -ru serefpolicy-2.2.38.orig/policy/support/misc_macros.spt serefpolicy-2.2.38/policy/support/misc_macros.spt
> --- serefpolicy-2.2.38.orig/policy/support/misc_macros.spt 2006-05-08 23:54:02.000000000 +1000
> +++ serefpolicy-2.2.38/policy/support/misc_macros.spt 2006-05-19 20:15:07.000000000 +1000
> @@ -37,7 +37,7 @@
> #
> # gen_context(context,mls_sensitivity,[mcs_categories])
> #
> -define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
> +define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
>
> ########################################
> #
>
* Re: fc5 policy patch
From: Russell Coker @ 2006-05-20 0:03 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE-Linux
On Saturday 20 May 2006 01:06, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Russell Coker wrote:
> > Attached is a patch against policy 2.2.38-1.fc5, the most significant
> > thing it does is to get Amavis and Clamav working.
> >
> > I notice that Dan has just sent a patch against the rawhide policy to the
> > list with a slightly different set of Amavis changes. Without reviewing
> > them carefully it seems to me that Dan's patch won't make a default
> > fedora-extras anti-virus system work. Some of the things that are done
> > with the fedora-extras packages aren't optimal in regard to SE Linux
> > (such as the locations of some of the PID files and socket files).
> >
> > My patch makes the anti-virus setup basically work. Due to the
> > complexity of the system there is a possibility of corner cases that I've
> > missed, but the only way we will discover that is to get this policy
> > released and have people try it.
>
> See questions in the patch.
>
> > ------------------------------------------------------------------------
> >
> > diff -ru serefpolicy-2.2.38.orig/policy/modules/services/amavis.fc
> > serefpolicy-2.2.38/policy/modules/services/amavis.fc ---
> > serefpolicy-2.2.38.orig/policy/modules/services/amavis.fc 2006-05-08
> > 23:54:01.000000000 +1000 +++
> > serefpolicy-2.2.38/policy/modules/services/amavis.fc 2006-05-19
> > 23:36:05.000000000 +1000 @@ -7,5 +7,7 @@
> > /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
> >
> > /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0
> >)
> > /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,
> >s0)
> > -/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s
> >0) +/var/run/amavis(d)?/amavisd.lock
> > -- gen_context(system_u:object_r:amavis_var_run_t,s0)
>
> Why would you make this change? Why not
>
> -/var/run/amavisi(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_
>t,s0)
As mentioned above, the Fedora Extras packages are doing some sub-optimal
things; one of these is having the clamd.amavisd program use
the /var/run/amavisd directory for its pid file. Allowing clamd_t to write
to a directory of type amavis_var_run_t seems to provide little benefit and
some extra pain, and we have Unix permissions to provide some protection on
access to that directory.
> > /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
> > /var/run/clamav/clamd.ctl -s gen_context(system_u:object_r:clamd_sock_t,s
> >0)
> > +/var/run/amavis(d)?/clamd.pid -- gen_context(system_u:object_r:clamd_var
> >_run_t,s0)
>
> This looks like a bug?
That is of course a matter of opinion. The Unix-only people would say that
two processes in the same UID should share the same directory; it's only for
SE Linux that we would want a different directory.
Policy evolves, and we will revisit these issues at some future time.
Packages change too; the Amavis and Clamav packages will hopefully change a
few things in this regard. But in the meantime the policy as I provided
works reasonably well.
I guess that one thing we might consider is merging the clamd_t and amavis_t
domains; the people who wrote them seem to think that they don't need to be
protected from each other...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
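The labelling questions argued over in this exchange (what /var/run/amavisd itself ends up as once the catch-all entry is gone, whether clamd.pid under it really gets clamd_var_run_t, and whether the socket under /var/spool/amavisd keeps amavis_var_run_t across a relabel) can be checked without a test box by replaying the .fc lines through a small resolver. The following is an added example written for this archive page, not code from the patch or from libselinux: it parses the post-patch amavis.fc and clamav.fc lines (with constructed stand-ins for the base module's generic /var/run and /var/spool entries) and applies the precedence rule these .fc files are written for, that the last matching entry wins. That rule, the flag table and the sample paths are assumptions of this toy; `move_line_above` exists only to show what changes if the spool catch-all is moved above the socket entry.

```python
"""Toy file_contexts resolver, constructed for this note (not libselinux code)."""
import re
from typing import Dict, List, Optional, Tuple

# Object-type flags a file_contexts entry may carry; an entry with no flag
# applies to every object kind.
FLAGS = {"--": "file", "-d": "dir", "-s": "sock", "-l": "symlink",
         "-p": "fifo", "-c": "chr", "-b": "blk"}

# (compiled regex, object kind or None, SELinux type), kept in file order
Entry = Tuple[re.Pattern, Optional[str], str]


def parse_fc(text: str) -> List[Entry]:
    """Parse '<regex> [<flag>] gen_context(<user:role:type>,<mls>)' lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        kind = FLAGS[parts[1]] if len(parts) == 3 else None
        m = re.fullmatch(r"gen_context\(([^,]+),.*\)", parts[-1])
        if m is None:
            raise ValueError(f"no gen_context() in: {line!r}")
        se_type = m.group(1).split(":")[2]      # user:role:type -> type
        entries.append((re.compile(parts[0]), kind, se_type))
    return entries


def resolve(entries: List[Entry], path: str, kind: str) -> Optional[str]:
    """Type a relabel would give `path` (an object of `kind`).

    Precedence rule assumed here: every entry whose anchored regex and flag
    match is a candidate and the LAST candidate in file order wins. That is
    the convention the .fc files in the patch are written for (catch-all
    entries first, specific entries later); real tools may add further rules."""
    winner = None
    for regex, flag, se_type in entries:
        if flag is not None and flag != kind:
            continue
        if regex.fullmatch(path):               # file_contexts regexes are anchored
            winner = se_type
    return winner


def resolve_all(fc_text: str, cases: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    entries = parse_fc(fc_text)
    return {path: resolve(entries, path, kind) for path, kind in cases}


def move_line_above(fc_text: str, line_prefix: str, target_prefix: str) -> str:
    """Return fc_text with the entry starting with line_prefix moved directly
    above the entry starting with target_prefix (used to test an ordering fix)."""
    lines = [l for l in fc_text.splitlines() if l.strip()]
    moved = next(l for l in lines if l.startswith(line_prefix))
    lines.remove(moved)
    idx = next(i for i, l in enumerate(lines) if l.startswith(target_prefix))
    lines.insert(idx, moved)
    return "\n".join(lines)


# Constructed stand-ins for the base module's generic /var/run and /var/spool
# entries, followed by the amavis.fc and clamav.fc lines as the patch leaves them.
PATCHED_FC = """
/var/run(/.*)?   gen_context(system_u:object_r:var_run_t,s0)
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/run/amavis(d)?/amavisd.lock -- gen_context(system_u:object_r:amavis_var_run_t,s0)
/var/spool/amavisd/amavisd.sock -s gen_context(system_u:object_r:amavis_var_run_t,s0)
/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav/clamd.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
/var/run/amavis(d)?/clamd.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
"""

# Paths the thread argues about, with the object kind each one is on disk.
CASES = [
    ("/var/run/amavisd", "dir"),
    ("/var/run/amavisd/amavisd.lock", "file"),
    ("/var/run/amavisd/clamd.pid", "file"),
    ("/var/spool/amavisd/amavisd.sock", "sock"),
    ("/var/run/clamav/clamd.ctl", "sock"),
]

if __name__ == "__main__":
    reordered = move_line_above(PATCHED_FC, "/var/spool/amavisd(/.*)?",
                                "/var/spool/amavisd/amavisd.sock")
    for title, fc in (("patch as posted", PATCHED_FC),
                      ("spool catch-all moved first", reordered)):
        print(f"== {title}")
        for path, se_type in resolve_all(fc, CASES).items():
            print(f"  {path:34} {se_type}")
```

Run directly, it prints one table for the patch as posted and one with the /var/spool/amavisd catch-all moved above the amavisd.sock line. In the first table the directory /var/run/amavisd resolves to the generic var_run_t (no amavis entry matches a directory any more), clamd.pid under it does get clamd_var_run_t, and the amavis socket comes out as amavis_spool_t because the catch-all is the later entry; in the second table the socket keeps amavis_var_run_t. The toy deliberately ignores any extra precedence a real setfiles or restorecon may apply (for instance by literal-prefix length), so treat it as a check of entry ordering, not as a reproduction of a particular tool.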