From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] services_amavis.patch
Date: Thu, 25 Sep 2008 16:10:00 -0400
Message-ID: <48DBF018.909@redhat.com>
In-Reply-To: <200809251719.10269.russell@coker.com.au>

Russell Coker wrote:
> On Thursday 25 September 2008 06:52, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_amavis.patch
>>
>> Add initrc script support
> 
> How much success are people having with the policy that has Amavis and ClamAV 
> in different domains?
> 
> The CentOS servers that I run have Amavis and ClamAV running unconfined 
> because getting the policy to work was too difficult (the two daemons 
> interact with each other a lot, trying to keep them separate is a lost 
> cause).
> 
> I've attached the policy that I have written for Debian/Lenny.  It runs 
> Amavis, ClamAV, and clamav-milter in the same domain.  I don't think that 
> makes any significant reduction to security but it significantly reduces the 
> difficulty in configuring it.
> 
> This is the change that I had been suggesting for a few years.
> 
I tend to think this is a good idea to look at some domains and start
to combine them to simplify policy.  The pendulum has swung too far
towards least privs and needs to start coming back the other way.  Email
handling/spam filtering/virus checking is the worst example of this.
