From mboxrd@z Thu Jan  1 00:00:00 1970
From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Date: Thu, 02 Sep 2004 20:05:40 +0000
Subject: Re: Lomac questions [was Re: [OT] SELinux vs. other systems]
Message-Id: <20040902200540.GL5745@lkcl.net>
List-Id: <linux-hotplug.vger.kernel.org>
References: <20040830173744.GD10151@lbsd.net> <20040831160750.GM11456@lkcl.net> <20040831164635.GK10151@lbsd.net> <20040831191809.GC4375@lkcl.net> <20040831224447.GA4964@austin.ibm.com> <1094048975.11084.9.camel@nexus.verbum.private> <20040901172542.GH4964@austin.ibm.com> <1094141429.17265.281.camel@moss-spartans.epoch.ncsc.mil> <20040902172907.GB9645@austin.ibm.com>
In-Reply-To: <20040902172907.GB9645@austin.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Linas Vepstas <linas@austin.ibm.com>
Cc: Stephen Smalley <sds@epoch.ncsc.mil>, "Fedora SELinux support list for users & developers." <fedora-selinux-list@redhat.com>, Colin Walters <walters@verbum.org>, linux-hotplug-devel@lists.sourceforge.net, SELinux <SELinux@tycho.nsa.gov>, Bill Nottingham <notting@redhat.com>, Nigel Kukard <nkukard@lbsd.net>, harald@redhat.com

On Thu, Sep 02, 2004 at 12:29:07PM -0500, Linas Vepstas wrote:

> Is the 'broken-ness' the fact that grandma failed to run an anti-virus
> scanner and verify checksums, yada yada, before elevating the
> priveldge on the downloaded software?

 [this is all with the strict policy 1.14 mostly sortof btw]

 i've installed clamav, spamassassin, razor and pyzor.

 oh, and freshclam.

 i then found a little script called clamassassin [google], i then
 searched [google] for some advice on how to set up kmail filters.

 kmail, the clamassassin script and spamc all run under the user
 context.

 the user context is given the right to bind to servers.

 spamd and clamd both run as servers: they have their own
 policies that restrict their operation to what is known
 that they presently do, but they are allowed to listen to
 incoming requests [from spamc and the clamassassin script
 respectively.]

 selinux doesn't in the _slightest_ bit get in the way.


 the only thing that i did find is that razor is a complete pain.

 it endeavours to write log files into /root/razor.log, /tmp/razor.log,
 /razor.log, it's a pain, and selinux is _exactly_ the sort of thing
 that can detect - and stop! - this behaviour.

 pyzor appears to be a lot less haphazard.

 also nobody else appears to have tried to run freshclam [automatic
 update script] before now, so i had to hack the clamav.te policy
 a bit to get it to run.

 l.



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id808&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel