Re: Updates to amavisd [patch]

On Friday 15 April 2005 07:35, David Hampton <hampton-rh@rainbolthampton.net> wrote:
> The attached patch updates the (unused) amavisd policy to work with the
> changes in the FC strict/1.23.10-2 policy. It also fixes the access
> needed by tmpreaper to delete files from the caught spam/virus
> directory.

+allow initrc_t amavisd_etc_t:file read; Generally it's a bad idea to grant read access without getattr.

@@ -120,6 +122,6 @@

 # Tmp reaper
 ifdef(`tmpreaper.te', `
-allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink
 };

-allow tmpreaper_t amavisd_quarantine_t:file getattr;
+allow tmpreaper_t amavisd_quarantine_t:dir create_dir_perms;
+allow tmpreaper_t amavisd_quarantine_t:file link_file_perms;

tmpreaper_t shouldn't be creating directories. For the file access { getattr unlink } should be sufficient.

The following should do:
allow tmpreaper_t amavisd_quarantine_t:dir { rw_dir_perms unlink }; allow tmpreaper_t amavisd_quarantine_t:file { getattr unlink };

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.