Edward Kuns wrote:
On Fri, 2008-02-29 at 09:16 -0500, Daniel J Walsh wrote:
Always add a user specify front end to your policy.
D'oh! That fixed it. Thanks.
This policy seems reasonable but most likely clamav-milter is going to /usr/bin to execute something. So you might end up needing either
corecmd_exec_bin(clamd_t)
Or some transition to another domain.
If you have an idea what app it is looking for, we can correct the policy.
How can I find out what it's looking for? As a test, I just added the policy:
module myclamav 1.0;

require {
	type bin_t;
	type clamd_t;
	class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
so if I understand this, you expect that I should later today get an AVC that clamav is trying to execute something that is bin_t? Assuming that's the case, I'll see what is there when I get home from work later and I'll post that. But if there's something else I can do to find out, let me know.
Thanks Eddie
Nope, that is the best you can do. You could put your machine in permissive mode to get all of the AVCs, but that could be dangerous. We hope to have permissive domains eventually, where we could allow clamd_t only to do its thing, but we don't have it yet.
Thanks for your help diagnosing this.
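
Added example (not part of the original thread): once the directory search is allowed, the next AVC denials name the object clamd_t is reaching for under bin_t, and this Python code pulls that out of audit records by filtering on source and target type. The log lines are constructed, and "example-helper" is a placeholder, not the program clamav-milter actually runs.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1204300000.101:41): avc:  denied  { search } for  pid=2345 comm="clamav-milter" name="bin" dev=dm-0 ino=1001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1204300000.202:42): avc:  denied  { execute } for  pid=2345 comm="clamav-milter" name="example-helper" dev=dm-0 ino=1002 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1204300000.303:43): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev=dm-0 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1204300000.202:42): arch=40000003 syscall=11 success=no exit=-13 comm="clamav-milter" exe="/usr/sbin/clamav-milter"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    return {
        "perms": match.group("perms").split(),
        "comm": fields.get("comm", "?"),
        # Older records carry name=, newer ones may carry a full path=.
        "name": fields.get("path") or fields.get("name", "?"),
        "source": context_type(fields.get("scontext", "")),
        "target": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
    }


def denials_for(log_text, source_type, target_type=None):
    """Map (object name, class) -> sorted permissions denied to source_type."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["source"] != source_type:
            continue
        if target_type and rec["target"] != target_type:
            continue
        wanted[(rec["name"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in wanted.items()}


if __name__ == "__main__":
    for (name, tclass), perms in denials_for(SAMPLE_AUDIT_LOG, "clamd_t", "bin_t").items():
        print(f"clamd_t -> bin_t:{tclass} {name}: {' '.join(perms)}")
```

In enforcing mode each run only shows the first denial on a given code path, so the log has to be re-read after every policy change.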