[CentOS] Postfix avc (SELinux)

Fri Dec 5 09:53:24 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 12/04/2014 03:22 PM, James B. Byrne wrote:
> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>> Re: SELinux. Do I just build a local policy or is there some boolean setting
>> needed to handle this?  I could not find one if there is but. . .
>>
> Anyone see any problem with generating a custom policy consisting of the
> following?
>
> grep avc /var/log/audit/audit.log | audit2allow
>
>
> #============= amavis_t ==============
> allow amavis_t shell_exec_t:file execute;
> allow amavis_t sysfs_t:dir search;
>
> #============= clamscan_t ==============
> allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged
into antivirus_t?  Is your selinux-policy up to date?
> #============= logwatch_mail_t ==============
> allow logwatch_mail_t usr_t:lnk_file read;
>
> #============= postfix_master_t ==============
> allow postfix_master_t tmp_t:dir read;
>
> #============= postfix_postdrop_t ==============
> allow postfix_postdrop_t tmp_t:dir read;
>
> #============= postfix_showq_t ==============
> allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp?
Did you put some content into these directories that have something to
do with mail?
> #============= postfix_smtp_t ==============
> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>
>
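The two questions in the reply above (is the policy current, and why would postfix need to read /tmp) are the kind of check worth doing before any audit2allow output is loaded as a local module. The following script is an added example for this thread, not code from the list, from the poster, or from the selinux-policy project: it parses raw AVC denial lines, aggregates them into allow rules the way audit2allow groups them, optionally collapses the amavis_t/clamscan_t types into antivirus_t (the merge the reply mentions, treated here as an assumption), and flags the rules a reviewer should question rather than blanket-allow. The audit lines are constructed to mirror the rules quoted in the thread; they are not real audit data.

```python
"""Parse AVC denials, aggregate them audit2allow-style, and flag rules that
deserve a closer look before they are loaded with semodule.

Added example for this mailing-list thread. The sample lines below are
constructed; the type alias map reflects the merge mentioned in the reply
and is an assumption, not a statement about any particular policy version."""
import re
from collections import defaultdict

# Constructed AVC lines mirroring the rules quoted in the thread (not real audit data).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1417700001.100:101): avc:  denied  { read } for  pid=2301 comm="showq" '
    'name="tmp" dev=dm-0 ino=131073 scontext=system_u:system_r:postfix_showq_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1417700001.200:102): avc:  denied  { read } for  pid=2288 comm="master" '
    'name="tmp" dev=dm-0 ino=131073 scontext=system_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1417700002.300:103): avc:  denied  { execute } for  pid=2410 comm="amavisd" '
    'name="bash" dev=dm-0 ino=9001 scontext=system_u:system_r:amavis_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1417700002.400:104): avc:  denied  { search } for  pid=2410 comm="amavisd" '
    'name="/" dev=sysfs ino=1 scontext=system_u:system_r:amavis_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1417700003.500:105): avc:  denied  { read } for  pid=2500 comm="clamscan" '
    'name="amavis" dev=dm-0 ino=262145 scontext=system_u:system_r:clamscan_t:s0 '
    'tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir',
    'type=AVC msg=audit(1417700004.600:106): avc:  denied  { read write } for  pid=2610 comm="smtp" '
    'name="4F2A1B" dev=dm-0 ino=393217 scontext=system_u:system_r:postfix_smtp_t:s0 '
    'tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file',
    'type=AVC msg=audit(1417700004.700:107): avc:  denied  { getattr } for  pid=2610 comm="smtp" '
    'name="4F2A1B" dev=dm-0 ino=393217 scontext=system_u:system_r:postfix_smtp_t:s0 '
    'tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file',
    # A non-AVC record: the parser must skip it, just as "grep avc" would.
    'type=SYSCALL msg=audit(1417700004.700:107): arch=c000003e syscall=2 success=no exit=-13',
]

# Pull the permission set, the source and target *types* (third field of the
# context) and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=\S+?:\S+?:(?P<stype>\w+):\S+\s+'
    r'tcontext=\S+?:\S+?:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Assumption: the legacy-to-merged type mapping described in the reply.
LEGACY_TYPE_ALIASES = {"amavis_t": "antivirus_t", "clamscan_t": "antivirus_t"}


def parse_avc(lines):
    """Return (source type, target type, class, permissions) per AVC denial."""
    events = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, or a layout this parser does not handle
        events.append((m.group("stype"), m.group("ttype"), m.group("tclass"),
                       frozenset(m.group("perms").split())))
    return events


def build_rules(lines, collapse_aliases=False):
    """Merge denials into {(stype, ttype, tclass): set(perms)} like audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        if collapse_aliases:
            stype = LEGACY_TYPE_ALIASES.get(stype, stype)
            ttype = LEGACY_TYPE_ALIASES.get(ttype, ttype)
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_rules(rules):
    """Render the rules in audit2allow's layout (permissions sorted for stable output)."""
    by_source = defaultdict(list)
    for key in sorted(rules):
        by_source[key[0]].append(key)
    out = []
    for stype, keys in by_source.items():
        out.append(f"#============= {stype} ==============")
        for _, ttype, tclass in keys:
            perms = sorted(rules[(stype, ttype, tclass)])
            perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
        out.append("")
    return "\n".join(out).rstrip("\n")


def review_rules(rules):
    """Flag the rules a reviewer should justify before loading: the review
    criteria are the two questions raised in the thread, nothing more."""
    findings = {}
    for (stype, ttype, tclass), perms in rules.items():
        if ttype == "tmp_t" and tclass == "dir":
            findings[(stype, ttype, tclass)] = (
                "lists a generic temp directory; find out what mail-related content "
                "ended up in /tmp or /var/tmp before allowing it")
        elif ttype == "shell_exec_t" and "execute" in perms:
            findings[(stype, ttype, tclass)] = (
                "lets the whole domain execute a shell; identify the helper that needs "
                "it instead of granting it domain-wide")
    return findings


if __name__ == "__main__":
    rules = build_rules(SAMPLE_AVC_LINES)
    print(render_rules(rules))
    for key, why in review_rules(rules).items():
        print(f"REVIEW {key[0]} -> {key[1]}:{key[2]}: {why}")
```

Running the script prints the same style of rule list the poster pasted, followed by the rules the reply questions (the three tmp_t and shell_exec_t grants); passing `collapse_aliases=True` to `build_rules` shows what the same denials look like once amavis_t and clamscan_t are treated as antivirus_t. On the real system, `audit2allow -w` (the `--why` option) on the same log explains each denial before anything is built and loaded.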