[CentOS] Postfix avc (SELinux)
James B. Byrne
byrnejb at harte-lyne.ca
Fri Dec 5 18:24:06 UTC 2014
On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
>
> On 12/04/2014 03:22 PM, James B. Byrne wrote:
>> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>>> Re: SELinux. Do I just build a local policy or is there some boolean
>>> setting needed to handle this? I could not find one if there is but. . .
>>>
>> Anyone see any problem with generating a custom policy consisting of the
>> following?
>>
>> grep avc /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= amavis_t ==============
>> allow amavis_t shell_exec_t:file execute;
>> allow amavis_t sysfs_t:dir search;
>>
>> #============= clamscan_t ==============
>> allow clamscan_t amavis_spool_t:dir read;
> In the latest rhel6 policies amavis_t and clamscan_t have been merged
> into antivirus_t? Is your selinux-policy up 2 date?
Yes, everything is up-to-date as of the time of report and I have checked
again this morning. That system has no unapplied fixes for software provided
through the official CentOS-6 repositories. Does this change apply only to 7
or has it been backported? Both amavisd-new and clamav are provided via the
epel repository.
>> #============= logwatch_mail_t ==============
>> allow logwatch_mail_t usr_t:lnk_file read;
>>
>> #============= postfix_master_t ==============
>> allow postfix_master_t tmp_t:dir read;
>>
>> #============= postfix_postdrop_t ==============
>> allow postfix_postdrop_t tmp_t:dir read;
>>
>> #============= postfix_showq_t ==============
>> allow postfix_showq_t tmp_t:dir read;
> Any reason postfix would be listing the contents of /tmp or /var/tmp?
> Did you put some content into these directories that have something to
> do with mail?
That question I need to put to the Postfix mailing list. I see nothing in the
spec file that bears on the matter and the tarball was pulled from:
ftp://ftp.porcupine.org/mirrors/postfix-release/official/
>> #============= postfix_smtp_t ==============
>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>>
>>
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
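
An added example, not part of the original message: a small triage pass over the audit2allow output quoted above, run before any rule goes into a local module. The function names and the `REVIEW_TYPES` list are assumptions made for illustration; the list holds broadly shared labels (such as the `tmp_t` access questioned in the reply) where a denial is worth investigating before it is allowed.

```shell
#!/bin/sh
# Added example. REVIEW_TYPES is an illustrative assumption, not a policy
# standard: target types shared by many programs, where a denial may point
# at mislabeled files or unexpected behaviour rather than a missing rule.
REVIEW_TYPES="tmp_t usr_t shell_exec_t"

# stdin: audit2allow rules. stdout: "<verdict> <source> <target>:<class> <perms>"
triage_rules() {
    awk -v review="$REVIEW_TYPES" '
        BEGIN { n = split(review, r, " "); for (i = 1; i <= n; i++) flag[r[i]] = 1 }
        $1 == "allow" {
            split($3, tc, ":")                   # target_type:class
            perms = ""
            for (i = 4; i <= NF; i++) perms = perms " " $i
            gsub(/[{};]/, "", perms)             # drop braces and semicolon
            gsub(/^ +| +$/, "", perms); gsub(/ +/, " ", perms)
            verdict = (tc[1] in flag) ? "REVIEW" : "other"
            printf "%s %s %s:%s %s\n", verdict, $2, tc[1], tc[2], perms
        }'
}

# target:class pairs that appear in more than one rule; several domains
# denied on the same object suggest one common cause to track down.
shared_targets() {
    triage_rules | awk '{ n[$3]++ } END { for (t in n) if (n[t] > 1) print t, n[t] }' | sort
}

# Rules copied from the audit2allow output quoted in the message above.
sample_rules() {
    cat <<'EOF'
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;
#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;
#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;
#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;
#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;
#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
EOF
}

sample_rules | triage_rules
sample_rules | shared_targets
```

On a live system the input would come from `grep avc /var/log/audit/audit.log | audit2allow` instead of `sample_rules`.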