From: russell@coker.com.au (Russell Coker)
Date: Thu, 25 Sep 2008 17:19:08 +1000
Subject: [refpolicy] services_amavis.patch
In-Reply-To: <48DAA876.2030804@redhat.com>
References: <48DAA876.2030804@redhat.com>
Message-ID: <200809251719.10269.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thursday 25 September 2008 06:52, Daniel J Walsh <dwalsh@redhat.com> wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_amavis.patch
>
> Add initrc script support

How much success are people having with the policy that has Amavis and ClamAV 
in different domains?

The CentOS servers that I run have Amavis and ClamAV running unconfined 
because getting the policy to work was too difficult (the two daemons 
interact with each other a lot, trying to keep them separate is a lost 
cause).

I've attached the policy that I have written for Debian/Lenny.  It runs 
Amavis, ClamAV, and clamav-milter in the same domain.  I don't think that 
makes any significant reduction to security but it significantly reduces the 
difficulty in configuring it.

This is the change that I had been suggesting for a few years.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav.tgz
Type: application/x-tgz
Size: 2332 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080925/a67ea51b/attachment.bin