From: martin@martinorr.name (Martin Orr)
Date: Thu, 25 Sep 2008 13:19:02 +0100
Subject: [refpolicy] services_amavis.patch
In-Reply-To: <200809251719.10269.russell@coker.com.au>
References: <48DAA876.2030804@redhat.com> <200809251719.10269.russell@coker.com.au>
Message-ID: <48DB81B6.6060906@martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 25/09/08 08:19, Russell Coker wrote:
> On Thursday 25 September 2008 06:52, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_amavis.patch
>>
>> Add initrc script support
>
> How much success are people having with the policy that has Amavis and ClamAV
> in different domains?

Well I run amavis and clamav in separate domains (with Courier as MTA, so
that may be different from using exim/postfix), and the only extra rule I
need for clamav is:

    read_files_pattern(clamd_t, courier_spool_t, courier_spool_t)

(I have a bunch more rules for amavisd to talk to Courier, but then my
Courier policy is entirely home-grown.)

> The CentOS servers that I run have Amavis and ClamAV running unconfined
> because getting the policy to work was too difficult (the two daemons
> interact with each other a lot, trying to keep them separate is a lost
> cause).

How do they interact with each other beyond communicating by a socket and
clamd reading amavis spool files?

And people might want to use clamav to scan things other than mail, or to
use a commercial AV scanner with amavis (of course in the latter case, they
would have to write policy for the AV scanner themselves).

Best wishes,

-- 
Martin Orr