From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 25 Sep 2008 16:10:00 -0400
Subject: [refpolicy] services_amavis.patch
In-Reply-To: <200809251719.10269.russell@coker.com.au>
References: <48DAA876.2030804@redhat.com> <200809251719.10269.russell@coker.com.au>
Message-ID: <48DBF018.909@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Russell Coker wrote:
> On Thursday 25 September 2008 06:52, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_amavis.patch
>>
>> Add initrc script support
>
> How much success are people having with the policy that has Amavis and ClamAV
> in different domains?
>
> The CentOS servers that I run have Amavis and ClamAV running unconfined
> because getting the policy to work was too difficult (the two daemons
> interact with each other a lot, trying to keep them separate is a lost
> cause).
>
> I've attached the policy that I have written for Debian/Lenny. It runs
> Amavis, ClamAV, and clamav-milter in the same domain. I don't think that
> makes any significant reduction to security but it significantly reduces the
> difficulty in configuring it.
>
> This is the change that I had been suggesting for a few years.
>

I tend to think this is a good idea: to look at some domains and start to
combine them to simplify policy. The pendulum has swung too far towards least
privs and needs to start coming back the other way. Email handling/spam
filtering/virus checking is the worst example of this.