From: russell@coker.com.au (Russell Coker)
Date: Thu, 2 Oct 2008 12:32:46 +1000
Subject: [refpolicy] services_amavis.patch
In-Reply-To: <48E35C62.8030609@martinorr.name>
References: <48DAA876.2030804@redhat.com>
	<200809271042.26493.russell@coker.com.au>
	<48E35C62.8030609@martinorr.name>
Message-ID: <200810021232.48495.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wednesday 01 October 2008 21:17, Martin Orr <martin@martinorr.name> wrote:
> > They can communicate by a socket or by running a program.
>
> Doesn't seem like interacting a lot to me.

There's also the issue of Unix domain sockets and inter-relations between 
paths.

> But I've thought a bit more about why I dislike merging the amavis and
> clamav domains, and my primary concern is that it is confusing to have
> amavisd running as clamav_t.  If I saw a denial with
> comm="amavisd" scontext=system_u:system_r:clamav_t:s0
> then I would assume that there was a missing transition somewhere.
>
> So while I still don't see the value of merging amavis_t and clamav_t when
> separate policy has already been written, I would be a lot happier if the
> merged domain were not called clamav_t.

I'm happy to rename it (but not for Lenny).  What do you suggest?

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development