[Mimedefang] SELinux labeling
Kenneth Porter
shiva at sewingwitch.com
Wed Jun 10 17:27:06 EDT 2009
--On Tuesday, June 09, 2009 10:15 AM -0500 Stephen L Johnson
<stephen.johnson at arkansas.gov> wrote:
> If I understand your question, you can run the clamd process as the
> 'defang' user. It's easy enough for me because I maintain my own
> customized (for my site) ClamAV rpm package. Another option is to add
> the users the processes (clamd, spamd, etc) run under to the 'defang'
> group and change permissions on the MD directory to allow the proper
> access.

I'll give that a try, but SELinux doesn't work by owner/mode permissions.
Instead, you "label" files and programs (using the chcon utility). The
machine has a policy comprising a list of triplets: program/action/object.
For a program (e.g. clamd/mimedefang) to apply an action (e.g. read file) to
an object (e.g. the directories and files in MD's path), a matching triplet
must be in the policy. (The policy is a binary object in the kernel,
compiled from a text description.)

So there has to be a suitable policy (packages can load sub-policies) and
the files they access have to be labeled accordingly.

You can use "ls -Z" to see the labels on files.
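
The triplet matching described in the message above, modelled in Python as an added example (not part of the original post and not MIMEDefang or SELinux code): a file is readable by a program only if a rule names the program's type, the file's label and the action. The type names mimedefang_t and mimedefang_spool_t, the sample rules and the placeholder paths are assumptions constructed for illustration, and the model ignores SELinux users, roles and levels.

```python
import re

# Constructed policy in SELinux "allow" rule syntax. mimedefang_t and
# mimedefang_spool_t are hypothetical type names chosen for this example.
POLICY = """
allow mimedefang_t mimedefang_spool_t:file { create read write unlink };
allow clamd_t mimedefang_spool_t:dir search;
allow clamd_t mimedefang_spool_t:file { getattr read };
"""

# Constructed `ls -Z` style output (context, then path); paths are placeholders.
LS_Z = """
system_u:object_r:mimedefang_spool_t:s0 /path/to/md-spool/work1/INPUTMSG
system_u:object_r:var_spool_t:s0 /path/to/md-spool/work2/INPUTMSG
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_policy(text):
    """Expand each allow rule into (domain, object_type, class, permission) tuples."""
    rules = set()
    for src, tgt, cls, group, single in RULE.findall(text):
        for perm in (group or single).split():
            rules.add((src, tgt, cls, perm))
    return rules

def parse_labels(ls_z):
    """Map path -> type, the third field of the user:role:type[:level] context."""
    labels = {}
    for line in ls_z.strip().splitlines():
        context, path = line.split()[-2:]
        labels[path] = context.split(":")[2]
    return labels

def allowed(rules, labels, domain, perm, path, cls="file"):
    """Default deny: access passes only if a rule matches the file's current label."""
    return (domain, labels.get(path), cls, perm) in rules

def chcon_type(labels, path, new_type):
    """Model of `chcon -t new_type path`: return a relabeled copy of the label map."""
    return {**labels, path: new_type}
```

The second sample file carries a label no rule mentions, so the clamd domain is denied regardless of its owner or mode bits until the file is relabeled.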