[Mimedefang] SELinux labeling

Kenneth Porter shiva at sewingwitch.com
Wed Jun 10 17:27:06 EDT 2009


--On Tuesday, June 09, 2009 10:15 AM -0500 Stephen L Johnson 
<stephen.johnson at arkansas.gov> wrote:

> If I understand your question, you can run the clamd process as the
> 'defang' user. It's easy enough for me because I maintain my own
> customized (for my site) ClamAV rpm package. Another option is to add
> the users the processes (clamd, spamd, etc) run under to the 'defang'
> group and change permissions on the MD directory to allow the proper
> access.

I'll give that a try, but SELinux doesn't work by owner/mode permissions. 
Instead, you "label" files and programs (using the chcon utility). The 
machine has a policy comprising a list of triplets: program/action/object. 
For a program (eg. clamd/mimedefang) to apply an action (eg. read file) to 
an object (eg. the directories and files in MD's path), a matching triplet 
must be in the policy. (The policy is a binary object in the kernel, 
compiled from a text description.)

So there has to be a suitable policy (packages can load sub-policies) and 
the files they access have to be labeled accordingly.

You can use "ls -Z" to see the labels on files.
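The program/action/object triplet described above is exactly what an SELinux AVC denial record contains. As an added example (not part of the original thread), this POSIX shell function extracts that triplet from audit-log lines so you can see which label pair the policy lacks before inspecting the object with "ls -Z"; the sample records, process name, labels and inode numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: pull the program/action/object
# triplet out of SELinux AVC denial records. Each denial names the label of
# the acting process (scontext), the label of the file or directory it touched
# (tcontext), the object class and the action that was refused. That is the
# triplet the policy is missing, and it tells you which label to check with
# "ls -Z" before relabeling with chcon or extending the policy.

# Constructed sample records in audit.log format (not real log output). The
# process name, labels and inode numbers are made up; the final SYSCALL record
# is there to show that non-AVC lines are ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1244650000.123:456): avc:  denied  { read } for  pid=2345 comm="clamd" name="df1.msg" dev=dm-0 ino=98765 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1244650001.456:457): avc:  denied  { search } for  pid=2345 comm="clamd" name="mimedefang" dev=dm-0 ino=12345 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1244650001.456:457): arch=c000003e syscall=2 success=no exit=-13'

# avc_triplets: read audit records on stdin and print one
# "<source type> <action> <target type>:<class>" line per distinct denial.
# The type field is the third colon-separated part of a label; the optional
# MLS range that may follow it (":s0", ":s0-s0:c0.c1023") is skipped.
avc_triplets() {
    grep 'avc: *denied' |
    sed -n 's/.*denied *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tclass=\([a-z_]*\).*/\2 \1 \3:\4/p' |
    sort -u
}

# avc_triplets_from_sample: run the parser over the constructed records above.
avc_triplets_from_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_triplets
}

# Stand-alone use: print the sample result. On a real host, read the live
# audit log the same way:  avc_triplets < /var/log/audit/audit.log
avc_triplets_from_sample
```

Each output line tells you which process type was refused which action on which object type; compare the target type with what "ls -Z" shows on the MD directories to decide whether the files are mislabeled or the policy needs an extra rule.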
