[ZendTo] SElinux and mod_security

John Cooper johnpcooper at yahoo.com
Mon Oct 10 14:46:36 BST 2011


Finally fixed the last two issues, both SELinux related. I was missing httpd_ssi_exec but this caused more AVCs which needed to be added to my local policy. The corrupted "reply-to" address on the picked up email is now fixed.


# -P makes the boolean persistent across reboots
setsebool -P httpd_can_sendmail 1   # httpd may connect to the MTA (the pickup mail)
setsebool -P httpd_enable_cgi 1     # httpd may run CGI scripts
setsebool -P httpd_ssi_exec 1       # httpd may exec from SSI; this is the one that was missing
cat postgreylocal.te

module postgreylocal 1.4;

# Every type and class used in the allow rules below must be declared here.
require {
    type httpd_sys_script_t;
    type clamscan_exec_t;
    type clamd_var_run_t;
    type httpd_sys_rw_content_t;
    type clamd_t;
    type httpd_t;
    type default_t;
    type clamscan_t;
    class file { getattr read open };
    class process sigchld;
    class unix_stream_socket { connectto read write };
    class fifo_file write;
    class sock_file write;
    class dir { search getattr };
}

# default_t is the label a path gets when no file-context rule matches it
# (see "semanage fcontext -l" / restorecon); these rules grant traversal
# of such directories to the clamd, clamscan and httpd script domains.

#============= clamd_t ==============
allow clamd_t default_t:dir search;
# the clamd daemon reads the uploaded files in the web-writable dropoff area
allow clamd_t httpd_sys_rw_content_t:file { read getattr open };

#============= clamscan_t ==============
allow clamscan_t default_t:dir search;
allow clamscan_t httpd_sys_rw_content_t:file getattr;
# clamscan is spawned by httpd: it writes to httpd's pipe/socket and
# sends SIGCHLD back to its parent when it exits
allow clamscan_t httpd_t:fifo_file write;
allow clamscan_t httpd_t:process sigchld;
allow clamscan_t httpd_t:unix_stream_socket { read write };

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t default_t:dir search;

#============= httpd_t ==============
# httpd talks to clamd over its unix socket under /var/run/clamav
allow httpd_t clamd_t:unix_stream_socket connectto;
allow httpd_t clamd_var_run_t:dir search;
allow httpd_t clamd_var_run_t:sock_file write;
# httpd executes the clamscan binary directly
allow httpd_t clamscan_exec_t:file { read getattr open };
allow httpd_t default_t:dir { search getattr };