1spamc_selinux(8) SELinux Policy spamc spamc_selinux(8)
2
6 spamc_selinux - Security Enhanced Linux Policy for the spamc processes
7
9 Security-Enhanced Linux secures the spamc processes via flexible manda‐
10 tory access control.
11 The spamc processes execute with the spamc_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep spamc_t
19
23 The spamc_t SELinux type can be entered via the spamc_exec_t file type.
24 The default entrypoint paths for the spamc_t domain are the following:
26 /usr/bin/razor.*, /usr/bin/spamc, /usr/bin/pyzor, /usr/bin/sa-learn,
28 /usr/bin/spamassassin
29
31 SELinux defines process types (domains) for each process running on the
32 system
33 You can see the context of a process using the -Z option to ps
35 Policy governs the access confined processes have to files. SELinux
37 spamc policy is very flexible allowing users to setup their spamc pro‐
38 cesses in as secure a method as possible.
39 The following process types are defined for spamc:
41 spamc_t
43 Note: semanage permissive -a spamc_t can be used to make the process
45 type spamc_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
51 SELinux policy is customizable based on least access required. spamc
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run spamc with the tightest access possible.
54 If you want to allow all domains to use other domains file descriptors,
58 you must turn on the allow_domain_fd_use boolean. Enabled by default.
59 setsebool -P allow_domain_fd_use 1
61 If you want to allow confined applications to run with kerberos, you
65 must turn on the allow_kerberos boolean. Enabled by default.
66 setsebool -P allow_kerberos 1
68 If you want to allow sysadm to debug or ptrace all processes, you must
72 turn on the allow_ptrace boolean. Disabled by default.
73 setsebool -P allow_ptrace 1
75 If you want to allow system to run with NIS, you must turn on the
79 allow_ypbind boolean. Disabled by default.
80 setsebool -P allow_ypbind 1
82 If you want to allow all domains to have the kernel load modules, you
86 must turn on the domain_kernel_load_modules boolean. Disabled by
87 default.
88 setsebool -P domain_kernel_load_modules 1
90 If you want to allow all domains to execute in fips_mode, you must turn
94 on the fips_mode boolean. Enabled by default.
95 setsebool -P fips_mode 1
97 If you want to enable reading of urandom for all domains, you must turn
101 on the global_ssp boolean. Disabled by default.
102 setsebool -P global_ssp 1
104 If you want to allow http daemon to check spam, you must turn on the
108 httpd_can_check_spam boolean. Disabled by default.
109 setsebool -P httpd_can_check_spam 1
111 If you want to allow http daemon to send mail, you must turn on the
115 httpd_can_sendmail boolean. Disabled by default.
116 setsebool -P httpd_can_sendmail 1
118 If you want to allow confined applications to use nscd shared memory,
122 you must turn on the nscd_use_shm boolean. Enabled by default.
123 setsebool -P nscd_use_shm 1
125 If you want to allow user spamassassin clients to use the network, you
129 must turn on the spamassassin_can_network boolean. Disabled by default.
130 setsebool -P spamassassin_can_network 1
132 If you want to support NFS home directories, you must turn on the
136 use_nfs_home_dirs boolean. Disabled by default.
137 setsebool -P use_nfs_home_dirs 1
139 If you want to support SAMBA home directories, you must turn on the
143 use_samba_home_dirs boolean. Disabled by default.
144 setsebool -P use_samba_home_dirs 1
146
150 The SELinux process type spamc_t can manage files labeled with the fol‐
151 lowing file types. The paths listed are the default paths for these
152 file types. Note the processes UID still need to have DAC permissions.
153 antivirus_db_t
155 /var/clamav(/.*)?
157 /var/amavis(/.*)?
158 /var/lib/clamd.*
159 /var/lib/amavis(/.*)?
160 /var/lib/clamav(/.*)?
161 /var/virusmails(/.*)?
162 /var/opt/f-secure(/.*)?
163 /var/spool/amavisd(/.*)?
164 cifs_t
166 initrc_tmp_t
169 mnt_t
172 /mnt(/[^/]*)
174 /mnt(/[^/]*)?
175 /rhev(/[^/]*)?
176 /media(/[^/]*)
177 /media(/[^/]*)?
178 /etc/rhgb(/.*)?
179 /media/.hal-.*
180 /net
181 /afs
182 /rhev
183 /misc
184 nfs_t
186 spamass_milter_state_t
189 /var/lib/spamass-milter(/.*)?
191 spamc_home_t
193 /root/.razor(/.*)?
195 /root/.pyzor(/.*)?
196 /root/.spamd(/.*)?
197 /root/.spamassassin(/.*)?
198 /home/[^/]*/.razor(/.*)?
199 /home/[^/]*/.pyzor(/.*)?
200 /home/[^/]*/.spamd(/.*)?
201 /home/[^/]*/.spamassassin(/.*)?
202 /home/staff/.razor(/.*)?
203 /home/staff/.pyzor(/.*)?
204 /home/staff/.spamd(/.*)?
205 /home/staff/.spamassassin(/.*)?
206 spamc_tmp_t
208 tmp_t
211 /tmp
213 /usr/tmp
214 /var/tmp
215 /tmp-inst
216 /var/tmp-inst
217 /var/tmp/vi.recover
218
221 SELinux requires files to have an extended attribute to define the file
222 type.
223 You can see the context of a file using the -Z option to ls
225 Policy governs the access confined processes have to these files.
227 SELinux spamc policy is very flexible allowing users to setup their
228 spamc processes in as secure a method as possible.
229 STANDARD FILE CONTEXT
231 SELinux defines the file context types for the spamc, if you wanted to
233 store files with these types in a diffent paths, you need to execute
234 the semanage command to sepecify alternate labeling and then use
235 restorecon to put the labels on disk.
236 semanage fcontext -a -t spamc_tmp_t '/srv/myspamc_content(/.*)?'
238 restorecon -R -v /srv/myspamc_content
239 Note: SELinux often uses regular expressions to specify labels that
241 match multiple files.
242 The following file types are defined for spamc:
244 spamc_exec_t
248 - Set files with the spamc_exec_t type, if you want to transition an
250 executable to the spamc_t domain.
251 Paths:
254 /usr/bin/razor.*, /usr/bin/spamc, /usr/bin/pyzor, /usr/bin/sa-
255 learn, /usr/bin/spamassassin
256 spamc_home_t
259 - Set files with the spamc_home_t type, if you want to store spamc
261 files in the users home directory.
262 Paths:
265 /root/.razor(/.*)?, /root/.pyzor(/.*)?, /root/.spamd(/.*)?,
266 /root/.spamassassin(/.*)?, /home/[^/]*/.razor(/.*)?,
267 /home/[^/]*/.pyzor(/.*)?, /home/[^/]*/.spamd(/.*)?,
268 /home/[^/]*/.spamassassin(/.*)?, /home/staff/.razor(/.*)?,
269 /home/staff/.pyzor(/.*)?, /home/staff/.spamd(/.*)?,
270 /home/staff/.spamassassin(/.*)?
271 spamc_tmp_t
274 - Set files with the spamc_tmp_t type, if you want to store spamc tem‐
276 porary files in the /tmp directories.
277 Note: File context can be temporarily modified with the chcon command.
281 If you want to permanently change the file context you need to use the
282 semanage fcontext command. This will modify the SELinux labeling data‐
283 base. You will need to use restorecon to apply the labels.
284
287 semanage fcontext can also be used to manipulate default file context
288 mappings.
289 semanage permissive can also be used to manipulate whether or not a
291 process type is permissive.
292 semanage module can also be used to enable/disable/install/remove pol‐
294 icy modules.
295 semanage boolean can also be used to manipulate the booleans
297 system-config-selinux is a GUI tool available to customize SELinux pol‐
300 icy settings.
301
304 This manual page was auto-generated using sepolicy manpage .
305
308 selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1) , setse‐
309 bool(8)
310spamc 15-06-03 spamc_selinux(8)