[gentoo-hardened] exim / amavis / Clamav

[Nico Baggus]

Here I am not sure...

exim has some problems, amavis has various problems & clamav has some problems.

Exim produces:
---8<---

module exim-nb 1.0;

require {
        type amavisd_recv_port_t;
        type initrc_t;
        type exim_t;
        class tcp_socket name_connect;
        class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t amavisd_recv_port_t:tcp_socket name_connect;
allow exim_t initrc_t:unix_stream_socket connectto;
---8<---

ClamAV:
---8<---
module clam 1.0;

require {
        type net_conf_t;
        type amavis_t;
        type default_t;
        type node_t;
        type clamd_port_t;
        type amavis_var_lib_t;
        type clamscan_t;
        class tcp_socket { name_connect node_bind };
        class dir { getattr read open };
        class file { read getattr open };
}

#============= amavis_t ==============
allow amavis_t clamd_port_t:tcp_socket name_connect;

#============= clamscan_t ==============
allow clamscan_t amavis_var_lib_t:dir { read getattr open };
allow clamscan_t amavis_var_lib_t:file { read open };
allow clamscan_t default_t:dir { read getattr open };
allow clamscan_t default_t:file { read open };
allow clamscan_t net_conf_t:file { read getattr open };
allow clamscan_t node_t:tcp_socket node_bind;
---8<---

For amavis I still have to investigate, but after the previous 'fixes' i am not 
realy sure how to tackle this kind of cross product issues..