I am getting numerous AVCs from the SELinux troubleshooter when clamd and
amavisd try to operate. Even with SELinux in Permissive mode, the actions
are still prevented.
I did a touch /.autorelabel before reporting this. The problem still occurs.
An example:

Summary

SELinux is preventing /usr/bin/clamscan (clamscan_t) "read" to <Unknown>
(amavis_spool_t).

Detailed Description

SELinux denied access requested by /usr/bin/clamscan. It is not expected
that this access is required by /usr/bin/clamscan and this access may signal
an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context          system_u:system_r:clamscan_t
Target Context          system_u:object_r:amavis_spool_t
Target Objects          None [ dir ]
Affected RPM Packages   clamav-0.91.2-3.fc8 [application]
Policy RPM              selinux-policy-3.0.8-56.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall_file
Host Name               joe
Platform                Linux joe 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count             7
First Seen              Sat 01 Dec 2007 02:13:33 AM EST
Last Seen               Sat 01 Dec 2007 02:23:33 AM EST
Local ID                d41e6d82-4a90-48ee-a554-3c557f6cfe61
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495
exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0
name=clamav-f1269664cac0bef43a67b3a6dbae41b8 pid=2785
scontext=system_u:system_r:clamscan_t:s0 sgid=490
subj=system_u:system_r:clamscan_t:s0 suid=495 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495

There are others, but selinux should only log the AVCs in Permissive.
Right? But the selinux system is actually doing denials. The email
system will not work since the emails cannot be virus checked. Glad this
is a test installation.
There was a problem in Fedora Core 6 with Postfix, amavisd, and clamd as
I remember it, but it would run in Permissive.
I will post all the AVCs later, but I thought this was important.
Regards,
John
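
As an added example (not part of the original message and not setroubleshoot's own code), the raw audit message above can be parsed to pull out the source type, target type, class and permission, the allow rule a local policy module would carry for it, and the syscall return value in exit=. The function names are hypothetical, and reading a non-negative exit= as a completed syscall is this example's assumption about the merged audit record.

```python
import re

# Raw audit message from the report above, rejoined onto one line.
SAMPLE = ("avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495 "
          "exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0 "
          "name=clamav-f1269664cac0bef43a67b3a6dbae41b8 pid=2785 "
          "scontext=system_u:system_r:clamscan_t:s0 sgid=490 "
          "subj=system_u:system_r:clamscan_t:s0 suid=495 tclass=dir "
          "tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495")

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)

def parse_avc(message):
    """Split one AVC message into decision, permissions and key=value fields."""
    m = AVC_RE.search(message)
    if not m:
        raise ValueError("not an AVC message")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"decision": m.group(1), "perms": m.group(2).split(), "fields": fields}

def selinux_type(context):
    """Return the type, the third field of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def summarize(message):
    """Build the matching allow rule and report the syscall outcome."""
    avc = parse_avc(message)
    f = avc["fields"]
    src, tgt = selinux_type(f["scontext"]), selinux_type(f["tcontext"])
    perms = avc["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    raw_exit = f.get("exit", "")
    exit_code = int(raw_exit) if raw_exit.lstrip("-").isdigit() else None
    return {
        "rule": f"allow {src} {tgt}:{f['tclass']} {perm_txt};",
        "exit": exit_code,
        # Assumption: exit= is the syscall return value; >= 0 means it completed.
        "syscall_completed": None if exit_code is None else exit_code >= 0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```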