Re: selinux preventing clamd and amavisd even in Permissive

John Dennis wrote:
>> There are others, but selinux should only log the AVCs in Permissive. Right? But the selinux system is actually doing denials.
>
> Just for clarification, setroubleshoot will still report a denial in permissive mode because it is logged as a denial by the audit system, however the action should still be permitted.

I am aware of that. The problem is the action IS being denied even in Permissive mode.

> There is an open bug report requesting the text in the setroubleshoot message to be modified when the system is in permissive mode to say "SELinux would have denied" instead of denied. We're going to be fixing that, it's not quite as trivial as it seems because all the messages have been translated into other languages so you can't just do a simple string substitution and retain correct grammar in another language, but we will be fixing this one way or another.
>
> In theory if your spam filtering is not working it shouldn't be because SELinux is actually denying anything because you're in permissive mode. I would first look elsewhere. I'm not saying it's impossible it's SELinux, but because you're in permissive mode it's very unlikely.

Again, I truly believe it is selinux.

For example, clamd tries to open a socket in /var/spool/amavisd. On my Fedora 7 system I get:
[root@gei ~]# l -Z /var/spool/amavisd/
drwx------  amavis amavis system_u:object_r:amavis_spool_t ./
drwxr-xr-x  root   root   system_u:object_r:var_spool_t    ../
srwxr-x---  amavis amavis system_u:object_r:amavis_var_run_t amavisd.sock=
srwxrwxrwx  amavis amavis system_u:object_r:clamd_var_run_t clamd.sock=
drwx------  amavis amavis system_u:object_r:amavis_spool_t db/
drwx------  amavis amavis system_u:object_r:amavis_spool_t quarantine/
drwxr-x---  amavis amavis system_u:object_r:amavis_spool_t .razor/
drwx------  amavis amavis system_u:object_r:amavis_spool_t .spamassassin/
drwx------  amavis amavis system_u:object_r:amavis_spool_t tmp/
[root@gei ~]# uname -a
Linux gei 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 21:09:24 EDT 2007 i686 i686 i386 GNU/Linux
[root@gei ~]# getenforce
Enforcing
[root@gei ~]#
On the Fedora 8 system, I get:
[root@joe ~]# getenforce
Permissive
[root@joe ~]# l -Z /var/spool/amavisd/
drwx------  amavis amavis system_u:object_r:amavis_spool_t ./
drwxr-xr-x  root   root   system_u:object_r:var_spool_t    ../
srwxr-x---  amavis amavis system_u:object_r:amavis_var_run_t amavisd.sock=
drwx------  amavis amavis system_u:object_r:amavis_spool_t db/
drwx------  amavis amavis system_u:object_r:amavis_spool_t quarantine/
drwxr-x---  amavis amavis system_u:object_r:amavis_spool_t .razor/
drwx------  amavis amavis system_u:object_r:amavis_spool_t .spamassassin/
drwx------  amavis amavis system_u:object_r:amavis_spool_t tmp/
[root@joe ~]# uname -a
Linux joe 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686 i386 GNU/Linux

Notice that there is no socket created by clamd even in permissive mode. The following is from the maillog:
Dec  1 11:49:45 joe postfix/smtp[8576]: 2523B38687C: to=<root@xxxxxxxxxxx>, orig_to=<root>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=34207, delays=34175/23/0/9, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=08570-02-2, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x80de630) Too many retries to talk to /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory) at (eval 55) line 310. at (eval 55) line 511.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 50, output="LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav/ 451-4.5.0 daily.inc 451 4.5.0 ERROR: Not supported data format" at (eval 55) line 511. (in reply to end of DATA command))
Notice it cannot connect to the socket because it does not exist. That confirms that the creation of the socket is being denied in my opinion.

That is why I didn't bother with the rest of the AVCs yet, since I probably don't have them all without being able to successfully run in Permissive mode to collect them for startup and shutdown.

Regards,
John
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
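The point of contention in this thread is whether an AVC logged in permissive mode was actually enforced. One way to settle that from the audit log, as an added example (not code from the post, from setroubleshoot or from the Fedora tools): the AVC record and the SYSCALL record of one event share the same audit serial, so pairing them shows whether the syscall went through. The audit records below are constructed, not taken from the poster's systems; only the type names (clamd_t, amavis_t, amavis_spool_t) mirror the labels shown in the thread.

```python
import re

# Constructed sample audit records (not from the original post). The AVC and
# SYSCALL records of one event share an audit serial (456, 458) used to pair them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1196527785.123:456): avc:  denied  { create } for  pid=8571 comm="clamd" name="clamd.sock" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1196527785.123:456): arch=40000003 syscall=102 success=yes exit=0 comm="clamd" exe="/usr/sbin/clamd"
type=AVC msg=audit(1196527790.456:458): avc:  denied  { connectto } for  pid=8576 comm="amavisd" path="/var/spool/amavisd/clamd.sock" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1196527790.456:458): arch=40000003 syscall=102 success=no exit=-13 comm="amavisd" exe="/usr/bin/perl"
"""

MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit line into a dict of its fields; None if not an audit record."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
    rest = line[m.end():]
    avc = AVC_RE.search(rest)
    if avc:  # AVC records carry the verdict and the permission set
        rec["result"] = avc.group("result")
        rec["perms"] = avc.group("perms").split()
        rest = rest[avc.end():]
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(rest)})
    return rec

def selinux_type(ctx):
    """The SELinux type is the third colon-separated component of a context."""
    return ctx.split(":")[2]

def classify_denials(log_text):
    """Pair each AVC denial with the SYSCALL record of the same serial.
    Yields (source_type, target_type, tclass, perms, enforced): enforced is False
    when the syscall succeeded (what permissive mode should show), True when it
    failed, None when no SYSCALL record exists. A syscall can fail for reasons
    other than SELinux, so True is 'consistent with enforcement', not proof."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    outcome = {r["serial"]: r.get("success") for r in records if r["type"] == "SYSCALL"}
    for r in records:
        if r["type"] == "AVC" and r.get("result") == "denied":
            ok = outcome.get(r["serial"])
            yield (selinux_type(r["scontext"]), selinux_type(r["tcontext"]),
                   r["tclass"], sorted(r["perms"]), None if ok is None else ok == "no")

if __name__ == "__main__":
    for src, tgt, cls, perms, enforced in classify_denials(SAMPLE_AUDIT_LOG):
        print(f"{src} -> {tgt}:{cls} {perms} enforced={enforced}")
```

Run it against a real /var/log/audit/audit.log (or the output of ausearch -m AVC,SYSCALL) to see, for each denial, whether the kernel let the call through; a denial with success=yes is the permissive-mode pattern, and the syscall outcome is what decides the question, not the word "denied" in the message.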
