Re: SELinux interfering with clamav?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edward Kuns wrote:
> A couple times a day (23 times in 10 days), I get the following AVC:
> 
> Summary
>     SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "search" to
>     <Unknown> (bin_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/clamav-milter. It is
> not
>     expected that this access is required by /usr/sbin/clamav-milter and
> this
>     access may signal an intrusion attempt. It is also possible that the
>     specific version or configuration of the application is causing it
> to
>     require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could
> try to
>     restore the default system file context for <Unknown>, restorecon -v
>     <Unknown> If this does not work, there is currently no automatic way
> to
>     allow this access. Instead,  you can generate a local policy module
> to allow
>     this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:clamd_t:s0
> Target Context                system_u:object_r:bin_t:s0
> Target Objects                None [ dir ]
> Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8
> #1 SMP
>                               Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   23
> First Seen                    Wed 20 Feb 2008 12:25:16 PM CST
> Last Seen                     Thu 28 Feb 2008 09:11:28 PM CST
> Local ID                      7eb02331-c2e4-4c65-a413-d283fbb7ca6f
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492
> exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0
> name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486
> subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir
> tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492
> 
> 
> 
> I assume that we want to allow clamav to scan anything on the system,
> yes?  If I follow the advice from an earlier Email and try the
> following:
> 
> grep clamav /var/log/audit/audit.log | audit2allow -M clamav
> 
> I get a file that contains:
> 
> 
> module clamav 1.0;
> 
> require {
> 	type bin_t;
> 	type clamd_t;
> 	class dir search;
> }
> 
> #============= clamd_t ==============
> allow clamd_t bin_t:dir search;
> 
> 
> Is this something that should be part of standard policy?  Hmm, I try to
> install the above policy and get a complaint:
> 
> # semodule -i clamav.pp 
> libsepol.print_missing_requirements: clamav's global requirements were
> not met: type/attribute clamd_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> 
> Any thoughts?
> 
>             Thanks
> 
>                Eddie
> 
Always add a user specify front end to your policy.


grep clamav /var/log/audit/audit.log | audit2allow -M MYclamav
semodule -i MYclamav.pp


Otherwise you are trying to replace the clamav.pp installed as part of
selinux-policy.

This policy seems reasonable but most likely clamav-milter is going to
/usr/bin to execute something. So you might end up needing either

corecmd_exec_bin(clamd_t)

Or some transition to another domain.

If you have an idea what app it is looking for, we can correct the policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfIE8IACgkQrlYvE4MpobPhwgCfcgcKhHGGDf6gg7fmb5dq7cpD
7RoAnRNSgbnK0tU/MCTywypjOmHQQ33b
=n80j
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux