Edward Kuns wrote:
> A couple times a day (23 times in 10 days), I get the following AVC:
>
> Summary
>     SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "search" to
>     <Unknown> (bin_t).
>
> Detailed Description
>     SELinux denied access requested by /usr/sbin/clamav-milter. It is not
>     expected that this access is required by /usr/sbin/clamav-milter and this
>     access may signal an intrusion attempt. It is also possible that the
>     specific version or configuration of the application is causing it to
>     require additional access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for <Unknown>, restorecon -v
>     <Unknown> If this does not work, there is currently no automatic way to
>     allow this access. Instead, you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:clamd_t:s0
> Target Context                system_u:object_r:bin_t:s0
> Target Objects                None [ dir ]
> Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
>                               Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   23
> First Seen                    Wed 20 Feb 2008 12:25:16 PM CST
> Last Seen                     Thu 28 Feb 2008 09:11:28 PM CST
> Local ID                      7eb02331-c2e4-4c65-a413-d283fbb7ca6f
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492
> exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0
> name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486
> subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir
> tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492
>
>
> I assume that we want to allow clamav to scan anything on the system,
> yes? If I follow the advice from an earlier Email and try the
> following:
>
> grep clamav /var/log/audit/audit.log | audit2allow -M clamav
>
> I get a file that contains:
>
>
> module clamav 1.0;
>
> require {
>         type bin_t;
>         type clamd_t;
>         class dir search;
> }
>
> #============= clamd_t ==============
> allow clamd_t bin_t:dir search;
>
>
> Is this something that should be part of standard policy? Hmm, I try to
> install the above policy and get a complaint:
>
> # semodule -i clamav.pp
> libsepol.print_missing_requirements: clamav's global requirements were
> not met: type/attribute clamd_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
>
> Any thoughts?
>
> Thanks
>
> Eddie
>

Always add a user specify front end to your policy.

grep clamav /var/log/audit/audit.log | audit2allow -M MYclamav
semodule -i MYclamav.pp

Otherwise you are trying to replace the clamav.pp installed as part of
selinux-policy.

This policy seems reasonable but most likely clamav-milter is going to
/usr/bin to execute something. So you might end up needing either

corecmd_exec_bin(clamd_t)

Or some transition to another domain.

If you have an idea what app it is looking for, we can correct the policy.
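
Added example, not part of the original thread and not code from either poster: a shell sketch of two checks worth doing before `semodule -i`, namely choosing a module name that does not collide with a shipped module (the cause of the failure above) and printing the allow rule a denial maps to so it can be reviewed. The function names, the "MY" prefix loop and the sample module list are assumptions made for illustration; the AVC record is built from fields of the raw audit message quoted in the thread.

```sh
#!/bin/sh
# Added example. Sample data is constructed; function names are hypothetical.

# Constructed stand-in for `semodule -l` output (module name, then version).
SAMPLE_MODULES='amavis 1.3.0
clamav 1.5.1
cups 1.8.2'

# AVC record built from fields of the raw audit message quoted in the thread.
SAMPLE_AVC='avc: denied { search } for comm=clamav-milter name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 tclass=dir tcontext=system_u:object_r:bin_t:s0'

# safe_module_name NAME INSTALLED_LIST
# Prefix NAME with "MY" until it no longer matches an installed module, so
# `semodule -i` adds a local module instead of replacing a shipped one.
safe_module_name() {
    want=$1
    installed=$2
    while printf '%s\n' "$installed" |
          awk -v w="$want" '$1 == w { hit = 1 } END { exit !hit }'; do
        want="MY$want"
    done
    printf '%s\n' "$want"
}

# avc_to_rule RECORD
# Print the allow rule a denial corresponds to, for review before building.
avc_to_rule() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (index(perms, " ")) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
    }'
}

# Demo on the constructed data; on a real host pass "$(semodule -l)" instead.
echo "module name: $(safe_module_name clamav "$SAMPLE_MODULES")"
echo "rule:        $(avc_to_rule "$SAMPLE_AVC")"
```

On a live system the resulting name would be passed to `audit2allow -M` in place of `clamav`.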