On Thu, 2008-03-06 at 15:53 +0000, Arthur Dent wrote:
> On Thu, Mar 06, 2008 at 03:46:28PM +0000, Arthur Dent wrote:
> > >
> > > What file in your home directory is clamscan appending to?
> > > Maybe we can put it into a distinct type and protect the rest of your
> > > files?
> > >
> > Not sure... clamd is used by clamassassin which is called by procmail.
> >
> > Procmail has local configurations set in various "rc" files in
> > ~/Procmail/ in my home directory. But only procmail would require (read)
> > access to those. Then procmail writes to its log which is
> > ~/Procmail/pmlog (also rotated by logrotate).
> >
> > I'll try commenting out that line and see what happens...
> >
> And here's what happens...
>
> Summary:
>
> SELinux is preventing the clamdscan from using potentially mislabeled files
> (/home/mark/Procmail/pmlog).
>
> Detailed Description:
>
> SELinux has denied clamdscan access to potentially mislabeled file(s)
> (/home/mark/Procmail/pmlog). This means that SELinux will not allow
> clamdscan to use these files. It is common for users to edit files in their
> home directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
>
> Allowing Access:
>
> If you want clamdscan to access this files, you need to relabel them using
> restorecon -v '/home/mark/Procmail/pmlog'. You might want to relabel the
> entire directory using restorecon -R -v '/home/mark/Procmail'.
>
> Additional Information:
>
> Source Context                system_u:system_r:clamscan_t:s0
> Target Context                system_u:object_r:user_home_t:s0
> Target Objects                /home/mark/Procmail/pmlog [ file ]
> Source                        clamdscan
> Source Path                   /usr/bin/clamdscan
> Port                          <Unknown>
> Host                          mydomain.org.uk
> Source RPM Packages           clamav-0.92.1-1.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-87.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   home_tmp_bad_labels
> Host Name                     mydomain.org.uk
> Platform                      Linux mydomain.org.uk 2.6.23.15-137.fc8 #1 SMP Sun
>                               Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Thu Mar 6 15:48:08 2008
> Last Seen                     Thu Mar 6 15:48:08 2008
> Local ID                      1a0e8006-5ae4-41dc-90e3-419c7c32c2b0
> Line Numbers
>
> Raw Audit Messages
>
> host=mydomain.org.uk type=AVC msg=audit(1204818488.711:155): avc:
> denied { append } for pid=3820 comm="clamdscan"
> path="/home/mark/Procmail/pmlog" dev=sda12 ino=1426472
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:user_home_t:s0 tclass=file
>
> host=mydomain.org.uk type=SYSCALL msg=audit(1204818488.711:155):
> arch=40000003 syscall=11 success=yes exit=0 a0=933c210 a1=933aa28
> a2=93381b0 a3=40 items=0 ppid=3816 pid=3820 auid=4294967295 uid=0 gid=12
> euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
> comm="clamdscan" exe="/usr/bin/clamdscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null)

Ok, so it is just appending to a log file there, possibly via an inherited
descriptor from the caller. You could possibly put a different type on
~/Procmail and only give permissions to that type, but offhand I don't see
an existing type that would fit for that purpose, so you'd have to define a
new one. Likely more work than you want to deal with right now. The good
news is that it only requires append access, so it cannot overwrite an
existing file's contents even if you allow the above.
-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
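An added triage helper, not from the thread or from setroubleshoot, that reads the raw audit messages quoted above, joins each AVC line to its SYSCALL record by audit serial, and reports the two facts the reply turns on: whether the denial surfaced at execve (so the descriptor was inherited from the caller) and whether the denied permission can alter existing content. The first event is the one from the thread; the second { write } event is constructed for contrast.

```python
import re

# Records quoted in the thread above (serial 155) plus one constructed
# { write } denial (serial 156) for contrast; the latter is not real data.
AUDIT_LOG = """\
type=AVC msg=audit(1204818488.711:155): avc: denied { append } for pid=3820 comm="clamdscan" path="/home/mark/Procmail/pmlog" dev=sda12 ino=1426472 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1204818488.711:155): arch=40000003 syscall=11 success=yes exit=0 a0=933c210 a1=933aa28 a2=93381b0 a3=40 items=0 ppid=3816 pid=3820 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) comm="clamdscan" exe="/usr/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1204818490.100:156): avc: denied { write } for pid=3821 comm="clamdscan" path="/home/mark/Procmail/pmlog" dev=sda12 ino=1426472 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1204818490.100:156): arch=40000003 syscall=4 success=no exit=-13 pid=3821 comm="clamdscan" exe="/usr/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

# On i386 (arch=40000003) syscall 11 is execve: an AVC raised there comes from
# the kernel revalidating descriptors the new image inherited from its caller.
EXEC_SYSCALLS = {"40000003": {"11"}}
# File permissions that can alter or remove existing content; append is left
# out on purpose, which is the point made in the reply above.
CONTENT_CHANGING = {"write", "unlink", "rename", "setattr"}

def parse_records(text):
    """Group audit lines by serial so each AVC is joined to its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["_raw"] = line
        events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events

def triage(event):
    """Reduce one denial to the facts the reply above reasons from."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    perms = set(PERMS_RE.search(avc["_raw"]).group(1).split())
    return {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "perms": sorted(perms),
        # success=yes on an execve shows the program itself still ran; only
        # the inherited descriptor failed the check.
        "inherited_fd": sc.get("syscall") in EXEC_SYSCALLS.get(sc.get("arch"), ()),
        "can_clobber": bool(perms & CONTENT_CHANGING),
    }

def triage_log(text):
    """Map serial -> triage summary for every AVC record in the log."""
    return {s: triage(ev) for s, ev in parse_records(text).items() if "AVC" in ev}
```

Run over the thread's own record, it reports clamscan_t denied only append on a user_home_t file during execve, which is exactly the inherited-descriptor, append-only situation the reply describes.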