Sebastian Hennebrueder wrote:
> Hello,
> the freshclam daemon tries to download the updated virus definition to
> /var/clamav
>
> The directory has the context
> drwxr-xr-x clamav clamav system_u:object_r:clamd_t clamav
>

A directory should not have a type of clamd_t; this is a process type. You probably want to label this clamd_var_lib_t. Then everything should work. You must have put this label on in permissive mode.

chcon -t clamd_var_lib_t /var/clamav

will fix the problem.

Is this a standard directory for this? My policy expects you to use /var/lib/clamav? Although I just saw mention of this directory in debian policy.

> I get the following error message
> type=AVC msg=audit(1222221728.847:3043): avc: denied { write } for
> pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222304223.589:82): avc: denied { write } for
> pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222304223.666:83): avc: denied { write } for
> pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222308125.673:100): avc: denied { write } for
> pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222308125.911:101): avc: denied { write } for
> pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
>
> Using audit2allow I get
> module dummy 1.0;
>
> require {
> type unconfined_t;
> type crond_t;
> type clamd_t;
> class dir write;
> }
>
> #============= crond_t ==============
> allow crond_t clamd_t:dir write;
>
> #============= unconfined_t ==============
> allow unconfined_t clamd_t:dir write;
>
>
> My impression was that unconfined_t access allows a quite wide access but
> some testing showed me that even root cannot create files in
> that directory.
> type=AVC msg=audit(1222590942.079:771): avc: denied { write } for
> pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0
> ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> So my question, can I allow unconfined access and to which extent will
> this open the directory?
>
> Best Regards
>
> Sebastian Hennebrueder
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
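The distinction drawn in the reply, a process domain sitting on a directory versus a genuine policy gap that the audit2allow rule would address, as an added example that is not part of the list thread: a small Python triage over the quoted AVC lines. The clamd_t -> clamd_var_lib_t table and the third sample line are assumptions made for this example.

```python
import re

# Assumption (only the pair from this thread): process domains that should
# never label a file object, mapped to the file type policy expects there.
PROCESS_DOMAIN_FILE_TYPE = {"clamd_t": "clamd_var_lib_t"}
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Split one type=AVC audit line into fields; None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]  # user:role:type[:level]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def triage(line):
    """Return (verdict, remedy): relabel the object, or change the policy."""
    d = parse_avc(line)
    if d is None:
        return None
    if d["tclass"] in FILE_CLASSES and d["ttype"] in PROCESS_DOMAIN_FILE_TYPE:
        want = PROCESS_DOMAIN_FILE_TYPE[d["ttype"]]
        # Fix the label (and make it survive a relabel), not the policy.
        return ("mislabeled", "chcon -t %s <dir>; semanage fcontext -a -t %s '<dir>(/.*)?'"
                % (want, want))
    # The rule audit2allow would emit; only right when the label is right.
    return ("policy", "allow %s %s:%s { %s };"
            % (d["stype"], d["ttype"], d["tclass"], " ".join(d["perms"])))

# Two denials quoted in the thread, plus a constructed one showing what a
# denial against the correct label would look like, for contrast.
SAMPLE = [
    'type=AVC msg=audit(1222304223.589:82): avc: denied { write } for pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir',
    'type=AVC msg=audit(1222590942.079:771): avc: denied { write } for pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir',
    'type=AVC msg=audit(1222590999.000:772): avc: denied { write } for pid=27760 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

Feed it `ausearch -m avc` output line by line; anything reported as "mislabeled" should be relabeled first, and only denials that remain afterwards are candidates for a policy module.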