On 07/21/2009 12:18 AM, Edward Kuns wrote: > Just in the past few days I've received seven of this AVC complaint, and > I haven't seen any of this complaint before that. On 11 July, I updated > selinux to 3.6.12-62.fc11. I currently have clamav-0.95.1-2.fc11.i586, > installed on 1 July. I am not aware of anything that changed on or just > before the 17th. Any ideas? > > Here's the sealert: > > Thanks > > Eddie > > > Summary: > > SELinux is preventing clamd.scan (system_cronjob_t) "write" crond_t. > > Detailed Description: > > SELinux denied access requested by clamd.scan. It is not expected that > this > access is required by clamd.scan and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration > of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. > Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:system_cronjob_t:s0 > Target Context system_u:system_r:crond_t:s0-s0:c0.c1023 > Target Objects pipe [ fifo_file ] > Source clamd.scan > Source Path /bin/bash > Port <Unknown> > Host kilroy.chi.il.us > Source RPM Packages bash-4.0-6.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-62.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name kilroy.chi.il.us > Platform Linux kilroy.chi.il.us > 2.6.29.5-191.fc11.i686.PAE > #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 > i686 > Alert Count 7 > First Seen Fri Jul 17 10:36:13 2009 > Last Seen Mon Jul 20 16:36:12 2009 > Local ID 39c625f5-4b31-49f2-bb14-57835e8afc61 > Line Numbers > > Raw Audit Messages > > node=kilroy.chi.il.us type=AVC msg=audit(1248125772.619:80082): avc: > denied { write } for pid=3642 comm="clamd.scan" path="pipe:[8230868]" > dev=pipefs ino=8230868 scontext=system_u:system_r:system_cronjob_t:s0 > tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file > > node=kilroy.chi.il.us type=SYSCALL msg=audit(1248125772.619:80082): > arch=40000003 syscall=11 success=yes exit=0 a0=9ef08f0 a1=9ef0910 > a2=9eeecb8 a3=9ef0910 items=0 ppid=509 pid=3642 auid=0 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2000 > comm="clamd.scan" exe="/bin/bash" > subj=system_u:system_r:system_cronjob_t:s0 key=(null) > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This looks like a MCS constraint problem. And looking at current selinux policy it should be fixed. Can you upgrade to the latest selinux policy in testing? yum upgrade --enablerepo=updates-testing selinux-policy-targeted -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
