On 08/23/2010 01:12 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>>>>>
>>>>
>>>> Looks like clamd again/or still runs in the init script domain.
>>>> Therefore clamdscan cannot connect to it
>>>>
>>>> ps -auxZ | grep initrc_t
>>>
>>> # ps -auxZ | grep initrc_t
>>> Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
>>> system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S Aug21 0:02 ddclient - sleeping for 20 seconds
>>> unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl Aug22 4:01 /usr/local/sbin/clamd
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728 pts/0 S+ 11:55 0:00 grep initrc_t
>>
>> So clamd runs in the wrong domain:
>>
>> try:
>>
>> matchpathcon /usr/local/sbin/clamd
>> chcon -t clamd_exec_t /usr/local/sbin/clamd
>> service clamd restart
>
> Not quite sure what went wrong here...
>

Well now clamd runs in the proper domain but it is denied to read
generic files in /usr/share. Basically likely another side effect of
using a custom package.
Here is how to allow it:

mkdir ~/myclamd; cd ~/myclamd;
echo "policy_module(myclamd, 1.0.0)" > myclamd.te;
echo "gen_require(\`" >> myclamd.te;
echo "type clamd_t;" >> myclamd.te;
echo "')" >> myclamd.te;
echo "files_read_usr_files(clamd_t)" >> myclamd.te;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp

But expect more issues after this

> # matchpathcon /usr/local/sbin/clamd
> /usr/local/sbin/clamd system_u:object_r:bin_t:s0
> # chcon -t clamd_exec_t /usr/local/sbin/clamd
> # service clamd restart
> Stopping clamd: [ OK ]
> Starting clamd: [FAILED]
>
> # ausearch -m avc -ts recent
>
> ----
> time->Mon Aug 23 12:08:19 2010
> type=SYSCALL msg=audit(1282561699.384:43466): arch=40000003 syscall=33
> success=no exit=-13 a0=8c94b80 a1=4 a2=168ed30 a3=8c94b80 items=0
> ppid=25311 pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503
> fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295
> comm="clamd" exe="/usr/local/sbin/clamd"
> subj=unconfined_u:system_r:clamd_t:s0 key=(null)
> type=AVC msg=audit(1282561699.384:43466): avc: denied { read } for
> pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
> scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> ----
> time->Mon Aug 23 12:08:19 2010
> type=SYSCALL msg=audit(1282561699.384:43467): arch=40000003 syscall=5
> success=no exit=-13 a0=8c94c38 a1=0 a2=1b6 a3=154d519 items=0 ppid=25311
> pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503
> egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="clamd"
> exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
> key=(null)
> type=AVC msg=audit(1282561699.384:43467): avc: denied { read } for
> pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
> scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
> time->Mon Aug 23 12:08:19 2010
> type=SYSCALL msg=audit(1282561699.384:43465): arch=40000003 syscall=33
> success=no exit=-13 a0=8c94b80 a1=4 a2=168ed30 a3=8c94b80 items=0
> ppid=25311 pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503
> fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295
> comm="clamd" exe="/usr/local/sbin/clamd"
> subj=unconfined_u:system_r:clamd_t:s0 key=(null)
> type=AVC msg=audit(1282561699.384:43465): avc: denied { read } for
> pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
> scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> ----
> time->Mon Aug 23 12:08:19 2010
> type=SYSCALL msg=audit(1282561699.384:43468): arch=40000003 syscall=33
> success=no exit=-13 a0=8c94c38 a1=4 a2=168ed30 a3=0 items=0 ppid=25311
> pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503
> egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="clamd"
> exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
> key=(null)
> type=AVC msg=audit(1282561699.384:43468): avc: denied { read } for
> pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
> scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
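Added example, not part of the original message: a Python script that unwraps quoted AVC records like the ones in this thread and groups the denials by source type, target type and class, which shows that they all reduce to one missing access (clamd_t reading usr_t files). The function names are invented for this example, and the sample input is two of the AVC records from the thread kept in their quoted, mail-wrapped form.

```python
import re
from collections import defaultdict

# Two AVC records from the thread, in their quoted, mail-wrapped form.
SAMPLE = """\
> type=AVC msg=audit(1282561699.384:43466): avc: denied { read } for
> pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
> scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> ----
> type=AVC msg=audit(1282561699.384:43467): avc: denied { read } for
> pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
> scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*?)"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def unwrap(text):
    """Strip '>' quote markers and rejoin records the mail client wrapped."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)

def summarize(text):
    """Group denials by (source type, target type, class)."""
    seen = defaultdict(lambda: {"perms": set(), "names": set()})
    for perms, fields, scon, tcon, tclass in AVC_RE.findall(unwrap(text)):
        # A context is user:role:type:level, so the type is field 2.
        entry = seen[(scon.split(":")[2], tcon.split(":")[2], tclass)]
        entry["perms"].update(perms.split())
        name = re.search(r'name="([^"]*)"', fields)
        if name:
            entry["names"].add(name.group(1))
    return dict(seen)

def te_rules(text):
    """Render each group as the type-enforcement rule it would need."""
    rules = []
    for (src, tgt, tclass), entry in sorted(summarize(text).items()):
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(te_rules(SAMPLE)))
```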