On 08/24/2010 08:55 AM, Arthur Dent wrote:
> On Tue, 2010-08-24 at 08:41 +0200, Dominick Grift wrote:
>> On 08/24/2010 12:20 AM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
>>>
>>>> open your ~/myclamd/myclamd.te file and append the following:
>>>>
>>>> gen_require(`
>>>> type clamscan_t;
>>>> ')
>>>>
>>>> procmail_rw_tmp_files(clamscan_t)
>>>> mta_read_queue(clamscan_t)
>>>>
>>>>
>>>> Then rebuild the binary representation and reinstall it:
>>>>
>>>> cd ~/myclamd;
>>>> make -f /usr/share/selinux/devel/Makefile myclamd.pp
>>>> sudo semodule -i myclamd.pp
>>>
>>> I'm sorry to be a nuisance Dominick, but I'm afraid there's another
>>> problem.
>>>
>>> Many people, including myself, who use clamd run a program called
>>> clamdwatch to monitor the fact that the clamd daemon is alive and well.
>>>
>>> This basically works by sending the Eicar virus to clamd and if it
>>> doesn't get back the expected virus warning it assumes clamd is dead and
>>> tries to restart it.
>>>
>>> I have it running from a cron job:
>>> */10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
>>>
>>> At the moment, every time this runs it restarts clamd.
>>>
>>> Here is the associated avc (still with semanage -DB).
>>
>> i guess you could chcon the file from the cronjob to use a type that
>> clamd_t can access. for example append chcon -t clamd_tmp_t /tmp/clamdwatch*
>>
>> That would be a workaround.
>>
>> The other approach is to write policy for clamdwatch.
>>
>> Another approach which is not encouraged is to allow clamd_t access to
>> user temporary content.
>>
>> What package provides this app? and why is it in the admin directory?
>
> Sorry - It's not an app, it's a script (perl). It comes in the clamav
> tarball. I have put it in my /root/scripts/ directory where I keep most
> of my scripts run from cron.
>
> I can send you a copy if that would help?
no thanks. Does:

/root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t clamd_tmp_t /tmp/clamdwatch*; /etc/init.d/clamd start 2>&1 )

make it work?

> Thanks
>
> Mark
>
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
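The thread above turns on reading an AVC denial and deciding between three responses: relabel the file (chcon), write policy for the tool, or (discouraged) allow clamd_t into user temporary content. The following script is an added example, not part of the thread and not clamav's or the reference policy's code; it is a small stand-in for what audit2allow does. It parses AVC lines from audit.log, groups them into allow rules in the .te style used in the thread, and flags any rule that would open user_tmp_t to the daemon, since that is the case Dominick says should be solved by relabeling instead. The AVC lines, the pid/inode values and the file name clamdwatch.Ab12Cd are all constructed for illustration; the thread's own AVC was not reproduced in the archive.

```python
"""Draft SELinux allow rules from raw AVC denials (added example, not audit2allow).

The sample denials below are constructed for this example; they are not
the AVC from the mailing-list thread.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines: clamd_t tripping over a clamdwatch
# temp file labelled user_tmp_t, plus an unrelated socket denial.
SAMPLE_AVCS = """\
type=AVC msg=audit(1282629210.421:143): avc:  denied  { read } for  pid=4321 comm="clamd" name="clamdwatch.Ab12Cd" dev=dm-0 ino=9876 scontext=system_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1282629210.421:143): avc:  denied  { open } for  pid=4321 comm="clamd" name="clamdwatch.Ab12Cd" dev=dm-0 ino=9876 scontext=system_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1282629211.003:144): avc:  denied  { getattr } for  pid=4321 comm="clamd" path="/tmp/clamdwatch.Ab12Cd" dev=dm-0 ino=9876 scontext=system_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1282629300.118:150): avc:  denied  { write } for  pid=4321 comm="clamd" name="clamd.sock" dev=dm-0 ino=5555 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# One AVC record: the denied permission set, then the source/target
# security contexts and the object class. Extra fields such as
# permissive=0 after tclass are tolerated.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules care about)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, PATH lines, etc.)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_te(rules):
    """Render a gen_require block plus allow rules, as in the thread's myclamd.te."""
    types = sorted({t for key in rules for t in key[:2]})
    out = ["gen_require(`"]
    out += ["\ttype %s;" % t for t in types]
    out += ["')", ""]
    for src, tgt, cls in sorted(rules):
        perms = " ".join(sorted(rules[(src, tgt, cls)]))
        out.append("allow %s %s:%s { %s };" % (src, tgt, cls, perms))
    return "\n".join(out)


def user_tmp_warnings(rules):
    """Rules that would grant a daemon access to user temporary content.

    The thread discourages allowing this; the alternative is to relabel the
    file (chcon -t <daemon>_tmp_t) or write policy for the tool that made it.
    """
    return [
        "allow %s -> %s:%s opens user tmp content; prefer relabeling the file" % key
        for key in sorted(rules)
        if key[1] == "user_tmp_t"
    ]


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AVCS)
    print(render_te(parsed))
    for w in user_tmp_warnings(parsed):
        print("WARNING:", w)
```

Feed it real lines with `grep avc /var/log/audit/log | python thisfile.py`-style plumbing after replacing SAMPLE_AVCS with stdin; the point of the warning list is that a denial against user_tmp_t is a labeling problem first and a policy gap second, which is exactly the distinction the reply above draws.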