Re: Clamd - again...

On Wed, 2010-08-25 at 21:32 +0200, Dominick Grift wrote:
> On 08/25/2010 08:33 PM, Arthur Dent wrote:
> > On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
> >> On 08/24/2010 11:05 AM, Arthur Dent wrote:
> >>> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
> >>>
> >>>>
> >>>> Does:
> >>>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
> >>>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
> >>>> /etc/init.d/clamd start 2>&1 )
> >>>>
> >>>> make it work?
> >>>
> >>> Hmm... Why doesn't it like that?
> >>>
> >>> chcon: missing operand
> >>> Try `chcon --help' for more information.
> >>> Starting clamd: [  OK  ]
> >>>
> >>
> >> Whoops, it's: chcon -t clamd_tmp_t /tmp/clamdwatch*;
> > 
> > OK - I'm not sure this approach is going to work. If I run this cronjob
> > script it returns the following:
> > chcon: cannot access `/tmp/clamdwatch*': No such file or directory
> > Starting clamd: [  OK  ]
> 
> Why is that happening? It looks like clamd started "OK"?
> The fact of the matter is that clamd_t cannot access user_tmp_t files/dir,
> so by labelling it clamd_tmp_t, clamd_t should be able to read it.
> 
> How to implement that best can be tested.
> 
> Optionally one could (and probably should) confine clamdwatch but that
> would take some work.
> 
> I am of the opinion that by just labelling the offending object manually
> clamd_tmp_t it should work and be an easy fix.

Do you speak perl?

This is an extract of the clamdwatch script:

# "CONFIG" section
#
# $Socket values:
#   = "3310" (as in the tcp port; make sure $ip is correct if you use this)
#   = "/path/to/clamd/socket"
my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
my $log = $options{l} || 0;
my $ip = "127.0.0.1";
my $timeout = $options{t} || 15;
my $lockFile = $options{L} || "/var/lock/subsys/clamd";
my $quiet = $options{q} || 0;
my $sock;

# reversed eicar
my $data = "*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
# Octal literal: the string '0644' would be taken as decimal 644.
chmod(0644, $tempFile);


Could we change that line to add a chcon command?


Attachment: signature.asc
Description: This is a digitally signed message part

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
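
One way to do what the message above asks, as an added example that is not part of clamdwatch or of the original post: label the temporary file from inside the script, right after mkstemp() creates it, so the file exists when chcon runs. The helper names, the chcon path and the selinuxfs paths are assumptions; clamd_tmp_t is the type proposed earlier in the thread, and the caller must be permitted to relabel to it.

```perl
#!/usr/bin/perl
# Added example, not part of clamdwatch.
use strict;
use warnings;
use File::Temp qw(mkstemp);

# Type suggested earlier in the thread.
my $TMP_TYPE = "clamd_tmp_t";
# Assumed location of chcon (coreutils on Fedora).
my $CHCON = "/usr/bin/chcon";

# SELinux is active when selinuxfs exposes an "enforce" node
# (/selinux on older systems, /sys/fs/selinux on newer ones).
sub selinux_enabled {
    return (-e "/selinux/enforce" || -e "/sys/fs/selinux/enforce") ? 1 : 0;
}

# Relabel one file. Returns 1 on success (or when SELinux is off), 0 on failure.
sub label_for_clamd {
    my ($path) = @_;
    return 1 unless selinux_enabled();
    # List form of system(): no shell, so no glob expansion or quoting issues.
    my $rc = system($CHCON, "-t", $TMP_TYPE, $path);
    if ($rc == -1) {
        warn "could not run $CHCON: $!\n";
        return 0;
    }
    if ($rc != 0) {
        warn sprintf("%s exited with status %d for %s\n", $CHCON, $rc >> 8, $path);
        return 0;
    }
    return 1;
}

my ($fh, $tempFile) = mkstemp("/tmp/clamdwatch-XXXXXXXXXXXXXXXX");
# Octal literal: the string '0644' would be taken as decimal 644.
chmod(0644, $tempFile) or die "chmod $tempFile: $!\n";
label_for_clamd($tempFile)
    or warn "$tempFile keeps its default label; clamd may be denied access\n";

print {$fh} "constructed sample data\n";
close($fh) or die "close $tempFile: $!\n";

# Show the resulting context, then clean up.
system("ls", "-Z", $tempFile);
unlink($tempFile) or warn "unlink $tempFile: $!\n";
```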
