On 08/25/2010 10:17 PM, Arthur Dent wrote:
> On Wed, 2010-08-25 at 21:32 +0200, Dominick Grift wrote:
>> On 08/25/2010 08:33 PM, Arthur Dent wrote:
>>> On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
>>>> On 08/24/2010 11:05 AM, Arthur Dent wrote:
>>>>> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>>>>>
>>>>>>
>>>>>> Does:
>>>>>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
>>>>>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
>>>>>> /etc/init.d/clamd start 2>&1 )
>>>>>>
>>>>>> make it work?
>>>>>
>>>>> Hmm... Why doesn't it like that?
>>>>>
>>>>> chcon: missing operand
>>>>> Try `chcon --help' for more information.
>>>>> Starting clamd: [ OK ]
>>>>>
>>>>
>>>> Whoops, it's: chcon -t clamd_tmp_t /tmp/clamdwatch*;
>>>
>>> OK - I'm not sure this approach is going to work. If I run this cronjob
>>> script it returns the following:
>>> chcon: cannot access `/tmp/clamdwatch*': No such file or directory
>>> Starting clamd: [ OK ]
>>
>> Why is that happening? It looks like clamd started "OK"?
>> Fact of the matter is that clamd_t cannot access user_tmp_t files/dirs,
>> so by labelling it clamd_tmp_t, clamd_t should be able to read it.
>>
>> How to implement that best can be tested.
>>
>> Optionally one could (and probably should) confine clamdwatch, but that
>> would take some work.
>>
>> I am of the opinion that by just labelling the offending object manually
>> clamd_tmp_t it should work and be an easy fix.
>
> Do you speak perl?
>
> This is an extract of the clamdwatch script:
>
> # "CONFIG" section
> #
> # $Socket values:
> #   = "3310" (as in the tcp port; make sure $ip is correct if you use this)
> #   = "/path/to/clamd/socket"
> my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
> my $log = $options{l} || 0;
> my $ip = "127.0.0.1";
> my $timeout = $options{t} || 15;
> my $lockFile = $options{L} || "/var/lock/subsys/clamd";
> my $quiet = $options{q} || 0;
> my $sock;
>
> # reversed eicar
> my $data = "*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
> srand;
> my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
> # octal literal: chmod('0644', ...) passes the decimal number 644 (mode 01204)
> chmod(0644, $tempFile);
>
>
> Could we change that line to add a chcon command?
>

I don't do a lot of perl. This page may help implement it:
http://www.perlhowto.com/executing_external_commands
Basically you need to run "chcon -t clamd_tmp_t $tempFile".

>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
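As an added illustration of the change discussed in this thread (this is not the clamdwatch script itself, nor code from either poster), below is the mkstemp() step of a clamdwatch-style check extended with the relabel step. The reason the cron line failed is visible in the error quoted above: by the time `chcon -t clamd_tmp_t /tmp/clamdwatch*` runs, clamdwatch has already exited and unlinked its temp file, so the relabel has to happen inside the script, after mkstemp() and before the SCAN request is sent. The type name clamd_tmp_t and the socket path are taken from the thread and the quoted extract; the "FOUND" suffix in clamd's SCAN reply and the SELinux presence check are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not the clamdwatch script): create the test file, relabel
# it so clamd_t may read it, then ask clamd to scan it.
# Assumptions: clamd_tmp_t is the type clamd_t can read (from the thread),
# clamd listens on /var/run/clamd/clamd.sock (from the quoted extract), and
# clamd answers SCAN with one "path: <name> FOUND" line for the EICAR file.
use strict;
use warnings;
use File::Temp qw(mkstemp);
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM);

my $Socket  = "/var/run/clamd/clamd.sock";   # assumption: Fedora default
my $timeout = 15;
my $type    = "clamd_tmp_t";                 # assumption: label clamd_t may read

# reversed EICAR, as in clamdwatch, so the script file itself is not flagged
my $data = "*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";

# Relabel $path to $type.  The list form of system() goes straight to
# execvp(), so a file name containing shell metacharacters can never be
# turned into a command.  Returns 1 on success, 0 on failure.
sub relabel {
    my ($path, $type) = @_;
    # No SELinux filesystem mounted: nothing to relabel (assumed check).
    return 1 unless -d "/sys/fs/selinux" || -d "/selinux";
    my $rc = system("/usr/bin/chcon", "-t", $type, "--", $path);
    if ($rc != 0) {
        my $why = $rc == -1 ? "could not exec chcon: $!" : "exit status " . ($rc >> 8);
        warn "chcon -t $type $path failed: $why\n";
        return 0;
    }
    return 1;
}

# Returns 1 if clamd reports the EICAR file as FOUND, 0 otherwise.
sub run_check {
    my ($fh, $tempFile) = mkstemp("/tmp/clamdwatch-XXXXXXXXXXXXXXXX");
    chmod 0644, $tempFile;              # octal literal, not the string '0644'

    # Relabel before clamd ever sees the path; the temp file is user_tmp_t
    # at this point and clamd_t cannot read that.
    relabel($tempFile, $type) or do { unlink $tempFile; die "relabel failed\n" };

    print $fh scalar reverse $data;     # un-reverse the EICAR string
    close $fh;

    my $sock = IO::Socket::UNIX->new(Type => SOCK_STREAM, Peer => $Socket)
        or do { unlink $tempFile; die "cannot connect to $Socket: $!\n" };

    # clamd SCAN protocol: one "SCAN <path>" line in, one result line back.
    local $SIG{ALRM} = sub { unlink $tempFile; die "no answer from clamd within ${timeout}s\n" };
    alarm $timeout;
    print $sock "SCAN $tempFile\n";
    my $reply = <$sock>;
    alarm 0;
    close $sock;
    unlink $tempFile;                   # clean up; the label dies with the file

    defined $reply or die "empty reply from clamd\n";
    chomp $reply;
    return $reply =~ /\bFOUND\s*$/ ? 1 : 0;
}

exit(run_check() ? 0 : 1);
```

Two points worth noting. A chcon on a mkstemp() file is not the fragile "manual relabel" it would be on a persistent path: each run creates a new file, so there is no label for a later restorecon to undo, and nothing to add to file_contexts. And because the script already runs as root and builds the path itself, the list form of system() is the cheap way to keep that path from ever being interpreted by a shell, which is the trap the linked perlhowto page's `system("cmd $arg")` form walks into.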