Re: clamd -selinux Should I allow?

Daniel J Walsh <dwalsh@xxxxxxxxxx> · Mon, 20 Jun 2011 07:16:31 -0400



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/20/2011 05:52 AM, Frank Murphy wrote:
> On 19/06/11 10:43, Dominick Grift wrote:
> <snip>
>>
>> ignore for now.
>>
>> You have not enclosed the complete report so i cannot determine the
>> issue. However it is very likely that the suggestion by setroubleshooter
>> is not applicable here.
>>
>>
> 
> Here's the full report:
> 
> SELinux is preventing /usr/sbin/clamd from search access on the 
> directory /selinux.
> 
> *****  Plugin file (36.8 confidence) suggests 
> *******************************
> 
> If you think this is caused by a badly mislabeled machine.
> Then you need to fully relabel.
> Do
> touch /.autorelabel; reboot
> 
> *****  Plugin file (36.8 confidence) suggests 
> *******************************
> 
> If you think this is caused by a badly mislabeled machine.
> Then you need to fully relabel.
> Do
> touch /.autorelabel; reboot
> 
> *****  Plugin catchall_labels (23.2 confidence) suggests 
> ********************
> 
> If you want to allow clamd to have search access on the selinux directory
> Then you need to change the label on /selinux
> Do
> # semanage fcontext -a -t FILE_TYPE '/selinux'
> where FILE_TYPE is one of the following: sysctl_crypto_t, samba_var_t, 
> amavis_var_lib_t, avahi_var_run_t, clamd_var_log_t, setrans_var_run_t, 
> net_conf_t, clamd_var_lib_t, clamd_var_run_t, sysctl_t, sysctl_kernel_t, 
> abrt_t, bin_t, nscd_var_run_t, nslcd_var_run_t, clamd_etc_t, lib_t, 
> mnt_t, sssd_var_lib_t, root_t, tmp_t, usr_t, var_t, device_t, etc_t, 
> clamd_tmp_t, amavis_spool_t, proc_t, sysfs_t, var_lib_t, exim_spool_t, 
> textrel_shlib_t, sysctl_t, bin_t, cert_t, clamd_t, tmp_t, 
> rpm_script_tmp_t, usr_t, var_t, winbind_var_run_t, security_t, device_t, 
> devpts_t, locale_t, sssd_public_t, etc_t, proc_t, default_t, etc_mail_t, 
> sosreport_tmp_t, fail2ban_var_lib_t, likewise_var_lib_t, rpm_tmp_t, 
> var_run_t, krb5_conf_t, httpd_sys_content_t, rpm_log_t, var_log_t, 
> var_spool_t, var_lib_t, var_run_t, abrt_var_run_t, var_t, var_log_t, 
> nscd_var_run_t, pcscd_var_run_t, var_t, var_t, cgroup_t, var_run_t, 
> var_run_t, root_t, sysfs_t, tmpfs_t.
> Then execute:
> restorecon -v '/selinux'
> 
> 
> *****  Plugin catchall (5.04 confidence) suggests 
> ***************************
> 
> If you believe that clamd should be allowed search access on the selinux 
> directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep clamd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:clamd_t:s0
> Target Context                system_u:object_r:file_t:s0
> Target Objects                /selinux [ dir ]
> Source                        clamd
> Source Path                   /usr/sbin/clamd
> Port                          <Unknown>
> Host                          test08...................
> Source RPM Packages           clamav-server-0.97.1-1600.fc16
> Target RPM Packages           filesystem-2.4.42-1.fc16
> Policy RPM                    selinux-policy-3.9.16-29.1.fc16
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     test08...................
> Platform                      Linux test08...............
>                                3.0-0.rc3.git5.1.fc16.x86_64 #1 SMP Fri 
> Jun 17
>                                16:21:59 UTC 2011 x86_64 x86_64
> Alert Count                   13
> First Seen                    Sat 18 Jun 2011 13:49:32 IST
> Last Seen                     Mon 20 Jun 2011 10:43:22 IST
> Local ID                      3220d418-bbfb-4955-a14c-8b7e99e55f91
> 
> Raw Audit Messages
> type=AVC msg=audit(1308563002.180:97): avc:  denied  { search } for 
> pid=1536 comm="clamd" name="selinux" dev=dm-3 ino=25 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> 
> 
> type=SYSCALL msg=audit(1308563002.180:97): arch=x86_64 syscall=open 
> success=no exit=EACCES a0=309376440a a1=0 a2=1b6 a3=9 items=0 ppid=1 
> pid=1536 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 
> egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=clamd 
> exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
> 
> Hash: clamd,clamd_t,file_t,dir,search
> 
> audit2allow
> 
> #============= clamd_t ==============
> allow clamd_t file_t:dir search;
> 
> audit2allow -R
> 
> #============= clamd_t ==============
> allow clamd_t file_t:dir search;
> 
> 
> 
> 
file_t means you have a mislabeled file system.  any app that loads
libselinux will do a search on /selinux which is probably causing this
problem.  If you just run restorecon on /selinux it might solve the
problem.  But if you see other file_t files on your disk, then you need
to relabel the system.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3/LA8ACgkQrlYvE4MpobMUTQCfRv6Nu2eBALWpgBqZ9AYVC1Jk
WIYAn3v3D8vrGv/G7tIeBxsPbU2V6j42
=1VdQ
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux