Selinux denial on clamd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I’m currently trying to integrate Squid, c-icap and clamd together to get A/V scanning of objects through squid on a CentOS 6.5 server.

 

I have things working but every time I try and download the eicar.com test virus, I see the following in the logs:

 

type=AVC msg=audit(1410534437.751:227204): avc:  denied  { write } for  pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

 

For the record, this server has been hardened according to the CIS CentOS 6.5 benchmark document.

 

/tmp and /var/tmp are mounted as so, if this matters:

 

/dev/mapper/VolGroup00-tmp on /tmp type ext4 (rw,noexec,nosuid,nodev)

/tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind)

 

If I set “semanage permissive -a clamd_t” then everything works.

 

 

Audit2allow suggests I need the following, but I’m not really understanding why:

 

allow antivirus_t initrc_tmp_t:file write;

 

 

Any guidance?

 

Mark.

 

--

Mark Watts

Infrastructure Engineer, iSolutions

University of Southampton

Tel: (02380) 595788 Int: 25788

 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux