SELinux interfering with clamav?

Edward Kuns ekuns at kilroy.chi.il.us
Fri Feb 29 04:31:23 UTC 2008


A couple times a day (23 times in 10 days), I get the following AVC:

Summary
    SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "search" to
    <Unknown> (bin_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/clamav-milter. It is not
    expected that this access is required by /usr/sbin/clamav-milter and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
                              Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   23
First Seen                    Wed 20 Feb 2008 12:25:16 PM CST
Last Seen                     Thu 28 Feb 2008 09:11:28 PM CST
Local ID                      7eb02331-c2e4-4c65-a413-d283fbb7ca6f
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492
exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0
name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486
subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492



I assume that we want to allow clamav to scan anything on the system,
yes?  If I follow the advice from an earlier Email and try the
following:

grep clamav /var/log/audit/audit.log | audit2allow -M clamav

I get a file that contains:


module clamav 1.0;

require {
	type bin_t;
	type clamd_t;
	class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;


Is this something that should be part of standard policy?  Hmm, I try to
install the above policy and get a complaint:

# semodule -i clamav.pp 
libsepol.print_missing_requirements: clamav's global requirements were
not met: type/attribute clamd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!


Any thoughts?

            Thanks

               Eddie

-- 
Edward Kuns <ekuns at kilroy.chi.il.us>
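
Added example, not part of the original message: a Python sketch of the derivation audit2allow performed above, turning the raw AVC record into allow rules so that each rule can be read before a module is built from it. The function names and the module name local_clamav are assumptions made for this example.

```python
import re
from collections import defaultdict
# The denial quoted in the message above, joined onto one line.
SAMPLE = (
    "avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492 "
    "exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 "
    "name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486 "
    "subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir "
    "tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492"
)
# Hypothetical module name; semodule -i replaces an installed module of the same name.
MODULE_NAME = "local_clamav"
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (source_type, target_type, class, perms), or None if the line is
    not a complete denial. A context is user:role:type[:level]."""
    m = AVC.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], frozenset(m.group(1).split())
    except (KeyError, IndexError):
        return None

def collect_rules(lines):
    """Merge denials into {(source_type, target_type, class): set_of_perms}."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        rules[parsed[:3]] |= parsed[3]
    return dict(rules)

def render_module(name, rules):
    """Render .te source listing every rule, for review before it is loaded."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    fmt = lambda p: "{ " + " ".join(sorted(p)) + " }"
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module(MODULE_NAME, collect_rules([SAMPLE])))
```

Run against the full output of the grep above, this lists every distinct rule the denials would turn into, which shows what a module would grant to clamd_t before it is installed.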



