SELinux interfering with clamav?
Edward Kuns
ekuns at kilroy.chi.il.us
Fri Feb 29 04:31:23 UTC 2008
A couple times a day (23 times in 10 days), I get the following AVC:
Summary

SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "search" to <Unknown> (bin_t).

Detailed Description

SELinux denied access requested by /usr/sbin/clamav-milter. It is not expected that this access is required by /usr/sbin/clamav-milter and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context          system_u:system_r:clamd_t:s0
Target Context          system_u:object_r:bin_t:s0
Target Objects          None [ dir ]
Affected RPM Packages   clamav-milter-0.92.1-1.fc8 [application]
Policy RPM              selinux-policy-3.0.8-84.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               kilroy.chi.il.us
Platform                Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count             23
First Seen              Wed 20 Feb 2008 12:25:16 PM CST
Last Seen               Thu 28 Feb 2008 09:11:28 PM CST
Local ID                7eb02331-c2e4-4c65-a413-d283fbb7ca6f
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492 exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486 subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492

I assume that we want to allow clamav to scan anything on the system,
yes? If I follow the advice from an earlier Email and try the
following:
grep clamav /var/log/audit/audit.log | audit2allow -M clamav
I get a file that contains:
module clamav 1.0;

require {
        type bin_t;
        type clamd_t;
        class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
Is this something that should be part of standard policy? Hmm, I try to
install the above policy and get a complaint:
# semodule -i clamav.pp
libsepol.print_missing_requirements: clamav's global requirements were not met: type/attribute clamd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Any thoughts?
Thanks
Eddie
--
Edward Kuns <ekuns at kilroy.chi.il.us>
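
Added example, not part of the original post: "grep clamav" passes every audit record that contains the string, whatever domain it came from, so it helps to list the distinct (source type, target type, class, permission) tuples before turning them into a module. The Python sketch below does that; SAMPLE_LOG and all function names are constructed for illustration, with the clamd_t records modeled on the raw audit message quoted above.

```python
import re
from collections import Counter

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not the poster's audit.log). The first and third
# mirror the denial in the post; the last is a different domain that a plain
# "grep clamav" would also match because of the path it touches.
SAMPLE_LOG = """\
type=AVC msg=audit(1204255888.101:501): avc:  denied  { search } for  pid=13663 comm="clamav-milter" name="bin" dev=dm-0 ino=1234 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1204255888.101:501): arch=40000003 syscall=11 success=no exit=-13 comm="clamav-milter" exe="/usr/sbin/clamav-milter"
type=AVC msg=audit(1204259999.202:777): avc:  denied  { search } for  pid=14001 comm="clamav-milter" name="bin" dev=dm-0 ino=1234 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1204260000.303:790): avc:  denied  { read write } for  pid=14100 comm="logrotate" path="/var/log/clamav/milter.log" dev=dm-0 ino=5678 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

def selinux_type(context):
    """Pull the type out of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Return one (source, target, class, perm, comm) tuple per denied permission."""
    m = PERMS_RE.search(line)
    if not m:
        return []  # not an AVC denial (e.g. a SYSCALL record)
    # Fields are looked up by key, so audit.log order and the sorted order
    # shown in the setroubleshoot report both parse.
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return []
    return [(selinux_type(f["scontext"]), selinux_type(f["tcontext"]),
             f["tclass"], perm, f.get("comm", "?")) for perm in m.group(1).split()]

def summarize(log_text):
    """Count denials per distinct tuple across all lines."""
    return Counter(t for line in log_text.splitlines() for t in parse_avc(line))

def candidate_rules(log_text):
    """Render each tuple as the allow rule it would become, for review only."""
    return [f"allow {s} {t}:{c} {p};  # {n} denial(s), comm={comm}"
            for (s, t, c, p, comm), n in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Rules whose source type is not clamd_t (the logrotate_t lines here) are the ones a string grep pulled in by accident and are worth filtering out before running audit2allow.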