SELinux interfering with clamav?
Daniel J Walsh
dwalsh at redhat.com
Fri Feb 29 14:39:15 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Edward Kuns wrote:
> On Fri, 2008-02-29 at 09:16 -0500, Daniel J Walsh wrote:
>> Always add a user specify front end to your policy.
>
> D'oh! That fixed it. Thanks.
>
>
>> This policy seems reasonable but most likely clamav-milter is going to
>> /usr/bin to execute something. So you might end up needing either
>>
>> corecmd_exec_bin(clamd_t)
>>
>> Or some transition to another domain.
>>
>> If you have an idea what app it is looking for, we can correct the policy.
>
> How can I find out what it's looking for? As a test, I just added the
> policy:
>
> module myclamav 1.0;
>
> require {
> type bin_t;
> type clamd_t;
> class dir search;
> }
>
> #============= clamd_t ==============
> allow clamd_t bin_t:dir search;
>
> so if I understand this, you expect that I should later today get an AVC
> that clamav is trying to execute something that is bin_t? Assuming
> that's the case, I'll see what is there when I get home from work later
> and I'll post that. But if there's something else I can do to find out,
> let me know.
>
> Thanks
>
> Eddie
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Nope, that is the best you can do. You could put your machine in
permissive mode to get all of the AVC's but that could be dangerous. We
hope to have permissive domains eventually, were we could allow clamd_t
only to do it's thing, but we don't have it yet.
THanks for your help diagnosing this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkfIGRMACgkQrlYvE4MpobMiBwCePpuERf+k4vRKPlwEMtOgzg0l
yB0AoLHFBaLJcEodsF1oYFWjGydP0Mzx
=6YRg
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list