Clamd getting out of hand...

Arthur Dent selinux.list at troodos.demon.co.uk
Wed Jul 30 17:29:23 UTC 2008


On Wed, Jul 30, 2008 at 11:24:47AM -0400, Daniel J Walsh wrote:
> Arthur Dent wrote:
> > Hello All,
> > 
> > I have been using SELinux in enforcing mode on my F8 box for some time
> > now. I had to go through a bit of pain to get clamassassin working with
> > clamd to scan my emails but it worked OK.
> > 
> > This weekend I upgraded to F9 and have now had about a gazillion AVC
> > denials related to clamd.
> > 
> > I have therefore been forced to use audit2allow to add to the already
> > pretty cumbersome local policy I had with F8.
> > 
> > I list the policy below. All of the entries are as a result of some
> > denial and subsequent audit2allow policy generation.
> > 
> > My question is basically - can one of you gurus tell me if all this
> > stuff is still necessary? Is there a policy in the works that might 
> > avoid all this?
> > 
> > Thanks in advance
> > 
> > AD
> > 
> > 
> > ##########################################
> > # cat myclamd.te
> > policy_module(myclamd, 1.1.11)
> > require {
> >         type clamscan_t;
> >         type clamd_t;
> >         class tcp_socket { write create connect };
> > 	type var_run_t;
> >         type user_home_t;
> >         class sock_file { write unlink create };
> >         class file append;
> > 	type unlabeled_t;
> >         class association recvfrom;
> > 
> > }
> > 
> > #============= clamd_t ==============
> > allow clamd_t var_run_t:sock_file { unlink create };
> Looks like a labeling problem.

Well I did run touch /.autorelabel; reboot

> > corenet_tcp_bind_generic_port(clamd_t)
> What port did it bind to?

In case it helps I have posted my entire clamd.conf file here:
http://pastebin.com/m72927397

> > userdom_read_generic_user_home_content_files(clamd_t)
> > 
> > #============= clamscan_t ==============
> > allow clamscan_t self:tcp_socket { write create connect };
> > allow clamscan_t user_home_t:file append;
> Labeling?
> > allow clamscan_t var_run_t:sock_file write;
> > corenet_tcp_connect_generic_port(clamscan_t)
> > corenet_sendrecv_unlabeled_packets(clamscan_t)
> > mta_read_queue(clamscan_t)
> > procmail_rw_tmp_files(clamscan_t)
> > userdom_read_generic_user_home_content_files(clamscan_t)
> > allow clamscan_t unlabeled_t:association recvfrom;
> > ########################################## 
> > 
> Please attach the avc's used to create this policy?

Well I no longer have many of the older ones - much of the above was
generated when I was running F8. If it's really important I could try
to recover them from the backup archive - but that would be quite a lot
of work...

A selection of some of the 500 or so recent ones (since my upgrade
to F9) can be found here:
http://pastebin.com/m7b60d46a

My current policy (now up to version 14!) looks like this (below),
though with it in place everything now works fine. I have one other
problem (with VMWare and unrelated to this) which merits its own thread
and which I will post later.

In the meantime, thank you very much for your help. It's much
appreciated...

AD
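
The reply above queries several of the audit2allow-generated rules as labeling problems rather than missing policy. As an added example (not part of the original post or of any SELinux tool), this sketch sorts AVC denials into those whose target has a generic type, where the label should be checked before a rule is added, and the rest. The `GENERIC_TYPES` set, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: target types treated as "generic". var_run_t and user_home_t are
# the ones the reply queried as labeling; unlabeled_t is added here.
GENERIC_TYPES = {"var_run_t", "user_home_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*?)"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def triage(lines):
    """Group denials by (source, target, class), split into labeling vs policy."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        obj = re.search(r'\b(?:name|path)="?([^"\s]+)"?', m["rest"])
        if obj:
            groups[key]["objects"].add(obj.group(1))
    result = {"labeling": {}, "policy": {}}
    for key, info in groups.items():
        bucket = "labeling" if key[1] in GENERIC_TYPES else "policy"
        result[bucket][key] = info
    return result

# Constructed sample records (not taken from the poster's logs).
SAMPLE = [
    'type=AVC msg=audit(1217438963.101:42): avc:  denied  { create } for  pid=2101 comm="clamd" name="clamd.sock" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1217438963.205:43): avc:  denied  { unlink } for  pid=2101 comm="clamd" name="clamd.sock" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1217438970.412:57): avc:  denied  { append } for  pid=2250 comm="clamscan" name="clam.log" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1217438971.007:58): avc:  denied  { read } for  pid=2250 comm="clamscan" name="msg.1234" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file',
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE).items():
        for (src, tgt, cls), info in entries.items():
            print(bucket, src, tgt, cls, sorted(info["perms"]), sorted(info["objects"]))
```

Entries in the `labeling` group name the objects whose file context is worth checking before any `allow` rule for them goes into a local module.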
