Current status of mailman and clamav selinux

Daniel J Walsh dwalsh at redhat.com
Thu Mar 20 13:48:43 UTC 2008



Edward Kuns wrote:
> With current policies from RH8 updates, I removed the clamav policy I
> had in place to see what current AVCs I receive.  All AVCs I receive
> regularly are related to mailman.  
> 
> I get a *lot* of this:
> 
> host=kilroy.chi.il.us type=AVC msg=audit(1205972595.706:10245): avc:
> denied { read write } for pid=28531 comm="mailman"
> path="socket:[3905242]" dev=sockfs ino=3905242
> scontext=system_u:system_r:mailman_mail_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
> host=kilroy.chi.il.us type=SYSCALL msg=audit(1205972595.706:10245):
> arch=40000003 syscall=11 success=yes exit=0 a0=8845e78 a1=8845f48
> a2=88454f8 a3=40 items=0 ppid=28530 pid=28531 auid=4294967295 uid=8
> gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
> comm="mailman" exe="/usr/lib/mailman/mail/mailman"
> subj=system_u:system_r:mailman_mail_t:s0 key=(null) 
> 
> which I suspect is sendmail not closing a socket before it forks
> mailman, but I am not certain how to judge, nor how to get sendmail to
> address the issue.
> 
> 
> The one I get more rarely seems to occur once every time clamav finds a
> virus.  I get the following collection of AVCs for each virus discovered
> by clamav:
> 
> type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for
> pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
> ino=327743 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
> type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for
> pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
> ino=327743 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
> type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write }
> for  pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs
> ino=3831091 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write }
> for  pid=26516 comm="sendmail" path="socket:[3855167]" dev=sockfs
> ino=3855167 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write }
> for  pid=26516 comm="sendmail"
> path="/var/tmp/clamav-00c6b962e3f10e1caad8ced3cff4e084/msg.2Orwhh"
> dev=dm-2 ino=32843 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file
> host=kilroy.chi.il.us type=SYSCALL msg=audit(1205970966.746:10166):
> arch=40000003 syscall=11 success=yes exit=0 a0=89d56d0 a1=89d57a8
> a2=89d4b98 a3=40 items=0 ppid=2867 pid=26516 auid=4294967295 uid=492
> gid=486 euid=492 suid=492 fsuid=492 egid=51 sgid=51 fsgid=51 tty=(none)
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0 key=(null) 
> 
> The setroubleshoot browser message associated with these AVCs is:
> "SELinux is preventing sendmail (system_mail_t) "append"
> to /var/log/clamd.milter (clamd_var_log_t)."  For now I've created a new
> myclamav policy from the above AVCs (just the 2nd set listed).
> 
> 		Eddie
> 

I will add append; actually, I am just going to allow system_mail_t to
append to all log files.  The others all seem to be leaked file descriptors.
audit2allow -i /tmp/t


#============= mailman_mail_t ==============
allow mailman_mail_t sendmail_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t clamd_t:unix_stream_socket { read write };
allow system_mail_t clamd_tmp_t:file { read write };


I think clamd is leaking.
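An added helper (not from the thread) that applies the reasoning above to raw audit records: it correlates AVC and SYSCALL records by audit event id and flags denials that occur during an execve against another domain's socket or temp file as probable leaked descriptors (which policy writers normally silence with dontaudit rather than grant with allow), while treating accesses such as the log append as genuine. The sample records are trimmed copies of those quoted in the thread; the heuristic and function names are assumptions.

```python
import re
from collections import defaultdict

# Trimmed copies of the audit records quoted in the thread, one record per line.
SAMPLE = """\
type=AVC msg=audit(1205972595.706:10245): avc:  denied  { read write } for  pid=28531 comm="mailman" path="socket:[3905242]" dev=sockfs ino=3905242 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1205972595.706:10245): arch=40000003 syscall=11 success=yes exit=0 ppid=28530 pid=28531 comm="mailman" exe="/usr/lib/mailman/mail/mailman" subj=system_u:system_r:mailman_mail_t:s0
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for  pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2 ino=327743 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write } for  pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs ino=3831091 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1205970966.746:10166): arch=40000003 syscall=11 success=yes exit=0 ppid=2867 pid=26516 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
EVENT = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # audit event serial number
PERMS = re.compile(r'\{ ([^}]*) \}')                 # "{ read write }" in AVC records
EXECVE_I386 = ("40000003", "11")                     # arch=i386, syscall 11 = execve

def parse_record(line):
    """Return (event_id, fields) for one audit record; event_id is None if unparsable."""
    m = EVENT.search(line)
    if not m:
        return None, {}
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    p = PERMS.search(line)
    fields["perms"] = p.group(1).split() if p else []
    return m.group(1), fields

def classify(lines):
    """Group records by event id and label each AVC as a probable leaked
    descriptor or a genuine access. Heuristic (an assumption, not policy):
    a read/write denial raised while the process is in execve, on a socket or
    *_tmp_t file owned by another domain, is a descriptor inherited across exec."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in lines:
        eid, f = parse_record(line)
        if eid is None:
            continue
        if f.get("type") == "AVC":
            events[eid]["avc"].append(f)
        elif f.get("type") == "SYSCALL":
            events[eid]["syscall"] = f
    results = []
    for eid, ev in events.items():
        sc = ev["syscall"] or {}
        in_exec = (sc.get("arch"), sc.get("syscall")) == EXECVE_I386
        for a in ev["avc"]:
            src, tgt = a["scontext"].split(":")[2], a["tcontext"].split(":")[2]
            rw = "read" in a["perms"] or "write" in a["perms"]
            inherited = a["tclass"] == "unix_stream_socket" or tgt.endswith("_tmp_t")
            verdict = "leaked fd: dontaudit" if in_exec and rw and inherited else "genuine: allow/relabel"
            results.append({"event": eid, "source": src, "target": tgt,
                            "tclass": a["tclass"], "verdict": verdict})
    return results
```

Running `classify(SAMPLE.splitlines())` labels the two socket denials as leaked descriptors and the clamd.milter append as a genuine access, matching the split made in the reply above.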