Clamav/SeLinux, issue with system call recvmsg, and auxilary data.

Dominick Grift domg472 at gmail.com
Mon Sep 28 15:49:32 UTC 2009 

On Mon, Sep 28, 2009 at 04:22:18PM +0100, J. David Rye of Roadtech wrote:
> 
> 
> Hello All
> 
> I triggered this issue with clamav/clamav-milter 0.95.2 from rpmforge running on a test box with Centos 5.3
> 
> Clamd opens a socket /var/run/clamav/clamd.sock to accept requests to scan things.
> 
> ls -Z /var/run/clamav/clamd.sock
> srwxrwxrwx  clamav clamav root:object_r:clamd_var_run_t    /var/run/clamav/clamd.sock
> 
> Requests are read using the system call recvmsg, this allows for the passing auxiliary control data.
> 
> Clamav-milter 0.95.2 uses this to pass a handle to the temp file containing the data to be scanned
> 
> With SeLinux set to  targeted enforcing, this call reads and returns the normal data fine, but returns with the
> flag MSG_CTRUNC set.
> 
> according to the man page this is
> "indicates that some control data were discarded due to lack of space in the buffer for ancillary data."
> 
> clamd responded by closing the socket, clamav-milter responded to the closed socket by looping a 100% CPU. :-(
> 
> 
> Running the audit log through audit2allow suggests 
> 
> grep clam /var/log/audit/audit.log | audit2allow -m local > local.te
> [root at fallback0 selinux]# cat local.te
> 
> module local 1.0;
> 
> require {
>         type initrc_tmp_t;
>         type proc_t;
>         type sysctl_kernel_t;
>         type clamd_t;
>         class dir search;
>         class file { read write getattr };
> }
> 
> #============= clamd_t ==============
> allow clamd_t initrc_tmp_t:file { read write getattr };
> allow clamd_t proc_t:file { read getattr };
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;

The first line means that something runs in the initrc_t init script domain. Either the program executable file for this process is mislabeled or there is no policy for this init daemon.

ps auxZ | grep initrc_t

The second and third /
  fourth line signal that clamd_t needs read access to read_system_state and read_sysctls.

You could extend the clamd domain with a custom policy module to implement this

echo "policy_module(myclamd, 0.0.1)" >> myclamd.te;
echo "require { type clamd_t; }" > myclamd.te;
echo "kernel_read_system_state(clamd_t)" > myclamd.te;
echo "kernel_read_kernel_sysctls(clamd_t)" > myclamd.te;

make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
> 
> 
> The allow clamd_t proc_t:file { read getattr }; looks to relate to reading /proc/meminfo
> 
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
> Look to relate to these log entries 
> type=AVC msg=audit(1254139856.343:48724): avc:  denied  { search } for  pid=14771 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> type=AVC msg=audit(1254139856.343:48724): avc:  denied  { read } for  pid=14771 comm="clamd" name="ngroups_max" dev=proc ino=-268435368 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
> type=AVC msg=audit(1254149740.665:48885): avc:  denied  { search } for  pid=1261 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> 
> This if I have figured it out right relate to something that clamd is calling in turn trying to read /proc/sys/kernel/ngroups_max
> 
> 
> So by elimination 
> allow clamd_t initrc_tmp_t:file { read write getattr };
> 
> Must relate to the the use of auxiliary data with the socket, and the following log entries but I do not see why.
> Can anyone explain?
> 
> type=AVC msg=audit(1254150147.188:48924): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3063666237656532666331656139656636323364373463316236626532623735202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150153.681:48925): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3336316332323033323138613239633865363633633937303962663133363664202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150177.903:48926): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3366636162623138633237636231383466643064656630643838353063363933202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150188.366:48927): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D6366393131623632353130333564353832656435396466663136373362626131202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150220.428:48928): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3931633534623761393630653531386630363539653033363537303937323135202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> 
> 
> Yours
> 
> J. David Rye 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> *************************************************************************
> This e-mail is confidential and may be legally privileged. It is intended
> solely for the use of the individual(s) to whom it is addressed. Any
> content in this message is not necessarily a view or statement from Road
> Tech Computer Systems Limited but is that of the individual sender. If
> you are not the intended recipient, be advised that you have received
> this e-mail in error and that any use, dissemination, forwarding,
> printing, or copying of this e-mail is strictly prohibited. We use
> reasonable endeavours to virus scan all e-mails leaving the company but
> no warranty is given that this e-mail and any attachments are virus free.
> You should undertake your own virus checking. The right to monitor e-mail
> communications through our networks is reserved by us
> 
>   Road Tech Computer Systems Ltd. Shenley Hall, Rectory Lane, Shenley,
>   Radlett, Hertfordshire, WD7 9AN. - VAT Registration No GB 449 3582 17
>   Registered in England No: 02017435, Registered Address: Charter Court, 
>   Midland Road, Hemel Hempstead,  Hertfordshire, HP2 5GE. 
> *************************************************************************
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090928/b81602fa/attachment.sig>

More information about the fedora-selinux-list mailing list