SOLVED: error ClamAV daemon
Paul Howarth
paul at city-fan.org
Thu Jun 15 13:18:04 UTC 2006
Peter Lesterhuis wrote:
>> All the remaining audit messages are not SELinux-related.
>>
>> Can you let me know if freshclam works OK in enforcing mode after doing
>> the "restorecon" above please (also look for any more AVC messages).
>>
> # ls -lZ /etc/freshclam.conf
> -rw-r----- root root user_u:object_r:rpm_script_tmp_t /etc/freshclam.conf
>
> # restorecon -v /etc/freshclam.conf
> restorecon reset /etc/freshclam.conf context
> user_u:object_r:rpm_script_tmp_t->system_u:object_r:etc_t
>
> I am using the clamav-package from crash-hat:

There is a bug in the post-install script of the crash-hat clamav
package, which edits the freshclam.conf file to use a local database
mirror. It creates the new file in /tmp (resulting in the
rpm_script_tmp_t context type) and then moves it into place (which
doesn't change the context type), hence leaving the freshclam.conf file
with the wrong file context.
To fix this, it should do something like:

[ -x /sbin/restorecon ] && /sbin/restorecon %{_sysconfdir}/freshclam.conf* &> /dev/null

Doing this just after the place where it does:

chmod 0640 %{_sysconfdir}/freshclam.conf*

would seem sensible.
I suggest you report this issue to the repo maintainer.

> Freshclam works all right.
> There are no new AVC messages.

Good. I'll add the ability to read generic kernel sysctls (there's no
interface for not auditing them), which should shut up the ones you had
earlier.
Replace the myfreshclam.te with this one:

policy_module(myfreshclam, 0.1.2)

require {
        type freshclam_t;
};

# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)

# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)

Re-run make and load the updated module:

# cd /root/selinux.local
# make
# semodule -i myfreshclam.pp

Paul.
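
The fix described in this message, sketched as an added example (it is not the crash-hat package's scriptlet and not code from this thread): a shell function that rewrites freshclam.conf through a temporary file, sets the mode, and then resets the SELinux label. The function name, the choice of DatabaseMirror as the edited directive and the hostname in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: rewrite a config file via a temp file without leaving
# it with the temp file's SELinux context.
# Usage (hostname is a constructed placeholder):
#   set_freshclam_mirror /etc/freshclam.conf mirror.example.org

set_freshclam_mirror() {
    conf=$1
    mirror=$2

    [ -f "$conf" ] || return 1

    # Create the temp file beside the target so the final mv is a plain
    # rename on the same filesystem.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1

    # Drop any existing DatabaseMirror lines, then append the new one.
    if ! sed '/^[[:space:]]*DatabaseMirror[[:space:]]/d' "$conf" > "$tmp" ||
       ! printf 'DatabaseMirror %s\n' "$mirror" >> "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 0640 "$tmp"

    # mv keeps whatever label the temp file was created with; it does
    # not pick up the label the policy assigns to the destination path.
    if ! mv -f "$tmp" "$conf"; then
        rm -f "$tmp"
        return 1
    fi

    # Reset the label to the policy default for this path. Skipped when
    # restorecon is not installed; a failure here (for example with
    # SELinux disabled) does not fail the whole update.
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$conf" >/dev/null 2>&1 || :
    fi

    return 0
}
```

On an SELinux system, `ls -lZ` on the file before and after the call shows whether the context type matches what restorecon reported earlier in this thread.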