Clamd getting out of hand...

Daniel J Walsh dwalsh at redhat.com
Wed Aug 6 13:34:03 UTC 2008


Arthur Dent wrote:
> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
> 
> 
>> But do you have the original avc messages used to generate the policy.
>> I want to see if we are missing transitions?  What port is it
>> communicating with etc.
> 
> Apologies for the slow response. RL gets in the way sometimes...
> 
> To recap:
> 
> My mail chain is as follows:
> 
> fetchmail -> procmail
>                 |
>                  -> clamassassin -> spamassassin -> dovecot -> MUA
>                         |
>                          -> clamdscan
>                                |
>                                 -> clamd
> 
> I had made several home-made policies to allow clamd to work under F8.
> Following an upgrade to F9 I get a whole load more avc denials and have
> had to add a bunch of policies to get it to work.
> 
> With SEL in enforcing mode (I know I should have set it to permissive
> until I had sorted this out but I thought each problem would be the
> last..) the recent denials fell into 3 types:
> 
> sending denials
> receiving denial
> write to pipe denials
> 
> I got several hundred sending denials until I wrote a policy with
> audit2allow then I got several hundred receiving denials until I fixed
> that and finally a ton of write-to pipe. If you look at the collection
> of raw audit messages (just a sample) that I posted here
> 
> http://pastebin.com/m7b60d46a
> 
> you will see that almost every part of the mail chain seems to be
> affected.
> 
> Finding the original avc messages from my F8 install would be hard work,
> but I have included 3 (one of each type) from the F9 upgrade. You can
> see them here:
> 
> http://pastebin.com/m1fc5a466
> 
> If you want others (as referred to in the raw avcs) just let me know.
> 
> So, clamd settings can be seen here (entire clamd.conf file) :
> http://pastebin.com/m72927397
> A selection of raw avc messages can be seen here:
> http://pastebin.com/m7b60d46a
> And 3 of the entire avc messages here:
> http://pastebin.com/m1fc5a466
> 
> 
> I really do thank you for your help...
> 
> AD
> 
Adding the following policy to clamscan

mta_send_mail(clamscan_t)
corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_all_if(clamscan_t)
corenet_tcp_sendrecv_all_nodes(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)

Should fix.

Updated in selinux-policy-3.3.1-85.fc9
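
An added example, not part of either message in this thread: one way to collapse several hundred repeated AVC denials, like the send, receive and pipe-write denials described above, into the distinct source type, target type, class and permission tuples behind them before writing policy. The audit lines are constructed for illustration, not the poster's records, and the names `summarize` and `report` are hypothetical.

```python
import re
from collections import Counter

# Constructed audit.log excerpt for illustration; not the poster's records.
SAMPLE_LOG = """\
type=AVC msg=audit(1217424001.101:901): avc:  denied  { send } for  pid=2101 comm="clamdscan" saddr=127.0.0.1 daddr=127.0.0.1 netif=lo scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1217424001.101:901): arch=40000003 syscall=102 success=no exit=-13 comm="clamdscan"
type=AVC msg=audit(1217424002.202:902): avc:  denied  { send } for  pid=2107 comm="clamdscan" saddr=127.0.0.1 daddr=127.0.0.1 netif=lo scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1217424003.303:903): avc:  denied  { recv } for  pid=2107 comm="clamdscan" saddr=127.0.0.1 daddr=127.0.0.1 netif=lo scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1217424004.404:904): avc:  denied  { write } for  pid=1988 comm="clamd" path="pipe:[41234]" dev=pipefs ino=41234 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
"""

# Matches only denials; "granted" records and non-AVC record types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        src, tgt = type_of(m.group("scontext")), type_of(m.group("tcontext"))
        # One record can list several permissions inside the braces.
        for perm in m.group("perms").split():
            counts[(src, tgt, m.group("tclass"), perm)] += 1
    return counts


def report(counts):
    """Format the summary, most frequent denial first."""
    return ["%5d  %s -> %s : %s { %s }" % (n, s, t, c, p)
            for (s, t, c, p), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Each output line names one domain, target and permission, which makes it easier to see which stage of the mail chain a denial belongs to and whether an existing policy interface already covers it.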
