Clamd getting out of hand...
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 6 13:34:03 UTC 2008
Arthur Dent wrote:
> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
>
>
>> But do you have the original avc messages used to generate the policy.
>> I want to see if we are missing transitions? What port is it
>> communicating with etc.
>
> Apologies for the slow response. RL gets in the way sometimes...
>
> To recap:
>
> My mail chain is as follows:
>
> fetchmail -> procmail
> |
> -> clamassassin -> spamassassin -> dovecot -> MUA
> |
> -> clamdscan
> |
> -> clamd
>
> I had made several home-made policies to allow clamd to work under F8.
> Following an upgrade to F9 I get a whole load more avc denials and have
> had to add a bunch of policies to get it to work.
>
> With SEL in enforcing mode (I know I should have set it to permissive
> until I had sorted this out but I though each problem would be the
> last..) the recent denials fell into 3 types:
>
> sending denials
> receiving denial
> write to pipe denials
>
> I got several hundred sending denials until I wrote a policy with
> audit2allow then I got sever hundred receiving denials until I fixed
> that and finally a ton of write-to pipe. If you look at the collection
> of raw audit messages (just a sample) that I posted here
>
> http://pastebin.com/m7b60d46a
>
> you will see that almost every part of the mail chain seems to be
> affected.
>
> Finding the original avc messages from my F8 install would be hard work,
> but I have included 3 (one of each type) from the F9 upgrade. You can
> see them here:
>
> http://pastebin.com/m1fc5a466
>
> If you want others (as referred to in the raw avcs) just let me know.
>
> So, clamd settings can be seen here (entire clamd.conf file) :
> http://pastebin.com/m72927397
> A selection of raw avc messages can be seen here:
> http://pastebin.com/m7b60d46a
> And 3 of the entire avc messages here:
> http://pastebin.com/m1fc5a466
>
>
> I really do thank you for your help...
>
> AD
>
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Adding the following policy to clamscan
mta_send_mail(clamscan_t)
corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_all_if(clamscan_t)
corenet_tcp_sendrecv_all_nodes(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
Shoudl fix.
Updated in selinux-policy-3.3.1-85.fc9
More information about the fedora-selinux-list
mailing list