Clamd getting out of hand...

Daniel J Walsh dwalsh at redhat.com
Wed Aug 13 18:48:01 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arthur Dent wrote:
> On Tue, Aug 12, 2008 at 03:31:59PM -0400, Daniel J Walsh wrote:
>> Arthur Dent wrote:
>>> On Wed, Aug 06, 2008 at 09:34:03AM -0400, Daniel J Walsh wrote:
>>>> Arthur Dent wrote:
>>>>> On Wed, Jul 30, 2008 at 03:33:14PM -0400, Daniel J Walsh wrote:
>>>
>>>> Adding the following policy to clamscan
>>>>
>>>> mta_send_mail(clamscan_t)
>>>> corenet_all_recvfrom_unlabeled(clamscan_t)
>>>> corenet_all_recvfrom_netlabel(clamscan_t)
>>>> corenet_tcp_sendrecv_all_if(clamscan_t)
>>>> corenet_tcp_sendrecv_all_nodes(clamscan_t)
>>>> corenet_tcp_sendrecv_all_ports(clamscan_t)
>>>> corenet_tcp_sendrecv_clamd_port(clamscan_t)
>>>> corenet_tcp_connect_clamd_port(clamscan_t)
>>>>
>>>> Should fix.
>>>>
>>>> Updated in selinux-policy-3.3.1-85.fc9
>>> Hi Daniel,
>>>
>>> Thank you very much for taking the time to help me on this.
>>>
>>> This is the first chance I've had to test your policy. With setenforce
>>> set to 0 and just the above lines in my clamd policy I got 11 (eleven)
>>> AVC denials for the first inbound email.
>>>
>>> I have put all 11 AVCs (full) here:
>>>
>>> http://pastebin.com/m3126be9d
>>>
>>>
>>> Running audit2allow on those says I should also have the following
>>> policies:
>>>
>>> require {
>>> 	type clamscan_t;
>>> 	type procmail_log_t;
>>> 	type clamd_t;
>>> 	class tcp_socket { write create connect };
>>> 	class file append;
>>> }
>>>
>>> #============= clamd_t ==============
>>> corenet_tcp_bind_generic_port(clamd_t)
>>>
>> What port is it binding to?
>>> #============= clamscan_t ==============
>>> allow clamscan_t procmail_log_t:file append;
>> Sounds ok
>>> allow clamscan_t self:tcp_socket { write create connect };
>> allow clamscan_t self:tcp_socket create_stream_socket_perms;
>>> corenet_tcp_connect_generic_port(clamscan_t)
>> What port is it connecting to?
>>> mta_read_queue(clamscan_t)
>>> procmail_rw_tmp_files(clamscan_t)
>> Ok
>>> What do you think?
> 
> Daniel, thanks for your input. Much appreciated.
> 
> I'm not sure I understand the inner workings of clamd, nor do I really
> know the difference between binding to a port and connecting to a port.
> I therefore list the only entries I can see in clamd.conf that relate
> vaguely to "ports":
> 
> #
> # TCP port address.
> # Default: no
> TCPSocket 3310
> #
> # TCP address.
> # By default we bind to INADDR_ANY, probably not wise.
> # Enable the following to provide some degree of protection
> # from the outside world.
> # Default: no
> TCPAddr 127.0.0.1
> #
> 
> and
> 
> #
> # Limit port range.
> # Default: 1024
> StreamMinPort 30000
> # Default: 2048
> StreamMaxPort 32000
> #
> 
> If you think I should change these clamd settings or modify by clamd
> selinux policy please let me know.
> 
> Thanks again...
> 
> AD
> 
> 
> 
No, if you look at the AVC message that referred to port_t, there is a src
or dest field.  This is the number of the port that clamd tried to
connect to or listened for incoming connections on.

network_port(clamd, tcp,3310,s0)


Is already in policy so it must be another port.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkijLGEACgkQrlYvE4MpobM/TgCgpu/XiHVkvdz0nKIY20wOfXYg
ojkAoM63/HUYya2L5M3DlN0Yjf5f/cT3
=3Y5G
-----END PGP SIGNATURE-----
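The point Dan makes above (read the src= or dest= field of the tcp_socket denial, then check whether that port is already labelled, as 3310 is via network_port(clamd, tcp,3310,s0)) is what audit2allow skips over when it emits the generic corenet_*_generic_port() interface. The script below is an added example, not code from either poster or from the SELinux project: it parses AVC denials into fields, pulls the port number out of name_connect (dest=) and name_bind (src=) denials, and derives the corenet interface name the way audit2allow's output in the thread does (clamd_port_t -> corenet_tcp_connect_clamd_port, port_t -> corenet_tcp_bind_generic_port). The sample AVC lines are constructed for the example and are not the eleven from the pastebin; the 30000 bind is hypothetical and only illustrates what a hit on an unlabelled port looks like.

```python
"""Extract the port and matching corenet interface from SELinux AVC denials.

Added example; sample denials are constructed, laid out the way auditd
records them: name_connect denials carry the peer port in dest=, name_bind
denials carry the local port in src=.
"""
import re

# key=value tokens of an audit record; quoted values keep their spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set between the braces:  denied  { name_connect }
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Port types whose refpolicy interface does not follow the <type>_port pattern.
INTERFACE_OVERRIDES = {
    "unreserved_port_t": "corenet_{proto}_{action}_all_unreserved_ports({domain})",
}

# Constructed sample denials (not the ones from the pastebin in the thread).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1218650000.101:4001): avc:  denied  { name_connect } for  '
    'pid=2103 comm="clamscan" dest=3310 scontext=system_u:system_r:clamscan_t:s0 '
    'tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1218650000.102:4002): avc:  denied  { name_bind } for  '
    'pid=1987 comm="clamd" src=30000 scontext=system_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1218650000.103:4003): avc:  denied  { append } for  '
    'pid=2103 comm="clamscan" name="procmail.log" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:clamscan_t:s0 '
    'tcontext=system_u:object_r:procmail_log_t:s0 tclass=file',
]


def parse_avc(line):
    """Return {'perms': set, 'fields': dict}, or None if the line is no denial."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {"perms": set(m.group(1).split()), "fields": fields}


def selinux_type(context):
    """user:role:type:level -> type, e.g. system_u:object_r:clamd_port_t:s0."""
    return context.split(":")[2]


def recommend(line):
    """For a tcp/udp port denial, return the port, its label and the corenet
    interface to use; None for anything that is not a port denial."""
    rec = parse_avc(line)
    if rec is None:
        return None
    f, perms = rec["fields"], rec["perms"]
    tclass = f.get("tclass", "")
    if tclass not in ("tcp_socket", "udp_socket"):
        return None
    proto = tclass.split("_")[0]
    if "name_connect" in perms:
        action, port = "connect", f.get("dest")   # outbound: peer port in dest=
    elif "name_bind" in perms:
        action, port = "bind", f.get("src")       # listening: local port in src=
    else:
        return None
    if port is None:
        return None
    domain = selinux_type(f["scontext"])
    port_type = selinux_type(f["tcontext"])
    if port_type in INTERFACE_OVERRIDES:
        interface = INTERFACE_OVERRIDES[port_type].format(
            proto=proto, action=action, domain=domain)
    elif port_type == "port_t":
        interface = f"corenet_{proto}_{action}_generic_port({domain})"
    elif port_type.endswith("_port_t"):
        base = port_type[: -len("_port_t")]
        interface = f"corenet_{proto}_{action}_{base}_port({domain})"
    else:
        return None
    if port_type == "port_t":
        # domain "clamd_t" -> "clamd"; the guessed type name must be checked
        # against the loaded policy before it is used.
        base = domain[:-2] if domain.endswith("_t") else domain
        note = (f"{proto}/{port} is unlabeled (port_t); the generic interface "
                f"opens every unlabeled port. Prefer labeling the port, then use "
                f"the specific interface: semanage port -a -t {base}_port_t "
                f"-p {proto} {port} (confirm the type exists first: "
                f"semanage port -l | grep {base}_port_t)")
    else:
        note = f"{proto}/{port} is already labeled {port_type}; use the interface as is."
    return {"domain": domain, "proto": proto, "action": action,
            "port": int(port), "port_type": port_type,
            "interface": interface, "note": note}


if __name__ == "__main__":
    for avc in SAMPLE_AVCS:
        r = recommend(avc)
        if r is not None:
            print(r["interface"], "#", r["note"])
```

Run against a real system with something like `ausearch -m avc -ts recent | python3 thisfile.py` after swapping SAMPLE_AVCS for sys.stdin; the two things to read off each hit are the port number and whether tcontext is a real service type or the catch-all port_t, because only the latter calls for a semanage port label rather than a policy interface.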



