SELinux interfering with clamav?
Daniel J Walsh
dwalsh at redhat.com
Fri Feb 29 14:16:34 UTC 2008
Edward Kuns wrote:
> A couple times a day (23 times in 10 days), I get the following AVC:
>
> Summary
> SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "search" to
> <Unknown> (bin_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/clamav-milter. It is not
> expected that this access is required by /usr/sbin/clamav-milter and this
> access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for <Unknown>, restorecon -v
> <Unknown> If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context system_u:system_r:clamd_t:s0
> Target Context system_u:object_r:bin_t:s0
> Target Objects None [ dir ]
> Affected RPM Packages clamav-milter-0.92.1-1.fc8 [application]
> Policy RPM selinux-policy-3.0.8-84.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name kilroy.chi.il.us
> Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
> Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count 23
> First Seen Wed 20 Feb 2008 12:25:16 PM CST
> Last Seen Thu 28 Feb 2008 09:11:28 PM CST
> Local ID 7eb02331-c2e4-4c65-a413-d283fbb7ca6f
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492
> exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0
> name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486
> subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir
> tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492
>
> I assume that we want to allow clamav to scan anything on the system,
> yes? If I follow the advice from an earlier Email and try the
> following:
>
> grep clamav /var/log/audit/audit.log | audit2allow -M clamav
>
> I get a file that contains:
>
>
> module clamav 1.0;
>
> require {
> type bin_t;
> type clamd_t;
> class dir search;
> }
>
> #============= clamd_t ==============
> allow clamd_t bin_t:dir search;
>
>
> Is this something that should be part of standard policy? Hmm, I try to
> install the above policy and get a complaint:
>
> # semodule -i clamav.pp
> libsepol.print_missing_requirements: clamav's global requirements were
> not met: type/attribute clamd_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
>
> Any thoughts?
>
> Thanks
>
> Eddie
>
Always add a user-specific front end to your policy:
grep clamav /var/log/audit/audit.log | audit2allow -M MYclamav
semodule -i MYclamav.pp
Otherwise you are trying to replace the clamav.pp installed as part of
selinux-policy.
This policy seems reasonable, but most likely clamav-milter is going to
/usr/bin to execute something. So you might end up needing either
corecmd_exec_bin(clamd_t)
or some transition to another domain.
If you have an idea what app it is looking for, we can correct the policy.
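As an added illustration (not code from this thread, and not audit2allow itself), the following script does by hand what the two replies describe: it parses a raw AVC record of the shape quoted above, renders the require/allow module that audit2allow -M would write, and checks the chosen module name against a constructed stand-in for the list of modules that selinux-policy already installs, so a name such as "clamav" is caught before semodule -i fails or replaces the distribution module. The sample AVC line and the installed-module set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as the raw AVC quoted in the thread.
SAMPLE_AVC = ("avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492 "
              "exe=/usr/sbin/clamav-milter exit=-13 name=bin pid=13663 "
              "scontext=system_u:system_r:clamd_t:s0 tclass=dir "
              "tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492")

# Constructed stand-in for `semodule -l` output: modules shipped by selinux-policy.
INSTALLED_MODULES = {"clamav", "apache", "postfix", "unconfined"}

def parse_avc(line):
    """Return (source type, target type, class, perms) from one raw AVC, or None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line[m.end():]))
    # scontext/tcontext are user:role:type:level; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], tuple(m.group(1).split())

def fmt_perms(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_module(name, lines):
    """Emit a .te module in the layout audit2allow -M produces, merging duplicate denials."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out)

def module_name_collides(name, installed=INSTALLED_MODULES):
    """True when `semodule -i name.pp` would try to replace a distribution module."""
    return name in installed
```

Running build_module("MYclamav", [SAMPLE_AVC]) yields the same require block and `allow clamd_t bin_t:dir search;` rule as the quoted audit2allow output, while module_name_collides("clamav") flags the name that produced the link failure.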