SELinux interfering with clamav?
Edward Kuns
ekuns at kilroy.chi.il.us
Fri Feb 29 14:30:00 UTC 2008
On Fri, 2008-02-29 at 09:16 -0500, Daniel J Walsh wrote:
> Always add a user specify front end to your policy.
D'oh! That fixed it. Thanks.
> This policy seems reasonable but most likely clamav-milter is going to
> /usr/bin to execute something. So you might end up needing either
>
> corecmd_exec_bin(clamd_t)
>
> Or some transition to another domain.
>
> If you have an idea what app it is looking for, we can correct the policy.
How can I find out what it's looking for? As a test, I just added the
policy:
module myclamav 1.0;
require {
type bin_t;
type clamd_t;
class dir search;
}
#============= clamd_t ==============
allow clamd_t bin_t:dir search;
so if I understand this, you expect that I should later today get an AVC
that clamav is trying to execute something that is bin_t? Assuming
that's the case, I'll see what is there when I get home from work later
and I'll post that. But if there's something else I can do to find out,
let me know.
Thanks
Eddie
More information about the fedora-selinux-list
mailing list