SELinux interfering with clamav?

Edward Kuns ekuns at kilroy.chi.il.us
Sat Mar 1 03:45:23 UTC 2008


Interesting.  After I enabled the last policy, I get one new AVC about
lnk files.  I make a new policy using the same method as before and now
I get this policy:

module myclamav 1.0;

require {
        type bin_t;
        type clamd_t;
        class lnk_file read;
        class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
allow clamd_t bin_t:lnk_file read;

I'll let you know if more show up with the modified policy above
applied.  Here is the AVC:

Summary
    SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "read" to <Unknown>
    (bin_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/clamav-milter. It is not
    expected that this access is required by /usr/sbin/clamav-milter and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                None [ lnk_file ]
Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
                              Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   4
First Seen                    Fri 29 Feb 2008 12:22:44 PM CST
Last Seen                     Fri 29 Feb 2008 07:56:45 PM CST
Local ID                      c5169662-b069-4270-84f8-a7aa4aa38100
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=clamav-milter dev=dm-0 egid=486 euid=492
exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 name=sh
pid=2928 scontext=system_u:system_r:clamd_t:s0 sgid=486
subj=system_u:system_r:clamd_t:s0 suid=492 tclass=lnk_file
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492
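
Added example, not part of the original post: a Python sketch of how the raw audit message above maps to the allow rules in the myclamav module, keeping the denied object name (here sh) beside each rule so it can be reviewed before the module is loaded. The function names are hypothetical and this is not audit2allow's own code.

```python
import re
from collections import defaultdict

# Raw audit message from the post, re-joined onto one line (mail wrapping removed).
SAMPLE_AVC = (
    "avc: denied { read } for comm=clamav-milter dev=dm-0 egid=486 euid=492 "
    "exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 "
    "name=sh pid=2928 scontext=system_u:system_r:clamd_t:s0 sgid=486 "
    "subj=system_u:system_r:clamd_t:s0 suid=492 tclass=lnk_file "
    "tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted in audit.log


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(context):
    """Pull the type out of user:role:type[:level], e.g. clamd_t."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def allow_rules(lines):
    """Group denials into (rule, object names) pairs so each rule can be reviewed."""
    perms, names = defaultdict(set), defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or not avc["perms"] or not {"scontext", "tcontext", "tclass"} <= avc.keys():
            continue  # skip non-AVC or truncated records
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        perms[key].update(avc["perms"])
        names[key].add(avc.get("name", "<unknown>"))
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = sorted(p)
        perm = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append((f"allow {src} {tgt}:{cls} {perm};", sorted(names[(src, tgt, cls)])))
    return rules
```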




