SELinux interfering with clamav?
Edward Kuns
ekuns at kilroy.chi.il.us
Sat Mar 1 21:22:51 UTC 2008
Well what do you know! Allowing bin_t dir search and lnk read, today I
get the following AVC (cleaned up a bit). It looks like the clamav
milter is trying to run a script. I am making the assumption that this
script execution is valid.

Summary

SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "execute" to
<Unknown> (shell_exec_t).

Additional Information

Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                None [ file ]
Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
                              Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sat 01 Mar 2008 03:13:03 PM CST
Last Seen                     Sat 01 Mar 2008 03:13:03 PM CST
Local ID                      e5f2cc68-acf3-4cc6-8c75-c73e0863d49a
Line Numbers

Raw Audit Messages

avc: denied { execute } for comm=clamav-milter dev=dm-0 egid=486 euid=492
exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0
name=bash pid=22644 scontext=system_u:system_r:clamd_t:s0 sgid=486
subj=system_u:system_r:clamd_t:s0 suid=492 tclass=file
tcontext=system_u:object_r:shell_exec_t:s0 tty=(none) uid=492

The now current policy with all changes mentioned before is:

module myclamav 1.0;

require {
        type shell_exec_t;
        type bin_t;
        type clamd_t;
        class lnk_file read;
        class file execute;
        class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
allow clamd_t bin_t:lnk_file read;
allow clamd_t shell_exec_t:file execute;

If I get anything new I will send another EMail. I'll also upgrade to
the latest Fedora 8 selinux policy and setroubleshoot soon. :)
Eddie
--
Edward Kuns <ekuns at kilroy.chi.il.us>