Current status of mailman and clamav selinux

Edward Kuns ekuns at kilroy.chi.il.us
Thu Mar 20 00:42:55 UTC 2008


With current policies from RH8 updates, I removed the clamav policy I
had in place to see what current AVCs I receive.  All AVCs I receive
regularly are related to mailman.  

I get a *lot* of this:

host=kilroy.chi.il.us type=AVC msg=audit(1205972595.706:10245): avc:
denied { read write } for pid=28531 comm="mailman"
path="socket:[3905242]" dev=sockfs ino=3905242
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
host=kilroy.chi.il.us type=SYSCALL msg=audit(1205972595.706:10245):
arch=40000003 syscall=11 success=yes exit=0 a0=8845e78 a1=8845f48
a2=88454f8 a3=40 items=0 ppid=28530 pid=28531 auid=4294967295 uid=8
gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
comm="mailman" exe="/usr/lib/mailman/mail/mailman"
subj=system_u:system_r:mailman_mail_t:s0 key=(null) 

which I suspect is sendmail not closing a socket before it forks
mailman, but I am not certain how to judge, nor how to get sendmail to
address the issue.


The one I get more rarely seems to occur once every time clamav finds a
virus.  I get the following collection of AVCs for each virus discovered
by clamav:

type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for
pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
ino=327743 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for
pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
ino=327743 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write }
for  pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs
ino=3831091 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write }
for  pid=26516 comm="sendmail" path="socket:[3855167]" dev=sockfs
ino=3855167 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write }
for  pid=26516 comm="sendmail"
path="/var/tmp/clamav-00c6b962e3f10e1caad8ced3cff4e084/msg.2Orwhh"
dev=dm-2 ino=32843 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file
host=kilroy.chi.il.us type=SYSCALL msg=audit(1205970966.746:10166):
arch=40000003 syscall=11 success=yes exit=0 a0=89d56d0 a1=89d57a8
a2=89d4b98 a3=40 items=0 ppid=2867 pid=26516 auid=4294967295 uid=492
gid=486 euid=492 suid=492 fsuid=492 egid=51 sgid=51 fsgid=51 tty=(none)
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0 key=(null) 

The setroubleshoot browser message associated with these AVCs is:
"SELinux is preventing sendmail (system_mail_t) "append"
to /var/log/clamd.milter (clamd_var_log_t)."  For now I've created a new
myclamav policy from the above AVCs (just the 2nd set listed).

		Eddie

-- 
  Eddie Kuns  |  Home: ekuns at kilroy.chi.il.us
--------------/  URL:  http://kilroy.chi.il.us/
  "Ah, savory cheese puffs, made inedible by time and fate." -- The Tick
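
The local-module step mentioned in the post ("created a new myclamav policy from the above AVCs"), shown as an added example that is not from the post, from Fedora's policy or from audit2allow itself. It is a small stand-in for what `audit2allow -M` does: parse the AVC records, merge permissions per (source type, target type, class), and emit a loadable `.te` module with its `require` block. The module names `myclamav` and `mymailman` and the `dontaudit` choice below are this example's assumptions; the sample records are the post's AVC lines rewrapped one record per line, as they appear in audit.log. One check worth making before allowing anything: both sets of denials carry a SYSCALL record with `syscall=11` on `arch=40000003`, i.e. execve on i386, which means the denied objects are descriptors inherited across the exec into the new domain. The kernel closes those and replaces them with /dev/null at exec time, so nothing functional depends on them, and the usual policy answer for such leaks is `dontaudit` rather than `allow`. The example takes a set of rule keys to emit as `dontaudit` for that reason.

```python
import re

# Constructed sample input: the AVC and SYSCALL records quoted in the post,
# rewrapped onto one line per record as they appear in /var/log/audit/audit.log.
CLAMAV_RECORDS = """\
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2 ino=327743 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { append } for pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2 ino=327743 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write } for  pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs ino=3831091 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write } for  pid=26516 comm="sendmail" path="socket:[3855167]" dev=sockfs ino=3855167 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc:  denied  { read write } for  pid=26516 comm="sendmail" path="/var/tmp/clamav-00c6b962e3f10e1caad8ced3cff4e084/msg.2Orwhh" dev=dm-2 ino=32843 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1205970966.746:10166): arch=40000003 syscall=11 success=yes exit=0 pid=26516 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0
"""

MAILMAN_RECORDS = """\
type=AVC msg=audit(1205972595.706:10245): avc: denied { read write } for pid=28531 comm="mailman" path="socket:[3905242]" dev=sockfs ino=3905242 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1205972595.706:10245): arch=40000003 syscall=11 success=yes exit=0 pid=28531 comm="mailman" exe="/usr/lib/mailman/mail/mailman" subj=system_u:system_r:mailman_mail_t:s0
"""

# Matches only AVC denial records; SYSCALL, CWD, PATH records carry no denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type. The type is always field 2, even with an MLS range."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = frozenset(m.group("perms").split())
        yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perms


def merge_rules(denials):
    """Collapse repeated denials into one rule per (source, target, class), unioning permissions."""
    rules = {}
    for src, tgt, cls, perms in denials:
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def render_module(name, rules, dontaudit=frozenset()):
    """Render a loadable .te module. Keys listed in `dontaudit` become dontaudit rules."""
    types, classes = {}, {}
    for (src, tgt, cls), perms in rules.items():
        types[src] = None
        types[tgt] = None
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in classes.items()]
    out += ["}", ""]
    for (src, tgt, cls), perms in rules.items():
        verb = "dontaudit" if (src, tgt, cls) in dontaudit else "allow"
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"{verb} {src} {tgt}:{cls} {p};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The clamav set: five denials collapse to three rules (the duplicated append is merged).
    print(render_module("myclamav", merge_rules(parse_avcs(CLAMAV_RECORDS))))
    # The mailman set: a socket leaked across exec, so silence it instead of allowing it.
    leaked = {("mailman_mail_t", "sendmail_t", "unix_stream_socket")}
    print(render_module("mymailman", merge_rules(parse_avcs(MAILMAN_RECORDS)), dontaudit=leaked))
```

The rendered text is what you would save as `myclamav.te` and build with `checkmodule -M -m -o myclamav.mod myclamav.te`, `semodule_package -o myclamav.pp -m myclamav.mod` and `semodule -i myclamav.pp` (the same three steps `audit2allow -M myclamav` runs for you). Before loading it, read the rules rather than trusting the tool: an `allow` that grants `read write` on another domain's socket or on `clamd_tmp_t` files is broader than "let sendmail append to the milter log", and if the only evidence for it is an execve-time denial it is a leak to dontaudit, not an access the program needs.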