cron_t freshclam

Sebastian Hennebrueder usenet at laliluna.de
Sun Sep 28 08:37:29 UTC 2008


Hello,
the freshclam daemon tries to download the updated virus definitions to 
/var/clamav

The directory has the context
drwxr-xr-x  clamav clamav system_u:object_r:clamd_t        clamav

I get the following error message
type=AVC msg=audit(1222221728.847:3043): avc:  denied  { write } for  
pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241 
scontext=user_u:system_r:unconfined_t:s0 
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.589:82): avc:  denied  { write } for  
pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.666:83): avc:  denied  { write } for  
pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222308125.673:100): avc:  denied  { write } for  
pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 
scontext=user_u:system_r:unconfined_t:s0 
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222308125.911:101): avc:  denied  { write } for  
pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 
scontext=user_u:system_r:unconfined_t:s0 
tcontext=system_u:object_r:clamd_t:s0 tclass=dir

Using audit2allow I get
module dummy 1.0;

require {
        type unconfined_t;
        type crond_t;
        type clamd_t;
        class dir write;
}

#============= crond_t ==============
allow crond_t clamd_t:dir write;

#============= unconfined_t ==============
allow unconfined_t clamd_t:dir write;


My impression was that unconfined_t allows quite wide access, but 
some testing showed me that even root cannot create files in 
that directory.
type=AVC msg=audit(1222590942.079:771): avc:  denied  { write } for  
pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241 
scontext=user_u:system_r:unconfined_t:s0 
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2 
success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0 
ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch" 
subj=user_u:system_r:unconfined_t:s0 key=(null)

So my question: can I allow unconfined access, and to what extent will 
this open the directory?

Best Regards

Sebastian Hennebrueder
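The denials above are easier to reason about once they are reduced to (source type, target type, object class, permissions) tuples, which is exactly what audit2allow does before printing allow rules. The following is an added example, not code from the original post or from the SELinux tools: a small parser for the AVC record format shown above, plus a lookup of the matching SYSCALL record so the EACCES (exit=-13) can be tied to its denial. The sample records are constructed from the post (the mail client wrapped them; real audit records are one physical line each), and the helper names are this example's own.

```python
"""Parse SELinux AVC denials from an audit log and summarise them.

Added example, not part of the original post. It groups denials by
(source type, target type, object class) the way audit2allow does and
maps audit serials to the exit code of the accompanying SYSCALL record.
"""
import re
from collections import defaultdict

# Constructed sample, rebuilt from the records in the post with each audit
# record on a single line (the mailing-list copy had them soft-wrapped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1222221728.847:3043): avc:  denied  { write } for  pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.589:82): avc:  denied  { write } for  pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.666:83): avc:  denied  { write } for  pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222590942.079:771): avc:  denied  { write } for  pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0 ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch" subj=user_u:system_r:unconfined_t:s0 key=(null)
"""

# "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm ... } for  k=v ..."
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
SYSCALL_RE = re.compile(r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(s):
    """Split 'k=v k2="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def context_type(ctx):
    """user:role:type[:range] -> type  (e.g. system_u:object_r:clamd_t:s0 -> clamd_t)."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return one dict per AVC record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        f = _kv(m.group('rest'))
        records.append({
            'serial': int(m.group('serial')),
            'verdict': m.group('verdict'),
            'perms': frozenset(m.group('perms').split()),
            'comm': f.get('comm'),
            'stype': context_type(f['scontext']),
            'ttype': context_type(f['tcontext']),
            'tclass': f['tclass'],
        })
    return records


def summarize(records):
    """Merge denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for r in records:
        if r['verdict'] == 'denied':
            groups[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return dict(groups)


def allow_rules(records):
    """Render the summary as allow rules in the form audit2allow prints them."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summarize(records).items())
    ]


def syscall_results(text):
    """Map audit serial -> (syscall number, exit code) from SYSCALL records."""
    out = {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            f = _kv(m.group('rest'))
            out[int(m.group('serial'))] = (int(f['syscall']), int(f['exit']))
    return out


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    for r in recs:
        sc = syscall_results(SAMPLE_AUDIT).get(r['serial'])
        if sc:
            # syscall 2 on x86_64 is open(); exit -13 is EACCES
            print(f"serial {r['serial']}: {r['comm']} syscall={sc[0]} exit={sc[1]}")
```

Run against the post's records this yields the same two rules audit2allow produced (crond_t and unconfined_t writing to clamd_t:dir). Before compiling such rules into a module it is worth checking whether the directory simply carries the wrong label: `matchpathcon /var/clamav` prints the label the loaded policy expects for that path, and `restorecon -nv /var/clamav` shows what relabelling would change without applying it. If the expected type differs from clamd_t, relabelling is the narrower fix; a blanket `allow unconfined_t clamd_t:dir write` grants every unconfined process write access to every directory of that type, not just this one.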




More information about the fedora-selinux-list mailing list