cron_t freshclam

Daniel J Walsh dwalsh at redhat.com
Mon Sep 29 14:54:38 UTC 2008


Sebastian Hennebrueder wrote:
> Hello,
> the freshclam daemon tries to download the updated virus definition to
> /var/clamav
> 
> The directory has the context
> drwxr-xr-x  clamav clamav system_u:object_r:clamd_t        clamav
> 
A directory should not have a type of clamd_t. This is a process
type. You probably want to label this clamd_var_lib_t. Then everything
should work.

You must have put this label on in permissive mode.

chcon -t clamd_var_lib_t /var/clamav

will fix the problem.  Is this a standard directory for this?  My policy
expects you to use /var/lib/clamav?  Although I just saw mention of this
directory in debian policy.


> I get the following error message
> type=AVC msg=audit(1222221728.847:3043): avc:  denied  { write } for 
> pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222304223.589:82): avc:  denied  { write } for 
> pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222304223.666:83): avc:  denied  { write } for 
> pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222308125.673:100): avc:  denied  { write } for 
> pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222308125.911:101): avc:  denied  { write } for 
> pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> 
> Using audit2allow I get
> module dummy 1.0;
> 
> require {
>        type unconfined_t;
>        type crond_t;
>        type clamd_t;
>        class dir write;
> }
> 
> #============= crond_t ==============
> allow crond_t clamd_t:dir write;
> 
> #============= unconfined_t ==============
> allow unconfined_t clamd_t:dir write;
> 
> 
> My impression was that unconfined_ access allows a quite wide access but
> some testing showed me that without even root cannot create files in
> that directory.
> type=AVC msg=audit(1222590942.079:771): avc:  denied  { write } for 
> pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0
> ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> 
> So my question, can I allow unconfined access and to what extent will
> this open the directory?
> 
> Best Regards
> 
> Sebastian Hennebrueder
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
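As an added example (not part of the thread above, and not ClamAV's or the Fedora policy's own code), the following POSIX shell script does two things a practitioner would want when triaging denials like the ones quoted: it condenses the AVC records into distinct "source domain -> target type:class { permission }" tuples, which makes the mislabel obvious (every denial has a process domain, clamd_t, as the target of a dir write), and it prints the persistent form of the fix. `chcon -t clamd_var_lib_t /var/clamav` works immediately but is lost on the next relabel; `semanage fcontext` records the mapping in local policy so `restorecon` reapplies it. The sample log lines are constructed from the records quoted above; the parsing uses only `sed` and `sort`, so it runs on a machine without SELinux tools.

```shell
#!/bin/sh
# Added example: summarise AVC denials and emit a persistent relabel.
# Sample records below are constructed from the ones quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1222304223.589:82): avc:  denied  { write } for  pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222308125.673:100): avc:  denied  { write } for  pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222590942.079:771): avc:  denied  { write } for  pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir'

# avc_summary: read AVC records on stdin, print one line per distinct
# (source domain, target type, object class, permission) tuple.
# The third colon-separated field of a context is its type; user and
# role are skipped, and the MLS range after the type is ignored.
avc_summary() {
    sed -n 's/.*denied *{ *\([a-z_]*\) *} .* scontext=[^:]*:[^:]*:\([^:]*\):.* tcontext=[^:]*:[^:]*:\([^:]*\):.* tclass=\([a-z_]*\).*/\2 -> \3:\4 { \1 }/p' \
        | sort -u
}

# relabel_cmds DIR TYPE: print the commands that make a relabel stick.
# chcon only changes the on-disk label; semanage fcontext adds the
# path pattern to local policy so restorecon and full relabels keep it.
relabel_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
    printf 'ls -Zd %s\n' "$1"   # verify the new type afterwards
}

# Stand-alone run: summarise the sample, then show the fix for the
# directory and file type from the thread.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
relabel_cmds /var/clamav clamd_var_lib_t
```

On a live system, feed `ausearch -m avc -ts recent` into `avc_summary` instead of the constructed sample, and confirm the intended type with `matchpathcon /var/clamav` before running the emitted commands. The summary should show only file types (for example `clamd_var_lib_t`) on the target side; a domain type such as `clamd_t` there means the object is mislabelled, which is the fix Dan describes, rather than a missing allow rule, which is what `audit2allow` would generate.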
