Clamav/SeLinux, issue with system call recvmsg, and auxilary data.
Dominick Grift
domg472 at gmail.com
Mon Sep 28 15:49:32 UTC 2009
On Mon, Sep 28, 2009 at 04:22:18PM +0100, J. David Rye of Roadtech wrote:
>
>
> Hello All
>
> I triggered this issue with clamav/clamav-milter 0.95.2 from rpmforge running on a test box with Centos 5.3
>
> Clamd opens a socket /var/run/clamav/clamd.sock to accept requests to scan things.
>
> ls -Z /var/run/clamav/clamd.sock
> srwxrwxrwx clamav clamav root:object_r:clamd_var_run_t /var/run/clamav/clamd.sock
>
> Requests are read using the system call recvmsg, this allows for the passing auxiliary control data.
>
> Clamav-milter 0.95.2 uses this to pass a handle to the temp file containing the data to be scanned
>
> With SeLinux set to targeted enforcing, this call reads and returns the normal data fine, but returns with the
> flag MSG_CTRUNC set.
>
> according to the man page this is
> "indicates that some control data were discarded due to lack of space in the buffer for ancillary data."
>
> clamd responded by closing the socket, clamav-milter responded to the closed socket by looping a 100% CPU. :-(
>
>
> Running the audit log through audit2allow suggests
>
> grep clam /var/log/audit/audit.log | audit2allow -m local > local.te
> [root at fallback0 selinux]# cat local.te
>
> module local 1.0;
>
> require {
> type initrc_tmp_t;
> type proc_t;
> type sysctl_kernel_t;
> type clamd_t;
> class dir search;
> class file { read write getattr };
> }
>
> #============= clamd_t ==============
> allow clamd_t initrc_tmp_t:file { read write getattr };
> allow clamd_t proc_t:file { read getattr };
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
The first line means that something runs in the initrc_t init script domain. Either the program executable file for this process is mislabeled or there is no policy for this init daemon.
ps auxZ | grep initrc_t
The second and third /
fourth line signal that clamd_t needs read access to read_system_state and read_sysctls.
You could extend the clamd domain with a custom policy module to implement this
echo "policy_module(myclamd, 0.0.1)" >> myclamd.te;
echo "require { type clamd_t; }" > myclamd.te;
echo "kernel_read_system_state(clamd_t)" > myclamd.te;
echo "kernel_read_kernel_sysctls(clamd_t)" > myclamd.te;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
>
>
> The allow clamd_t proc_t:file { read getattr }; looks to relate to reading /proc/meminfo
>
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
> Look to relate to these log entries
> type=AVC msg=audit(1254139856.343:48724): avc: denied { search } for pid=14771 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> type=AVC msg=audit(1254139856.343:48724): avc: denied { read } for pid=14771 comm="clamd" name="ngroups_max" dev=proc ino=-268435368 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
> type=AVC msg=audit(1254149740.665:48885): avc: denied { search } for pid=1261 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
>
> This if I have figured it out right relate to something that clamd is calling in turn trying to read /proc/sys/kernel/ngroups_max
>
>
> So by elimination
> allow clamd_t initrc_tmp_t:file { read write getattr };
>
> Must relate to the the use of auxiliary data with the socket, and the following log entries but I do not see why.
> Can anyone explain?
>
> type=AVC msg=audit(1254150147.188:48924): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3063666237656532666331656139656636323364373463316236626532623735202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150153.681:48925): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3336316332323033323138613239633865363633633937303962663133363664202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150177.903:48926): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3366636162623138633237636231383466643064656630643838353063363933202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150188.366:48927): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D6366393131623632353130333564353832656435396466663136373362626131202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(1254150220.428:48928): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3931633534623761393630653531386630363539653033363537303937323135202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
>
>
> Yours
>
> J. David Rye
>
>
>
>
>
>
>
>
>
>
>
> *************************************************************************
> This e-mail is confidential and may be legally privileged. It is intended
> solely for the use of the individual(s) to whom it is addressed. Any
> content in this message is not necessarily a view or statement from Road
> Tech Computer Systems Limited but is that of the individual sender. If
> you are not the intended recipient, be advised that you have received
> this e-mail in error and that any use, dissemination, forwarding,
> printing, or copying of this e-mail is strictly prohibited. We use
> reasonable endeavours to virus scan all e-mails leaving the company but
> no warranty is given that this e-mail and any attachments are virus free.
> You should undertake your own virus checking. The right to monitor e-mail
> communications through our networks is reserved by us
>
> Road Tech Computer Systems Ltd. Shenley Hall, Rectory Lane, Shenley,
> Radlett, Hertfordshire, WD7 9AN. - VAT Registration No GB 449 3582 17
> Registered in England No: 02017435, Registered Address: Charter Court,
> Midland Road, Hemel Hempstead, Hertfordshire, HP2 5GE.
> *************************************************************************
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090928/b81602fa/attachment.sig>
More information about the fedora-selinux-list
mailing list