Clamav/SELinux, issue with system call recvmsg, and auxiliary data.

J. David Rye of Roadtech d.rye at roadtech.co.uk
Mon Sep 28 15:22:18 UTC 2009



Hello All

I triggered this issue with clamav/clamav-milter 0.95.2 from rpmforge running on a test box with Centos 5.3

Clamd opens a socket /var/run/clamav/clamd.sock to accept requests to scan things.

ls -Z /var/run/clamav/clamd.sock
srwxrwxrwx  clamav clamav root:object_r:clamd_var_run_t    /var/run/clamav/clamd.sock

Requests are read using the system call recvmsg, which allows auxiliary control data to be passed.

Clamav-milter 0.95.2 uses this to pass a handle to the temp file containing the data to be scanned

With SELinux set to targeted enforcing, this call reads and returns the normal data fine, but returns with the
flag MSG_CTRUNC set.

According to the man page this
"indicates that some control data were discarded due to lack of space in the buffer for ancillary data."

clamd responded by closing the socket, and clamav-milter responded to the closed socket by looping at 100% CPU. :-(


Running the audit log through audit2allow suggests 

grep clam /var/log/audit/audit.log | audit2allow -m local > local.te
[root at fallback0 selinux]# cat local.te

module local 1.0;

require {
        type initrc_tmp_t;
        type proc_t;
        type sysctl_kernel_t;
        type clamd_t;
        class dir search;
        class file { read write getattr };
}

#============= clamd_t ==============
allow clamd_t initrc_tmp_t:file { read write getattr };
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;


The allow clamd_t proc_t:file { read getattr }; looks to relate to reading /proc/meminfo

allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
look to relate to these log entries:
type=AVC msg=audit(1254139856.343:48724): avc:  denied  { search } for  pid=14771 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1254139856.343:48724): avc:  denied  { read } for  pid=14771 comm="clamd" name="ngroups_max" dev=proc ino=-268435368 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1254149740.665:48885): avc:  denied  { search } for  pid=1261 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir

This, if I have figured it out right, relates to something that clamd is calling which in turn tries to read /proc/sys/kernel/ngroups_max


So by elimination 
allow clamd_t initrc_tmp_t:file { read write getattr };

must relate to the use of auxiliary data with the socket, and to the following log entries, but I do not see why.
Can anyone explain?

type=AVC msg=audit(1254150147.188:48924): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3063666237656532666331656139656636323364373463316236626532623735202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150153.681:48925): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3336316332323033323138613239633865363633633937303962663133363664202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150177.903:48926): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3366636162623138633237636231383466643064656630643838353063363933202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150188.366:48927): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D6366393131623632353130333564353832656435396466663136373362626131202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150220.428:48928): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3931633534623761393630653531386630363539653033363537303937323135202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file


Yours

J. David Rye 
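An added example, not from the message and not ClamAV's own code, showing the recvmsg/SCM_RIGHTS exchange the message describes, using Python's socket.sendmsg/recvmsg: a descriptor for an unlinked temporary file is passed across a socketpair and the receiver checks msg_flags for MSG_CTRUNC. With an ancillary buffer sized by CMSG_SPACE the descriptor arrives; with no ancillary buffer the kernel closes the passed descriptor and sets MSG_CTRUNC rather than failing the call. The kernel sets the same flag when the LSM file-receive check on a passed descriptor fails in scm_detach_fds, which is how a SELinux read/write denial on the passed file reaches the receiver as MSG_CTRUNC instead of an error return; that path cannot be exercised in a stand-alone script and is stated here from the kernel source, not from the message. The function names and the "SCAN" payload are this example's own.

```python
"""Added example: pass a file descriptor over an AF_UNIX socket with SCM_RIGHTS
and detect MSG_CTRUNC on the receiving side (names and payload are illustrative)."""
import array
import os
import socket
import tempfile

# Ancillary space needed for exactly one descriptor (one C int).
FD_SPACE = socket.CMSG_SPACE(array.array("i").itemsize)


def send_fd(sock, fd, payload=b"SCAN"):
    """Sender: payload goes as ordinary data, the descriptor as SCM_RIGHTS control data."""
    return sock.sendmsg([payload],
                        [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock, ancbufsize):
    """Receiver: returns (payload, received_fds, truncated).

    ancbufsize is the space offered for ancillary data. If it is too small the
    kernel drops the descriptor(s) and flags MSG_CTRUNC instead of failing the call."""
    payload, ancdata, msg_flags, _addr = sock.recvmsg(4096, ancbufsize)
    fds = array.array("i")
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Only whole ints are descriptors; a partial trailing int means truncation.
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return payload, list(fds), bool(msg_flags & socket.MSG_CTRUNC)


def handoff(ancbufsize):
    """Create an unlinked temp file (as a milter would), hand its descriptor to a
    receiver over a socketpair, and read the file back through the received fd.
    Returns (payload, number_of_fds, truncated, contents_read_via_fd)."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    tmp = tempfile.TemporaryFile()
    tmp.write(b"file contents to scan")
    tmp.flush()
    try:
        send_fd(sender, tmp.fileno())
        payload, fds, truncated = recv_fd(receiver, ancbufsize)
        contents = None
        for fd in fds:
            # The passed fd shares the file description, so rewind before reading.
            os.lseek(fd, 0, os.SEEK_SET)
            contents = os.read(fd, 64)
            os.close(fd)
        return payload, len(fds), truncated, contents
    finally:
        sender.close()
        receiver.close()
        tmp.close()


if __name__ == "__main__":
    print("sized buffer :", handoff(FD_SPACE))
    print("no buffer    :", handoff(0))
```

A receiver that gets MSG_CTRUNC on a message it expected to carry a descriptor has lost the handoff for good, since the kernel has already closed the descriptor; the robust reaction is to log the flag together with the peer and the command, reply with an error, and move on, rather than treating the socket as usable or retrying in a tight loop.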
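A second added example, again not from the message: a small parser for the AVC records quoted above. auditd writes a string field such as path= as unquoted uppercase hex whenever the value contains a character it will not print literally (a space, a double quote, a control character); otherwise the value is double-quoted. Decoding the first path= value quoted above gives /tmp/clamav-0cfb7ee2fc1ea9ef623d74c1b6be2b75 (deleted): the denied object is a milter temporary file under /tmp that had already been unlinked when the denial was logged, which fits a descriptor for it having been handed over the socket. The parser also groups denials by (source type, target type, class) into the allow rules audit2allow produced above. The sample records are copied from the message; the function names are this example's own.

```python
"""Added example: parse SELinux AVC records and decode hex-encoded path= fields."""
import re

# Three AVC records copied from the message above (not constructed).
SAMPLE_AVC = """\
type=AVC msg=audit(1254139856.343:48724): avc:  denied  { search } for  pid=14771 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1254139856.343:48724): avc:  denied  { read } for  pid=14771 comm="clamd" name="ngroups_max" dev=proc ino=-268435368 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1254150147.188:48924): avc:  denied  { read write } for  pid=1288 comm="clamd" path=2F746D702F636C616D61762D3063666237656532666331656139656636323364373463316236626532623735202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^[0-9A-F]+$")


def decode_audit_field(value):
    """auditd prints a string field double-quoted, or as unquoted uppercase hex
    when it contains a character such as a space or a double quote."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def type_of(context):
    """root:system_r:clamd_t:s0 -> clamd_t"""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = decode_audit_field(value) if key in ("path", "name", "comm") else value
    rec["stype"] = type_of(rec.get("scontext", ""))
    rec["ttype"] = type_of(rec.get("tcontext", ""))
    return rec


def summarize(text):
    """Group denials the way audit2allow does: (source type, target type, class) -> perms."""
    rules = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def paths_in(text):
    """Decoded path= values of every AVC record in text, in order."""
    return [rec["path"] for rec in map(parse_avc, text.splitlines()) if rec and "path" in rec]


if __name__ == "__main__":
    for p in paths_in(SAMPLE_AVC):
        print("decoded path:", p)
    for (s, t, c), perms in sorted(summarize(SAMPLE_AVC).items()):
        print(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
```

Decoding the path before deciding on a policy change matters: the (deleted) suffix and the /tmp location tell you which process created the file and under which label, which is the question to answer before adding a blanket allow rule for initrc_tmp_t.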
