fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: Clamd - again...

Re: Clamd - again...

From: Arthur Dent <misc.lists_at_nospam>
Date: Mon Aug 23 2010 - 08:40:38 GMT
To: selinux@lists.fedoraproject.org

On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
> On 08/23/2010 10:09 AM, Arthur Dent wrote:
> > On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
> >> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
> >>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
> >> ----
> > time->Mon Aug 23 08:57:07 2010
> > type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> > type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
>
> This is still an issue:
>
> some process running in the procmail_t domain is running
> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
> but it is not domain transitioning to the clamscan_t domain.

# which clamdscan
/usr/local/bin/clamdscan

# ls -laZ /usr/local/bin/clamdscan
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan

Now, in actual fact, procmail does not call clamdscan directly (it can't
deal with emails), it calls a program called clamassassin which in turn
calls clamdscan.

# ls -laZ /usr/local/bin/clamassassin
-r-xr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamassassin

>
> Policy defines that if a process running in the procmail_t domain runs a
> file labelled clamscan_exec_t, that procmail_t will domain transition to
> clamscan_t domain.
>
> This did not happen on your config.
>
> Either your clamdscan executable file is mislabelled or you are missing
> a domain transition rule.
>
> Where is your "clamdscan" executable file located, and what is it labelled?

see above.

> What does the following return:
>
> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file

# sesearch -SC --allow -s procmail_t -t clamscan_t -c process
Found 1 semantic av rules:
   allow procmail_t clamscan_t : process transition ;

# sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
sesearch: invalid option -- 'f'
Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
[POLICY ...]

        Try sesearch --help for more help.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux