fedora-selinux August 2010 archive

Re: Clamd - again...

From: Dominick Grift <domg472_at_nospam>
Date: Mon Aug 23 2010 - 10:31:23 GMT
To: selinux@lists.fedoraproject.org

On 08/23/2010 12:20 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>> ----
>>>>>>> time->Mon Aug 23 08:57:07 2010
>>>>>>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
>>>>>>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
>>>>>>
>>>>>> This is still an issue:
>>>>>>
>>>>>> some process running in the procmail_t domain is running
>>>>>> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
>>>>>> but it is not domain transitioning to the clamscan_t domain.
>>>>>
>>>>> # which clamdscan
>>>>> /usr/local/bin/clamdscan
>>>>>
>>>>> # ls -laZ /usr/local/bin/clamdscan
>>>>> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan
>>>>>
>>>>> Now, in actual fact, procmail does not call clamdscan directly (it can't
>>>>> deal with emails), it calls a program called clamassassin which in turn
>>>>> calls clamdscan.
>>>>>
>>>>> # ls -laZ /usr/local/bin/clamassassin
>>>>> -r-xr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamassassin
>>>>>
>>>>
>>>> Why are these files located there and not /usr/bin where they are
>>>> expected to be? The files are mislabelled.
>>>
>>> In both cases I compiled from source and accepted the defaults
>>> in ./configure.
>>>
>>> I guess I could try to recompile them in /usr/bin if it is a problem -
>>> but I'm no expert...
>>
>> The problem there is; who knows what other locations owned by these apps
>> differ from the expected locations.
>>
>> Why are you not using redhat supplied packages?
>
> Well I started compiling clam from source about 3 or 4 years ago. I got
> frustrated with the fact that (at that time - I don't know if it's
> better now) it would take sometimes 3-4 weeks after a new release of
> clam before the redhat package became available. In the meantime I would
> have to put up with daily warnings in syslog.
>
> Also, I am often unable to upgrade to the latest Fedora package until it
> is already at end of life (viz - I have only just upgraded to F13 from
> F11) and the clam packages would often not be available at all...
>>
>> As for clamdscan; for now you could try the following to see if it would
>> work if this file is labelled correctly:
>>
>> chcon -t clamscan_exec_t /usr/local/bin/clamdscan
>>
>> See if that makes things work for you
>
> Well I am still getting permission denied...
>
> Latest messages:
>
> ----
> time->Mon Aug 23 11:09:06 2010
> type=SYSCALL msg=audit(1282558146.211:43246): arch=40000003 syscall=11
> success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
> ppid=24933 pid=24934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282558146.211:43246): avc: denied { noatsecure }
> for pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282558146.211:43246): avc: denied { siginh } for
> pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282558146.211:43246): avc: denied { rlimitinh }
> for pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Mon Aug 23 11:12:05 2010
> type=SYSCALL msg=audit(1282558325.997:43259): arch=40000003 syscall=11
> success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
> ppid=24953 pid=24954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282558325.997:43259): avc: denied { noatsecure }
> for pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282558325.997:43259): avc: denied { siginh } for
> pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282558325.997:43259): avc: denied { rlimitinh }
> for pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Mon Aug 23 11:12:06 2010
> type=SYSCALL msg=audit(1282558326.163:43260): arch=40000003 syscall=11
> success=yes exit=0 a0=9d75660 a1=9d75538 a2=9d715b8 a3=9d75538 items=0
> ppid=24956 pid=24960 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282558326.163:43260): avc: denied { noatsecure }
> for pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282558326.163:43260): avc: denied { siginh } for
> pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282558326.163:43260): avc: denied { rlimitinh }
> for pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282558326.163:43260): avc: denied { read } for
> pid=24960 comm="clamdscan" path="/var/spool/mqueue/dfo7NAC5wD024952"
> dev=sda6 ino=14772 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
> ----
> time->Mon Aug 23 11:12:06 2010
> type=SYSCALL msg=audit(1282558326.179:43261): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfcfd440 a2=3 a3=0 items=0 ppid=24956
> pid=24960 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12
> sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282558326.179:43261): avc: denied { connectto }
> for pid=24960 comm="clamdscan" path="/var/run/clamd/clamd.sock"
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> ----
> time->Mon Aug 23 11:12:06 2010
> type=SYSCALL msg=audit(1282558326.209:43262): arch=40000003 syscall=11
> success=yes exit=0 a0=9d75ab0 a1=9d75380 a2=9d715b8 a3=9d75380 items=0
> ppid=24956 pid=24964 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282558326.209:43262): avc: denied { noatsecure }
> for pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282558326.209:43262): avc: denied { siginh } for
> pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282558326.209:43262): avc: denied { rlimitinh }
> for pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for
> pid=24964 comm="clamdscan" path="/var/spool/mqueue/dfo7NAC5wD024952"
> dev=sda6 ino=14772 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
> type=AVC msg=audit(1282558326.209:43262): avc: denied { write } for
> pid=24964 comm="clamdscan" path="/tmp/clamassassinlog.9knHcazJ44"
> dev=sda6 ino=86007 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for
> pid=24964 comm="clamdscan" path="/tmp/clamassassinmsg.fyU9qe9Rn4"
> dev=sda6 ino=67816 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file

This is due to clamassassin not having its own policy currently. You
could probably allow this with audit2allow, but only after the problem
described below is fixed.

> ----
> time->Mon Aug 23 11:12:06 2010
> type=SYSCALL msg=audit(1282558326.213:43263): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bf9e8a30 a2=3 a3=1 items=0 ppid=24956
> pid=24964 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12
> sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282558326.213:43263): avc: denied { connectto }
> for pid=24964 comm="clamdscan" path="/var/run/clamd/clamd.sock"
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Looks like clamd again (or still) runs in the init script domain.
Therefore clamdscan cannot connect to it.

ps auxZ | grep initrc_t

We need to make sure that clamd runs in its own domain.

> ----
> time->Mon Aug 23 11:12:06 2010
> type=SYSCALL msg=audit(1282558326.267:43264): arch=40000003 syscall=11
> success=yes exit=0 a0=9e31dd0 a1=9e334c8 a2=9e33620 a3=9e334c8 items=0
> ppid=24967 pid=24968 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
> exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1282558326.267:43264): avc: denied { noatsecure }
> for pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282558326.267:43264): avc: denied { siginh } for
> pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282558326.267:43264): avc: denied { rlimitinh }
> for pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> ----
> time->Mon Aug 23 11:12:06 2010
> type=SYSCALL msg=audit(1282558326.309:43265): arch=40000003 syscall=5
> success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0
> ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl"
> subj=unconfined_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1282558326.309:43265): avc: denied { read } for
> pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497
> scontext=unconfined_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> ----
> time->Mon Aug 23 11:12:09 2010
> type=SYSCALL msg=audit(1282558329.941:43268): arch=40000003 syscall=300
> success=no exit=-13 a0=9 a1=243c883 a2=bf8d6de0 a3=0 items=0 ppid=1
> pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
> exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
> type=AVC msg=audit(1282558329.941:43268): avc: denied { getattr } for
> pid=1228 comm="rpc.mountd" path="/proc/kcore" dev=proc ino=4026531989
> scontext=system_u:system_r:nfsd_t:s0
> tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> ----
> time->Mon Aug 23 11:12:09 2010
> type=SYSCALL msg=audit(1282558329.947:43269): arch=40000003 syscall=5
> success=no exit=-13 a0=243b978 a1=8000 a2=0 a3=243b938 items=0 ppid=1
> pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
> exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
> type=AVC msg=audit(1282558329.947:43269): avc: denied { read } for
> pid=1228 comm="rpc.mountd" name="sda8" dev=devtmpfs ino=5613
> scontext=system_u:system_r:nfsd_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> ----
>
>
>
>>>>
>>>>>>
>>>>>> Policy defines that if a process running in the procmail_t domain runs a
>>>>>> file labelled clamscan_exec_t, that procmail_t will domain transition to
>>>>>> clamscan_t domain.
>>>>>>
>>>>>> This did not happen on your config.
>>>>>>
>>>>>> Either your clamdscan executable file is mislabelled or you are missing
>>>>>> a domain transition rule.
>>>>>>
>>>>>> Where is your "clamdscan" executable file located, and what is it labelled?
>>>>>
>>>>> see above.
>>>>>
>>>>>> What does the following return:
>>>>>>
>>>>>> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>>>>> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>>>>
>>>>> # sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>>>> Found 1 semantic av rules:
>>>>> allow procmail_t clamscan_t : process transition ;
>>>>>
>>>>> # sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>>>> sesearch: invalid option -- 'f'
>>>>> Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
>>>>> [POLICY ...]
>>>>>
>>>>> Try sesearch --help for more help.
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
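The triage Dominick does by eye in this thread, written out as a small script: spot a program whose AVC source domain is not the one policy should have transitioned it into (the mislabelled-executable symptom, clamdscan still in procmail_t), spot a connectto denial whose target is initrc_t (the daemon never left the init script domain), and print the persistent form of the chcon suggested earlier. This is an added example, not code from the thread or from the clamav or clamassassin projects. The three audit records inside it are constructed after the ones quoted above, the comm-to-domain table is an assumption for the example, and /usr/local/sbin/clamd is an assumed install path for the self-compiled daemon. The semanage/restorecon lines are printed rather than executed, since they need root on an SELinux system:

```sh
#!/bin/sh
# Added example, not code from the thread: triage SELinux AVC denials for
# the two failure modes discussed above and print the persistent relabel.
# The three audit records below are constructed for this example after the
# ones quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1282558326.179:43261): avc: denied { connectto } for pid=24960 comm="clamdscan" path="/var/run/clamd/clamd.sock" scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for pid=24964 comm="clamdscan" path="/tmp/clamassassinmsg.fyU9qe9Rn4" dev=sda6 ino=67816 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file'

# Domain each program should run in once its executable is labelled
# correctly (assumption for the example; confirm with sesearch on a real box).
EXPECTED_DOMAINS='clamdscan clamscan_t
clamscan clamscan_t
clamd clamd_t
spamc spamc_t'

# avc_field LINE KEY: value of KEY=... in an audit record, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Report "comm actual_domain expected_domain" for every record whose source
# domain is not the one policy should have transitioned the program into
# (the symptom of a mislabelled executable, as with clamdscan in bin_t).
missing_transitions() {
  printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
    comm=$(avc_field "$line" comm)
    sdom=$(avc_field "$line" scontext | cut -d: -f3)
    want=$(printf '%s\n' "$EXPECTED_DOMAINS" | awk -v c="$comm" '$1 == c { print $2 }')
    if [ -n "$want" ] && [ "$sdom" != "$want" ]; then
      echo "$comm $sdom $want"
    fi
  done
}

# Report the socket path of every connect(to) denial whose target is
# initrc_t: the daemon listening there never left the init script domain,
# so no confined client domain is allowed to talk to it.
daemons_in_initrc() {
  printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
    case "$line" in
      *"{ connectto }"*|*"{ connect }"*) ;;
      *) continue ;;
    esac
    if [ "$(avc_field "$line" tcontext | cut -d: -f3)" = initrc_t ]; then
      avc_field "$line" path
    fi
  done
}

# relabel_fix PATH TYPE: the persistent form of the chcon suggested in the
# thread. A chcon is lost on the next relabel; a semanage fcontext rule is
# not. Printed rather than run: needs root on an SELinux system.
relabel_fix() {
  printf 'semanage fcontext -a -t %s "%s"\nrestorecon -v "%s"\n' "$2" "$1" "$1"
}

echo "== programs running in the wrong domain (comm actual expected) =="
missing_transitions
echo "== sockets whose daemon is stuck in initrc_t =="
daemons_in_initrc
echo "== persistent relabel for the self-compiled binaries (run as root) =="
relabel_fix /usr/local/bin/clamdscan clamscan_exec_t
relabel_fix /usr/local/sbin/clamd clamd_exec_t   # install path assumed
```

Run it with `sh triage.sh`. The daemon check answers the same question as `ps auxZ | grep initrc_t` on a live box: a daemon only transitions out of initrc_t when the init script executes a file labelled with its own entry type, so a self-compiled clamd in bin_t stays in initrc_t and every clamdscan connect is denied no matter how clamdscan itself is labelled. Fix the labels first and restart the service; only the denials that remain afterwards (the procmail_tmp_t reads and writes from clamassassin) are candidates for audit2allow.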