fedora-selinux August 2010 archive

Re: Clamd - again...

From: Arthur Dent <misc.lists_at_nospam>
Date: Mon Aug 23 2010 - 22:20:44 GMT
To: selinux@lists.fedoraproject.org

On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:

> open your ~/myclamd/myclamd.te file and append the following:
>
> gen_require(`
> type clamscan_t;
> ')
>
> procmail_rw_tmp_files(clamscan_t)
> mta_read_queue(clamscan_t)
>
>
> Then rebuild the binary representation and reinstall it:
>
> cd ~/myclamd;
> make -f /usr/share/selinux/devel/Makefile myclamd.pp
> sudo semodule -i myclamd.pp

I'm sorry to be a nuisance Dominick, but I'm afraid there's another
problem.

Many people, including myself, who use clamd run a program called
clamdwatch to monitor the fact that the clamd daemon is alive and well.

This basically works by sending the Eicar virus to clamd and if it
doesn't get back the expected virus warning it assumes clamd is dead and
tries to restart it.

I have it running from a cron job:
*/10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )

At the moment, every time this runs it restarts clamd.

Here is the associated avc (still with semanage -DB).

----
time->Mon Aug 23 23:10:02 2010
type=SYSCALL msg=audit(1282601402.200:45477): arch=40000003 syscall=33 success=no exit=-13 a0=a5600488 a1=4 a2=a61ff1fc a3=44 items=0 ppid=1 pid=30729 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=1341 comm="clamd" exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1282601402.200:45477): avc: denied { read } for pid=30729 comm="clamd" name="clamdwatch-Hv4FZ1XIhEGihCAR" dev=sda6 ino=86007 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----

> Next rebuild the policy with the hidden denials loaded.
>
> sudo semodule -B

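Added example, not part of the original message or of the myclamd module discussed in it: a small Python parser for `avc: denied` records like the one posted above, which groups denials by source type, target type and class and prints the raw allow rule each group corresponds to. The function names and the embedded sample are assumptions of this example; the output only describes what was denied, and whether to grant it or relabel the file is left to the policy author.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the message above, on one line.
SAMPLE = ('type=AVC msg=audit(1282601402.200:45477): avc: denied { read } for '
          'pid=30729 comm="clamd" name="clamdwatch-Hv4FZ1XIhEGihCAR" dev=sda6 '
          'ino=86007 scontext=unconfined_u:system_r:clamd_t:s0 '
          'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {'source': source, 'target': target, 'class': tclass,
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'), 'name': fields.get('name')}

def summarize(text):
    """Merge permissions of all denials sharing (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d['source'], d['target'], d['class'])].update(d['perms'])
    return rules

def to_allow_rules(rules):
    """Render each group in policy-language allow syntax."""
    out = []
    for (source, target, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {source} {target}:{tclass} {perm_str};')
    return out

if __name__ == '__main__':
    for rule in to_allow_rules(summarize(SAMPLE)):
        print(rule)
```
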