fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: Clamd - again...

Re: Clamd - again...

From: Dominick Grift <domg472_at_nospam>
Date: Tue Aug 24 2010 - 06:41:49 GMT
To: selinux@lists.fedoraproject.org

On 08/24/2010 12:20 AM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
>
>> open your ~/myclamd/myclamd.te file and append the following:
>>
>> gen_require(`
>> type clamscan_t;
>> ')
>>
>> procmail_rw_tmp_files(clamscan_t)
>> mta_read_queue(clamscan_t)
>>
>>
>> Then rebuild be binary representation and reinstall it:
>>
>> cd ~/myclamd;
>> make -f /usr/share/selinux/devel/Makefile myclamd.pp
>> sudo semodule -i myclamd.pp
>
> I'm sorry to be a nuisance Dominick, but I'm afraid there's another
> problem.
>
> Many people, including myself, who use clamd run a program called
> clamdwatch to monitor the fact that the clamd daemon is alive and well.
>
> This basically works by sending the Eicar virus to clamd and if it
> doesn't get back the expected virus warning it assumes clamd is dead and
> tries to restart it.
>
> I have it running from a cron job:
> */10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
>
> At the moment, every time this runs it restarts clamd.
>
> Here is the associated avc (still with semanage -DB).

i guess you could chcon the file from the cronjob to use a type that
clamd_t can access. for example append chcon -t clamd_tmp_t /tmp/clamdwatch*

That would be a workaround.

The other approach is to write policy for clamdwatch.

Another approach which is not encouraged is to allow clamd_t access to
user temporary content.

What package provides this app? and why is it in the admin directory?

> ----
> time->Mon Aug 23 23:10:02 2010
> type=SYSCALL msg=audit(1282601402.200:45477): arch=40000003 syscall=33
> success=no exit=-13 a0=a5600488 a1=4 a2=a61ff1fc a3=44 items=0 ppid=1
> pid=30729 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
> sgid=503 fsgid=503 tty=(none) ses=1341 comm="clamd"
> exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
> key=(null)
> type=AVC msg=audit(1282601402.200:45477): avc: denied { read } for
> pid=30729 comm="clamd" name="clamdwatch-Hv4FZ1XIhEGihCAR" dev=sda6
> ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> ----
>
>
>> Next rebuild the policy with the hidden denials loaded.
>>
>> sudo semodule -B
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux