Clamd - again...
Dominick Grift
domg472 at gmail.com
Mon Aug 23 08:29:19 UTC 2010
On 08/23/2010 10:09 AM, Arthur Dent wrote:
> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>
>> snip...
>>
>>> My first guess is that you have mislabeled files. Try to relabel your
>>> file system and then try again from scratch, then if you get any AVC
>>> denials please send them here.
>>
>> OK - Fair point. In fact, now you come to mention it, I have done a lot
>> of copying from my F11 setup and a lot of other configuration and
>> haven't done a relabel since about half way through my implementation.
>>
>> Yesterday I updated with yum and it delivered:
>> selinux-policy-3.7.19-47.fc13.noarch
>> selinux-policy-targeted-3.7.19-47.fc13.noarch
>>
>> So now might be a good time for a relabel...
>>
>> I will report back (probably tomorrow).
>
> Well this is interesting...
>
> Since unloading my custom clamd module and relabelling I have had NO
> avcs! - Not one.
>
> Clamd is still being blocked however, so I have now activated the
> semodule -DB thing...
>
> No AVCs have been produced (in the sense that no setroubleshoot emails
> have been produced), but here is the output of
> ausearch -m avc -ts recent :
>
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0 a0=9297fe0 a1=9297c90 a2=9297008 a3=929a1e8 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1282550222.014:42728): avc: denied { siginh } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1282550222.014:42728): avc: denied { rlimitinh } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> ----
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.302:42730): arch=40000003 syscall=33 success=no exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=86b4088 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.302:42730): avc: denied { write } for pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.304:42731): arch=40000003 syscall=33 success=no exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=87f9398 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.304:42731): avc: denied { write } for pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe490a0 a2=3 a3=0 items=0 ppid=23912 pid=23916 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
This is still an issue:
some process running in the procmail_t domain is running
/usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
but it is not domain transitioning to the clamscan_t domain.
Policy defines that if a process running in the procmail_t domain runs a
file labelled clamscan_exec_t, procmail_t will domain transition to the
clamscan_t domain.
This did not happen on your config.
Either your clamdscan executable file is mislabelled or you are missing
a domain transition rule.
Where is your "clamdscan" executable file located, and what is it labelled?
What does the following return:
sesearch -SC --allow -s procmail_t -t clamscan_t -c process
sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0 a0=8e92dd0 a1=8e95760 a2=8e95888 a3=8e95760 items=0 ppid=23925 pid=23926 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1282550227.096:42735): avc: denied { noatsecure } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282550227.096:42735): avc: denied { siginh } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282550227.096:42735): avc: denied { rlimitinh } for pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> ----
> time->Mon Aug 23 08:57:06 2010
> type=SYSCALL msg=audit(1282550226.692:42732): arch=40000003 syscall=11 success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0 ppid=23909 pid=23910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550226.692:42732): avc: denied { noatsecure } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282550226.692:42732): avc: denied { siginh } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282550226.692:42732): avc: denied { rlimitinh } for pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.209:42736): arch=40000003 syscall=5 success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0 ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1282550227.209:42736): avc: denied { read } for pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
>
> Audit2allow produced some funny stuff when I tried to run this through it,
> so I think it is best if you take a look at it!
>
> Thanks again.
>
> Mark
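An added triage script, written for this page and not code from the thread or either participant, that applies Dominick's reasoning to `ausearch -m avc` output: it groups SYSCALL and AVC records by audit serial, sets aside the noatsecure/siginh/rlimitinh records that only appear because `semodule -DB` disabled the dontaudit rules, and flags a denial where the executable ran in a different domain than the one a domain transition should have produced. The sample records are constructed, shortened copies of the quoted ones, and the expected-domain table (clamdscan should run in clamscan_t) is an assumption taken from the explanation above.

```python
import re
# Constructed sample: two shortened records modelled on the quoted ausearch output.
SAMPLE = """\
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no exit=-13 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
"""
# Permissions the reference policy normally dontaudits: they show up only because
# `semodule -DB` disabled those rules, and are not what breaks a program.
DONTAUDIT_NOISE = {"noatsecure", "siginh", "rlimitinh"}
# Assumption: executable path -> domain its exec type's transition should produce.
EXPECTED_DOMAIN = {"/usr/local/bin/clamdscan": "clamscan_t"}
REC = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
KV = re.compile(r'(\w+)="?([^"\s]+)"?')
def domain(ctx):
    return ctx.split(":")[2]  # type field of user:role:type[:range]
def parse(text):
    """Group SYSCALL and AVC records by audit serial; tolerates '> ' mail quoting."""
    events = {}
    for line in text.splitlines():
        m = REC.match(line.lstrip("> "))
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"avc": []})
        if rtype == "SYSCALL":
            ev.update(dict(KV.findall(body)))  # success, exe, subj, comm, ...
        elif rtype == "AVC":
            perms = re.search(r"\{ (.*?) \}", body).group(1).split()
            ev["avc"].append({"perms": perms, **dict(KV.findall(body))})
    return events

def triage(events):
    """Label each AVC: dontaudit noise, a missing domain transition, or a plain denial."""
    out = []
    for serial, ev in sorted(events.items()):
        for avc in ev["avc"]:
            if ev.get("success") == "yes" and set(avc["perms"]) <= DONTAUDIT_NOISE:
                out.append((serial, "noise", avc["perms"]))
                continue
            subj, want = domain(avc["scontext"]), EXPECTED_DOMAIN.get(ev.get("exe"))
            if want and want != subj:
                out.append((serial, "missing-transition", f"{ev['exe']} ran in {subj}, expected {want}"))
            else:
                out.append((serial, "denied", f"{subj} -> {domain(avc['tcontext'])} {avc['tclass']}"))
    return out
```

Run on the real `ausearch -m avc -ts recent` output, a "missing-transition" row is the cue to check the executable's label with `ls -alZ` and the transition rules with `sesearch`, as the reply asks.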