Clamd - again...

Dominick Grift domg472 at gmail.com
Mon Aug 23 08:29:19 UTC 2010


On 08/23/2010 10:09 AM, Arthur Dent wrote:
> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>
>> snip...
>>
>>> My first guess is that you have mislabeled files. Try to relabel your
>>> file system and then try again from scratch, then if you get any AVC
>>> denials please send them here.
>>
>> OK - Fair point. In fact, now you come to mention it, I have done a lot
>> of copying from my F11 setup and a lot of other configuration and
>> haven't done a relabel since about half way through my implementation.
>>
>> Yesterday I updated with yum and it delivered:
>> selinux-policy-3.7.19-47.fc13.noarch
>> selinux-policy-targeted-3.7.19-47.fc13.noarch
>>
>> So now might be a good time for a relabel...
>>
>> I will report back (probably tomorrow).
> 
> Well this is interesting...
> 
> Since unloading my custom clamd module and relabelling I have had NO
> avcs! - Not one.
> 
> Clamd is still being blocked however, so I have now activated the
> semodule -DB thing...
> 
> No AVCs have been produced (in the sense that no setroubleshoot emails
> have been produced), but here is the output of 
> ausearch -m avc -ts recent :
> 
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0 a0=9297fe0 a1=9297c90 a2=9297008 a3=929a1e8 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.014:42728): avc:  denied  { noatsecure } for  pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1282550222.014:42728): avc:  denied  { siginh } for  pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1282550222.014:42728): avc:  denied  { rlimitinh } for  pid=23901 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> ----
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.302:42730): arch=40000003 syscall=33 success=no exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=86b4088 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.302:42730): avc:  denied  { write } for  pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:02 2010
> type=SYSCALL msg=audit(1282550222.304:42731): arch=40000003 syscall=33 success=no exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=87f9398 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1282550222.304:42731): avc:  denied  { write } for  pid=23901 comm="setroubleshootd" name="rpm" dev=sda6 ino=203 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe490a0 a2=3 a3=0 items=0 ppid=23912 pid=23916 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.040:42733): avc:  denied  { search } for  pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.058:42734): avc:  denied  { search } for  pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir

This is still an issue:

Some process running in the procmail_t domain is running
/usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
but it is not domain transitioning to the clamscan_t domain.

Policy defines that if a process running in the procmail_t domain runs a
file labelled clamscan_exec_t, procmail_t will domain transition to the
clamscan_t domain.

This did not happen on your config.

Either your clamdscan executable file is mislabelled or you are missing
a domain transition rule.

Where is your "clamdscan" executable file located, and what is it labelled?

What does the following return:

sesearch -SC --allow -s procmail_t -t clamscan_t -c process
sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file

> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0 a0=8e92dd0 a1=8e95760 a2=8e95888 a3=8e95760 items=0 ppid=23925 pid=23926 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1282550227.096:42735): avc:  denied  { noatsecure } for  pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282550227.096:42735): avc:  denied  { siginh } for  pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282550227.096:42735): avc:  denied  { rlimitinh } for  pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process
> ----
> time->Mon Aug 23 08:57:06 2010
> type=SYSCALL msg=audit(1282550226.692:42732): arch=40000003 syscall=11 success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0 ppid=23909 pid=23910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550226.692:42732): avc:  denied  { noatsecure } for  pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282550226.692:42732): avc:  denied  { siginh } for  pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282550226.692:42732): avc:  denied  { rlimitinh } for  pid=23910 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.209:42736): arch=40000003 syscall=5 success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0 ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1282550227.209:42736): avc:  denied  { read } for  pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> 
> Audit2allow produce some funny stuff when I tried to run this through it
> so I think it is best if you take a look at it!
> 
> Thanks again.
> 
> Mark


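The check Dominick describes (did the exec of clamdscan land in clamscan_t, or is it still in procmail_t?) can be done offline from the raw ausearch output alone. The following POSIX sh/awk script is an added example and not part of the thread or of any SELinux tool: it joins each AVC record with the SYSCALL record that shares its audit serial, takes the executable path from the SYSCALL record's exe= field and the domain it actually ran in from subj=, and reports any executable whose domain is not the one it should have transitioned to. The sample records are constructed from the ones quoted above, trimmed to the fields used; the expected-domain map is an assumption (the clamdscan entry follows the clamscan_exec_t -> clamscan_t rule described in the mail, the spamc entry the spamc_t domain visible in the quoted records).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: find executables that ran
# without the domain transition the policy should have given them, using only
# the AVC and SYSCALL records that "ausearch -m avc" prints in raw (no -i)
# format. Runs offline; it tells you which path to check with ls -Z/sesearch.

# Constructed sample modelled on the records quoted above, trimmed to the
# fields used here. Serial 42733: clamdscan still in procmail_t (no
# transition). Serial 42735: spamc already in spamc_t, so the transition
# happened; noatsecure/siginh/rlimitinh are audited at the transition itself.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no exit=-13 ppid=23912 pid=23916 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.040:42733): avc:  denied  { search } for  pid=23916 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0 ppid=23925 pid=23926 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282550227.096:42735): avc:  denied  { noatsecure } for  pid=23926 comm="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=process'

# Hypothetical map: executable basename=domain it must end up in. The
# clamdscan entry follows the rule described in the mail (clamscan_exec_t
# entrypoint -> clamscan_t); spamc_t is the domain spamc runs in above.
EXPECTED_DOMAINS='clamdscan=clamscan_t spamc=spamc_t'

# find_missing_transitions AUDIT_TEXT
# Prints one line per AVC record whose executable ran in the wrong domain:
#   PATH ran in DOMAIN (expected DOMAIN): denied PERM on TARGET_TYPE
find_missing_transitions() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_DOMAINS" '
    # key=value field from an audit record (value runs to the next space,
    # surrounding quotes removed); "" if the key is absent.
    function field(line, key,    m) {
        if (!match(line, "[ (]" key "=[^ ]*")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub("^[ (]" key "=", "", m); gsub(/"/, "", m)
        return m
    }
    # audit serial: msg=audit(1282550227.040:42733) -> 42733
    function serial(line,    m) {
        if (!match(line, /audit\([0-9.]+:[0-9]+\)/)) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/.*:/, "", m); sub(/\)/, "", m)
        return m
    }
    # permission inside "{ search }"
    function perm(line) {
        if (!match(line, /[{] [a-z_ ]+ [}]/)) return ""
        return substr(line, RSTART + 2, RLENGTH - 4)
    }
    # type component of user:role:type:level
    function ctx_type(ctx,    p) { split(ctx, p, ":"); return p[3] }
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    # SYSCALL carries the binary and the domain the process actually ran in.
    /^type=SYSCALL/ { id = serial($0); exe[id] = field($0, "exe"); subj[id] = field($0, "subj") }
    # AVC lines are collected per serial; audit.log may list them before or
    # after their SYSCALL record, so the join is done at the end.
    /^type=AVC/ { id = serial($0); if (!(id in avc)) order[++k] = id; avc[id] = avc[id] $0 "\n" }
    END {
        for (i = 1; i <= k; i++) {
            id = order[i]; path = exe[id]; base = path; sub(/.*\//, "", base)
            if (!(base in want)) continue
            dom = ctx_type(subj[id])
            if (dom == want[base]) continue        # transition happened
            m = split(avc[id], lines, "\n")
            for (j = 1; j <= m; j++) if (lines[j] != "")
                printf "%s ran in %s (expected %s): denied %s on %s\n",
                    path, dom, want[base], perm(lines[j]),
                    ctx_type(field(lines[j], "tcontext"))
        }
    }'
}

# On a live system: find_missing_transitions "$(ausearch -m avc -ts recent)"
find_missing_transitions "$SAMPLE_AUDIT"
```

A flagged line gives you the path to feed to the two checks in the mail: ls -Z on that exact path (the exe= field records what was actually executed, which need not be the packaged binary) to confirm it carries the entrypoint type, and sesearch for the process transition and file execute rules from the source domain. An executable that is already in its expected domain is skipped even when it appears in AVC records, which keeps the harmless noatsecure/siginh/rlimitinh audits at a successful transition out of the report.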