Clamd - again...

Dominick Grift domg472 at gmail.com
Mon Aug 23 18:50:15 UTC 2010 

On 08/23/2010 08:41 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 13:20 +0200, Dominick Grift wrote:
>> On 08/23/2010 01:12 PM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
> 
> 
>>
>> Well now clamd runs in the proper domain but it is denied to read
>> generic files in /usr/share.
>>
>> Basically likely another side effect of using a custom package.
>>
>> Here is how to allow it:
>>
>> mkdir ~/myclamd; cd ~/myclamd;
>> echo "policy_module(myclamd, 1.0.0)" > myclamd.te;
>> echo "gen_require(\`" >> myclamd.te;
>> echo "type clamd_t;" >> myclamd.te;
>> echo "')" >> myclamd.te;
>> echo "files_read_usr_files(clamd_t)" >> myclamd.te;
>>
>> make -f /usr/share/selinux/devel/Makefile myclamd.pp
>> sudo semodule -i myclamd.pp
>>
>> But expect more issues after this
> 
> Well that certainly seemed to work - at least to the extent that clamd
> restarted OK this time - and now messages are being checked with it and
> I am no longer getter permission denied messages. So progress!
> 
> There are still some avcs:
> 
> ----
> time->Mon Aug 23 19:36:08 2010
> type=SYSCALL msg=audit(1282588568.794:44819): arch=40000003 syscall=11
> success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
> ppid=27824 pid=27825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282588568.794:44819): avc:  denied  { noatsecure }
> for  pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282588568.794:44819): avc:  denied  { siginh } for
> pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282588568.794:44819): avc:  denied  { rlimitinh }
> for  pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Mon Aug 23 19:36:09 2010
> type=SYSCALL msg=audit(1282588569.206:44820): arch=40000003 syscall=11
> success=yes exit=0 a0=9dfd660 a1=9dfd538 a2=9df95b8 a3=9dfd538 items=0
> ppid=27827 pid=27831 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282588569.206:44820): avc:  denied  { noatsecure }
> for  pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282588569.206:44820): avc:  denied  { siginh } for
> pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282588569.206:44820): avc:  denied  { rlimitinh }
> for  pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282588569.206:44820): avc:  denied  { read } for
> pid=27831 comm="clamdscan" path="/var/spool/mqueue/dfo7NIa8Pw027823"
> dev=sda6 ino=29025 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
> ----
> time->Mon Aug 23 19:36:09 2010
> type=SYSCALL msg=audit(1282588569.311:44821): arch=40000003 syscall=11
> success=yes exit=0 a0=9dfcb40 a1=9dfcae8 a2=9df95b8 a3=9dfcae8 items=0
> ppid=27827 pid=27835 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282588569.311:44821): avc:  denied  { noatsecure }
> for  pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282588569.311:44821): avc:  denied  { siginh } for
> pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282588569.311:44821): avc:  denied  { rlimitinh }
> for  pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282588569.311:44821): avc:  denied  { read } for
> pid=27835 comm="clamdscan" path="/var/spool/mqueue/dfo7NIa8Pw027823"
> dev=sda6 ino=29025 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
> type=AVC msg=audit(1282588569.311:44821): avc:  denied  { write } for
> pid=27835 comm="clamdscan" path="/tmp/clamassassinlog.oeoLKk3sph"
> dev=sda6 ino=86007 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> type=AVC msg=audit(1282588569.311:44821): avc:  denied  { read } for
> pid=27835 comm="clamdscan" path="/tmp/clamassassinmsg.hx0zrEnf40"
> dev=sda6 ino=85937 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> ----
> time->Mon Aug 23 19:36:09 2010
> type=SYSCALL msg=audit(1282588569.400:44822): arch=40000003 syscall=11
> success=yes exit=0 a0=8281dd0 a1=8281020 a2=8283650 a3=8281020 items=0
> ppid=27839 pid=27840 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
> exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1282588569.400:44822): avc:  denied  { noatsecure }
> for  pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282588569.400:44822): avc:  denied  { siginh } for
> pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282588569.400:44822): avc:  denied  { rlimitinh }
> for  pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> ----
> time->Mon Aug 23 19:36:09 2010
> type=SYSCALL msg=audit(1282588569.460:44823): arch=40000003 syscall=5
> success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0
> ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl"
> subj=unconfined_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1282588569.460:44823): avc:  denied  { read } for
> pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497
> scontext=unconfined_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> 
> 
> Not sure if they're serious or not...
> 
> Thanks again for all your help so far. Much appreciated.
> 
> Mark
> 
> 

open your ~/myclamd/myclamd.te file and append the following:

gen_require(`
	type clamscan_t;
')

procmail_rw_tmp_files(clamscan_t)
mta_read_queue(clamscan_t)


Then rebuild be binary representation and reinstall it:

cd ~/myclamd;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp

Next rebuild the policy with the hidden denials loaded.

sudo semodule -B

> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100823/c3eaf58f/attachment.bin

More information about the selinux mailing list