Clamd - again...

Arthur Dent misc.lists at blueyonder.co.uk
Wed Aug 25 21:07:47 UTC 2010


On Wed, 2010-08-25 at 22:47 +0200, Dominick Grift wrote:
> On 08/25/2010 10:42 PM, Arthur Dent wrote:
> 
> > 
> > These are avcs I have collected today. I have made no attempt to remove
> > duplicates and some of them probably relate to when I was playing with
> > the clamdwatch problem...
> 
> > type=AVC msg=audit(1282693685.536:49993): avc:  denied  { read } for
> > pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ELpNsCwoK2" dev=sda6
> > ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
> > tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> > ----
> 
> I thought we allowed this already?
> 
> add that to myclamd.te, then rebuild, reinstall
> 
> all the other denials can be ignored. (hidden)
> 
> procmail_rw_tmp_files(clamd_t)

procmail_rw_tmp_files(clamd_t) is not in myclamd.te but
procmail_rw_tmp_files(clamscan_t) is.

Should I alter, add, or replace it?

i.e. should I have both or just the clamd_t one?

While I have been writing this I have had a tail -f running on the
clamd.log file. At 21:50 I got this message in the clamd.log:

Wed Aug 25 21:51:11 2010 -> WARNING: Control message truncated, no control data received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Wed Aug 25 21:51:11 2010 -> WARNING: Error condition on fd 9

These are the AVCs at the corresponding time:

----
time->Wed Aug 25 21:51:10 2010
type=SYSCALL msg=audit(1282769470.861:53248): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=25769 pid=25770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282769470.861:53248): avc:  denied  { noatsecure }
for  pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282769470.861:53248): avc:  denied  { siginh } for
pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282769470.861:53248): avc:  denied  { rlimitinh }
for  pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Wed Aug 25 21:51:10 2010
type=SYSCALL msg=audit(1282769470.982:53249): arch=40000003 syscall=11
success=yes exit=0 a0=8b3c660 a1=8b3c538 a2=8b385b8 a3=8b3c538 items=0
ppid=25772 pid=25776 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282769470.982:53249): avc:  denied  { noatsecure }
for  pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc:  denied  { siginh } for
pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc:  denied  { rlimitinh }
for  pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.032:53250): arch=40000003 syscall=11
success=yes exit=0 a0=8b3bb40 a1=8b3bae8 a2=8b385b8 a3=8b3bae8 items=0
ppid=25772 pid=25780 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282769471.032:53250): avc:  denied  { noatsecure }
for  pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769471.032:53250): avc:  denied  { siginh } for
pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769471.032:53250): avc:  denied  { rlimitinh }
for  pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.036:53251): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282769471.036:53251): avc:  denied  { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Vl92TPjc8V" dev=sda6
ino=86064 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.055:53252): arch=40000003 syscall=11
success=yes exit=0 a0=866bdd0 a1=866d4f0 a2=866d670 a3=866d4f0 items=0
ppid=25783 pid=25784 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282769471.055:53252): avc:  denied  { noatsecure }
for  pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282769471.055:53252): avc:  denied  { siginh } for
pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282769471.055:53252): avc:  denied  { rlimitinh }
for  pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.092:53253): arch=40000003 syscall=5
success=no exit=-13 a0=f75a29 a1=80000 a2=1b6 a3=f759c5 items=0
ppid=17891 pid=17892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1959 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282769471.092:53253): avc:  denied  { read } for
pid=17892 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
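
Added example (not part of the original message, and not code from the poster or the SELinux project): a small Python triage script that collapses wrapped AVC records like those above into one line per source type, target type and class, so the clamd_t read on procmail_tmp_t stands out from the repeated process-class denials. Treating noatsecure, siginh and rlimitinh as the ignorable group follows the "(hidden)" remark in the quoted reply and is an assumption of this example; the sample input is an excerpt of the records quoted in this message.

```python
import re
from collections import defaultdict

# Excerpt of the audit records quoted in the message above, wrapped as mailed.
SAMPLE = """\
type=AVC msg=audit(1282769470.982:53249): avc:  denied  { noatsecure }
for  pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc:  denied  { siginh } for
pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
type=AVC msg=audit(1282769471.036:53251): avc:  denied  { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Vl92TPjc8V" dev=sda6
ino=86064 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1282769471.092:53253): avc:  denied  { read } for
pid=17892 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# \s+ also matches newlines, so records wrapped by the mailer still parse.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)", re.S)
# Assumption of this example: exec-time inheritance checks form the ignorable group.
INHERIT_PERMS = {"noatsecure", "siginh", "rlimitinh"}

def summarize(text):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for perms, sctx, tctx, tclass in AVC_RE.findall(text):
        key = (sctx.split(":")[2], tctx.split(":")[2], tclass)  # user:role:type:level
        rules[key].update(perms.split())
    return dict(rules)

def split_rules(rules):
    """Separate process inheritance denials from denials that need a decision."""
    ignorable, review = {}, {}
    for key, perms in rules.items():
        bucket = ignorable if key[2] == "process" and perms <= INHERIT_PERMS else review
        bucket[key] = perms
    return ignorable, review

if __name__ == "__main__":
    ignorable, review = split_rules(summarize(SAMPLE))
    for label, group in (("review", review), ("ignorable", ignorable)):
        for (s, t, c), perms in group.items():
            print(f"{label}: {s} -> {t}:{c} {{ {' '.join(sorted(perms))} }}")
```

Entries in the review group still need a per-rule decision; the script only groups them and does not propose policy.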


