rc.local question/problem (partly solved w/ setenforce=0)

Paul Allen Newell pnewell at cs.cmu.edu
Mon Jul 4 02:00:41 UTC 2011


inline and at tail ...

On 7/3/2011 6:22 PM, Cameron Simpson wrote:
> On 03Jul2011 17:35, Paul Allen Newell <pnewell at cs.cmu.edu> wrote:
>
>
> My habit for a virus scanner would be sbin; these days bin is for general
> purpose commands while sbin is for administrative commands (eg setenforce)
> and daemons (eg sshd).
>
> [...]

Reading FHS 2.3 seems to consider bin "local binaries" and sbin "local 
system binaries". Going up to /usr/bin and /usr/sbin seems to be 
"primary" vs "non-essential" respectively. Given that it is embedded in 
rc.local, it doesn't seem non-essential as errors will occur if it is not 
there. That being said, it sure looks academic so long as it is in 
/usr/local/{bin,sbin}.

> [...]
>
> | I have been reading up about rules and audit2allow.
> | [...]
> |
>
> I expect it varies depending on what clamscan thinks it needs to scan
> each time.
>
> Do you run prelink? It hacks binaries about on a regular basis and may
> be causing clamscan to be more active.

If I am running prelink, I don't know it. Your "varies" comment makes 
sense and I am not paying too much attention to it right now.

> | [...]
> |
> | My first question is whether there is a way to go "allow clamscan_t *
> | {read open search getattr}" so that clamscan will have permission to
> | examine anything on the system (which is what I would want with a virus
> | scan, right?).
>
> That's what I would look for. I am not an selinux guru and can't help
> you with the syntax there, but I would think you're on the right track
> with that rule.

Making sure I am correct that it will understand "clamscan_t" and the 
wild card are not showing up in the docs from selinuxpolicy.org and I 
ain't seeing anything in related links when googling. I'll give it 
another round before posting a new thread explicitly on that with the 
hopes that some selinux gurus see. You certainly know enough to have 
gotten me to the point of "something working" ... many thanks !!!

> [...]
>
> | The second question is why wouldn't selinux be defaulted to allow clamav
> | given that's what Fedora seems to be suggesting/using?
>
> Maybe it is, if it runs from /etc/init.d or something. Is clamav a
> fedora supplied package? If so, why is it run from rc.local instead of
> via a conventional presupplied chkconfig-controlled start/stop script?
>
It isn't part of the default "fresh" install, so I have to yum install 
it after. I remember seeing a Fedora draft doc talking about security 
and clamav, implying that it made sense to incorporate clamav into 
Fedora, but I can't find it now. The best I can spot is a reference to 
it in https://fedoraproject.org/wiki/SecurityBasics that says it's in 
Fedora Extras. My goal is to get email up and running (rather than 
relying on Windows) and I wanted to try to sort out best defense 
available that meshed with Fedora.

The choice of rc.local is mine as I want it to happen at least once per 
time I use this F14 computer and don't want to have to su to root and 
manually run each time.

I've seen mention of chkconfig but know nothing about it ... and haven't 
been able to see any reason why rc.local isn't a reasonable choice for 
doing freshclam and clamscan.

Once again, your help is very appreciated. I think I am actually 
up-and-running and just need to figure out how to do it cleaner.

Paul
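
The audit2allow step discussed above, as an added example that is not part of the original message: it groups the AVC denials logged for clamscan_t by target type and class and emits one allow rule per group. The log lines are constructed samples, and `denials_to_rules` and `selinux_type` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1309744841.101:51): avc:  denied  { read } for  pid=1402 comm="clamscan" name="notes.txt" dev=dm-0 ino=2101 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1309744841.101:51): arch=c000003e syscall=2 success=no exit=-13 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1309744841.140:52): avc:  denied  { open } for  pid=1402 comm="clamscan" name="notes.txt" dev=dm-0 ino=2101 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309744842.007:53): avc:  denied  { search } for  pid=1402 comm="clamscan" name="root" dev=dm-0 ino=17 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1309744842.350:54): avc:  denied  { getattr } for  pid=1402 comm="clamscan" path="/etc/shadow" dev=dm-0 ino=933 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1309744843.000:55): avc:  denied  { read } for  pid=2200 comm="httpd" name="x" dev=dm-0 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type[:level]; the type is always the third field.
    return context.split(":")[2]

def denials_to_rules(log_text, source_type="clamscan_t"):
    """Merge AVC denials for one source domain into sorted allow rules."""
    grouped = defaultdict(set)  # (target type, class) -> denied permissions
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != source_type:
            continue  # unparsable line, or a denial for another domain
        grouped[(selinux_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return [
        f"allow {source_type} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Each rule covers only the types the scan happened to touch in that run, so the set of denials changes with what clamscan reads each time.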

