On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
On Wed, 2006-06-28 at 21:13 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 14:22 -0500, Marc Schwartz (via MN) wrote:
> > New avc's:
> >
> > type=AVC msg=audit(1151521329.964:1158): avc: denied { search } for pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 a0=939f848 a1=bffd2e80 a2=721ff4 a3=3 items=1 pid=5442 auid=4294967295 uid=0 gid=0 euid=100 suid=0 fsuid=100 egid=101 sgid=0 fsgid=101 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
> > type=CWD msg=audit(1151521329.964:1158): cwd="/var/spool/postfix"
> > type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
>
> postfix local looking in /var/lib/clamav
>
> > type=AVC msg=audit(1151521329.988:1159): avc: denied { search } for pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 a0=8dd0d60 a1=bfe27a6c a2=4891eff4 a3=0 items=1 pid=5449 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
> > type=CWD msg=audit(1151521329.988:1159): cwd="/var/spool/postfix"
>
> same for procmail
>
> This appears to be postfix local and procmail trying to
> read /var/lib/clamav/.forward; does that sound reasonable?
There are no .forward files on my system at all, unless that is a temp
file, which does not make sense location-wise.
A Google search came up empty for that file, so I can only presume that
there are certain configuration scenarios where the pipelining of
e-mails would require that file.
Since I am using clamassassin, I also searched through that script and
noted nothing relevant here.
Not sure what else to make of it.
That might be dontaudit-able. Is /var/lib/clamav any user's home
directory?
> You can bump myclamav.te to version 0.1.5 and append the following:
>
> # ===========================================
> # things that should be done via an interface
> # ===========================================
> allow postfix_local_t clamd_var_lib_t:dir r_dir_perms;
> allow procmail_t clamd_var_lib_t:dir r_dir_perms;
>
> Paul.
Done, including the add in your second e-mail.
# semodule -l
amavis 1.0.4
clamav 1.0.1
dcc 1.0.0
myclamav 0.1.5
mydcc 0.1.8
mypostfix 0.1.0
mypyzor 0.2.3
myspamassassin 0.1.1
procmail 0.5.4
pyzor 1.0.1
razor 1.0.0
No further avc's at this time.
Is it time to venture back into the Enforcing World once again?
Give it a try. Bear in mind it may fail if any of the dontaudit rules
should be allows instead.
Paul.
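
An added example, not part of the original thread: the reading of the denials above (matching each AVC record to the SYSCALL and PATH records that share its audit serial, to see which program wanted which file) done in Python over records copied from this thread. The names `parse` and `rule` are this example's own, and `rule` prints only the raw denied permission as a candidate for review, not the `r_dir_perms` set used in the policy quoted above.

```python
import re
from collections import defaultdict

# Records taken from the thread above, rejoined onto single lines; the SYSCALL
# records are trimmed to the fields this example reads.
SAMPLE = '''\
type=AVC msg=audit(1151521329.964:1158): avc: denied { search } for pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 comm="local" exe="/usr/libexec/postfix/local"
type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1151521329.988:1159): avc: denied { search } for pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 comm="procmail" exe="/usr/bin/procmail"
'''

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by audit serial; return one dict per denied event."""
    events = defaultdict(dict)
    for line in log.splitlines():
        head = HEAD.match(line)
        if not head:
            continue  # not an audit record (blank line, wrapped fragment)
        rtype, serial = head.group(1), int(head.group(3))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[serial]
        if rtype == 'AVC' and 'denied' in line:
            ev['perms'] = re.search(r'\{ ([^}]*) \}', line).group(1).split()
            ev['source'] = fields['scontext'].split(':')[2]  # type is the 3rd field
            ev['target'] = fields['tcontext'].split(':')[2]
            ev['tclass'] = fields['tclass']
        elif rtype == 'SYSCALL':
            ev['exe'] = fields.get('exe')
        elif rtype == 'PATH':
            ev['path'] = fields.get('name')  # the file the syscall asked for
    return [dict(ev, serial=s) for s, ev in sorted(events.items()) if 'perms' in ev]

def rule(ev, keyword='dontaudit'):
    """Format a candidate rule ('allow' or 'dontaudit') for human review."""
    return '%s %s %s:%s { %s };' % (keyword, ev['source'], ev['target'], ev['tclass'], ' '.join(ev['perms']))

if __name__ == '__main__':
    for ev in parse(SAMPLE):
        print(ev['serial'], ev.get('exe'), ev.get('path'), rule(ev))
```

Event 1159 has no PATH record in the thread, so its `path` is absent and only the directory named in the AVC record identifies the target.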