Thank for your response, i really appreciate it.
Squid clam binary is located in:
/usr/local/squidclamav/bin
I isssue:
[root@shiva jay]# chcon -t bin_t *`which /usr/local/squidclamav/bin/`
and get error:
/usr/bin/which: no in (/usr/local/squidclamav/bin)
Then i try:
chcon -t bin_t *`/usr/local/squidclamav/bin/squidclamav`
SquidClamav running as UID 0: writing logs to stderr
Mon Oct 24 08:23:18 2005:Reading Patterns from config
/usr/local/squidclamav/etc/squidclamav.conf
Mon Oct 24 08:23:18 2005:SquidClamav (PID 4550) started
Does the original error mean the SELinux has not been configured to
allow squidclamav?
Last nite i ran a touch /.autorelabel
which relabelled my system, still the same problem. I have disabled
SELinux support for squid, so at least squid is working now.
God bless.
Daniel J Walsh wrote:
Jayendren Anand Maduray wrote:
> Greetings fellow travellers.
>
I would start by trying something like
chcon -t bin_t *`which squidclamav`
Btw where does squidclamav reside?
*
>
> Could someone please help me with the following errors:
>
> *audit(1129788324.500:0): avc: denied { execute } for pid=3105
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.501:0): avc: denied { execute } for pid=3106
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.507:0): avc: denied { execute } for pid=3107
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.510:0): avc: denied { execute } for pid=3108
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.514:0): avc: denied { execute } for pid=3109
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.517:0): avc: denied { execute } for pid=3110
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.521:0): avc: denied { execute } for pid=3111
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.522:0): avc: denied { execute } for pid=3112
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.528:0): avc: denied { execute } for pid=3113
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.529:0): avc: denied { execute } for pid=3114
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file*
>
>
> These errors are from dmesg, and occured after compiling and
> installing squidclam from source.
>
> Here is the output of selinuxconf:
>
> [*root@shiva jay]# selinuxconfig
> selinux state="enforcing"
> policypath="/etc/selinux/targeted"
> default_type_path="/etc/selinux/targeted/contexts/default_type"
> default_context_path="/etc/selinux/targeted/contexts/default_contexts"
>
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
>
> binary_policy_path="/etc/selinux/targeted/policy/policy"
> user_contexts_path="/etc/selinux/targeted/contexts/users/"
> contexts_path="/etc/selinux/targeted/contexts"*
>
> Output of uname -a:
> *[root@shiva jay]# uname -a
> Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686
> i686 i386 GNU/Linux*
>
> Any help would be greatly appreciated.
>
> God bless.
>
>
> fedora-selinux-list-request(a)redhat.com wrote:
>
>> Send fedora-selinux-list mailing list submissions to
>> fedora-selinux-list(a)redhat.com
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> or, via email, send a message with subject or body 'help' to
>> fedora-selinux-list-request(a)redhat.com
>>
>> You can reach the person managing the list at
>> fedora-selinux-list-owner(a)redhat.com
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of fedora-selinux-list digest..."
>>
>>
>> Today's Topics:
>>
>> 1. Re: mailman cgi-bin denied search (Tim Fenn)
>> 2. Preserving Context with tar (W. Scott wilburn)
>> 3. Re: mailman cgi-bin denied search (Daniel J Walsh)
>> 4. Re: Preserving Context with tar (Daniel J Walsh)
>> 5. Re: mailman cgi-bin denied search (Tim Fenn)
>> 6. Re: Preserving Context with tar (Stephen Smalley)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 19 Oct 2005 13:49:47 -0700
>> From: Tim Fenn <fenn(a)stanford.edu>
>> Subject: Re: mailman cgi-bin denied search
>> To: Daniel J Walsh <dwalsh(a)redhat.com>
>> Cc: fedora-selinux-list(a)redhat.com
>> Message-ID: <20051019204947.GC6466(a)stanford.edu>
>> Content-Type: text/plain; charset=us-ascii
>>
>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>
>>
>>> Tim Fenn wrote:
>>>
>>>
>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>> associated with mailman (e.g. via the web interface):
>>>>
>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>> { search } for pid=18761 comm="listinfo" name="run"
dev=sda1
>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>> u:object_r:var_run_t tclass=dir
>>>>
>>>>
>>>
>>> Why would mailman listinfo be searching /var/log directory?
>>>
>>>
>>
>>
>> Well, I get the same errors with mailmanctl:
>>
>> ./mailmanctl status
>>
>> yields no output, and the following errors:
>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>> { read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
>> ino=5 scontext=root:system_r:mailman_mail_t
>> tcontext=root:object_r:devpts_t tclass=chr_file
>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>> { search } for pid=20837 comm="mailmanctl" name="run"
dev=sda1
>> ino=1294372 scontext=root:system_r:mailman_mail_t
>> tcontext=system_u:object_r:var_run_t tclass=dir
>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>> scontext=root:system_r:mailman_mail_t
>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>> However, if I comment out:
>>
>> from Mailman.Logging.Syslog import syslog
>>
>> in the mailmanctl script, all is well:
>>
>> # ./mailmanctl status
>> mailman (pid 17677) is running...
>>
>> and no error messages. I would assume the same is true with the
>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>
>> Regards,
>> Tim
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 19 Oct 2005 15:56:06 -0600
>> From: "W. Scott wilburn" <wilburn(a)lanl.gov>
>> Subject: Preserving Context with tar
>> To: fedora-selinux-list(a)redhat.com
>> Message-ID: <20051019215606.GE4717(a)wilburn.lanl.gov>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Sorry to be asking such a simple question. Is it possible to
>> preserve file contexts using tar? I would have thought -p would do
>> this, but it appears no, atleast on RHEL4 and FC4.
>>
>> The reason to do this is a use tar to install modified config files
>> on new machines. Having to relabel after doing this is somewhat
>> slow. Perhaps there is a better solution?
>>
>> Thanks,
>> Scott Wilburn
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 19 Oct 2005 22:31:36 -0400
>> From: Daniel J Walsh <dwalsh(a)redhat.com>
>> Subject: Re: mailman cgi-bin denied search
>> To: Daniel J Walsh <dwalsh(a)redhat.com>, fedora-selinux-list(a)redhat.com
>> Message-ID: <43570188.5060201(a)redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Tim Fenn wrote:
>>
>>
>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>
>>>
>>>> Tim Fenn wrote:
>>>>
>>>>
>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>> associated with mailman (e.g. via the web interface):
>>>>>
>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:
>>>>> denied
>>>>> { search } for pid=18761 comm="listinfo"
name="run" dev=sda1
>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>>> u:object_r:var_run_t tclass=dir
>>>>>
>>>>>
>>>>
>>>> Why would mailman listinfo be searching /var/log directory?
>>>>
>>>>
>>>
>>> Well, I get the same errors with mailmanctl:
>>>
>>> ./mailmanctl status
>>>
>>> yields no output, and the following errors:
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>>> { read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
>>> ino=5 scontext=root:system_r:mailman_mail_t
>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>>> { search } for pid=20837 comm="mailmanctl" name="run"
dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>>> scontext=root:system_r:mailman_mail_t
>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>
>>> However, if I comment out:
>>>
>>> from Mailman.Logging.Syslog import syslog
>>>
>>> in the mailmanctl script, all is well:
>>>
>>> # ./mailmanctl status
>>> mailman (pid 17677) is running...
>>>
>>> and no error messages. I would assume the same is true with the
>>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>>
>>> Regards,
>>> Tim
>>>
>>
>> Yes. submit a bug. Although generating these in FC4 would be far
>> more interesting. Also do these AVC messages cause problems or are
>> they just being reported. No output from the script is fixed in FC4.
>>
>>
>>
>>
>
>
> --
> Jayendren Anand Maduray
> Microsoft Certified Professional
> Network Plus
> IT Administrator
>
> Perinatal HIV Research Unit
> Old Potch Road
> Chris Hani Baragwanath Hospital
> Soweto
> South Africa
>
> Tel: +27 11 989 9776
> Tel: +27 11 989 9999
> Fax: +27 11 938 3973
> Cel: 082 22 774 94
>
> Alternate email address: jayendren(a)mweb.co.za
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za