I'm currently trying to integrate Squid, c-icap and clamd together to get A/V scanning of objects through squid on a CentOS 6.5 server.
I have things working but every time I try and download the eicar.com test virus, I see the following in the logs:
type=AVC msg=audit(1410534437.751:227204): avc: denied { write } for pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
For the record, this server has been hardened according to the CIS CentOS 6.5 benchmark document.
/tmp and /var/tmp are mounted as so, if this matters:
/dev/mapper/VolGroup00-tmp on /tmp type ext4 (rw,noexec,nosuid,nodev)
/tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind)
If I set "semanage permissive -a clamd_t" then everything works.
Audit2allow suggests I need the following, but I'm not really understanding why:
allow antivirus_t initrc_tmp_t:file write;
Any guidance?
Mark.
--
Mark Watts
Infrastructure Engineer, iSolutions
University of Southampton
Tel: (02380) 595788 Int: 25788
Does it not work without permissive mode?
Looks like a stdout redirection or leaked file descriptor.
Do you have something like
script << _EOF
command
command
command
_EOF
Where clamd is running as one of the commands?
Or some other tmp file being created in /var/tmp/CI_TMP
Which is being passed on to clamd
On 09/12/2014 11:11 AM, Watts M.R. wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Data flow is: Squid -> c-icap (via TCP) -> c-icap virus_scan module -> c-icap clamd_mod module
c-icap's TmpDir is set to /var/tmp, so my guess is that it's c-icap which is writing the object to scan to the CI_TMP file, which it then passes to its virus_scan module, which ultimately gets passed to clamd through the clamd_mod c-icap module. I can't tell this explicitly from the documentation at [1] though, so this is just an educated guess.
Mark.
[1] http://c-icap.sourceforge.net/c-icap-modules.conf-0.3.x.html
--
Mark Watts
Infrastructure Engineer, iSolutions
University of Southampton
Tel: (02380) 595788 Int: 25788
________________________________
From: Daniel J Walsh [dwalsh@redhat.com]
Sent: 13 September 2014 11:07
To: Watts M.R.; selinux@lists.fedoraproject.org
Subject: Re: Selinux denial on clamd
I would just allow the access, using audit2allow -M myclamd

On 09/13/2014 07:57 AM, Watts M.R. wrote:
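The rule audit2allow suggested in the first message follows mechanically from the AVC record: source type from scontext, target type from tcontext, plus tclass and the permission set. The script below, an added example that is not from the thread or from the audit2allow tool itself, reproduces that derivation on a constructed copy of Mark's AVC line, so the single rule that `audit2allow -M myclamd` would put into the module can be read off and reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: derive the "allow" rule implied by one SELinux AVC record,
# mirroring what audit2allow reports. Constructed copy of the record from
# the thread (not read from a live audit log).
AVC='type=AVC msg=audit(1410534437.751:227204): avc: denied { write } for pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file'

# avc_field KEY RECORD: print the value of the KEY=value token (quotes stripped).
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT: the type component (user:role:TYPE:level) of a context.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission list inside "denied { ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# avc_to_allow RECORD: emit "allow SRC TGT:CLASS PERMS;" for one denial.
# Multiple permissions are wrapped in braces, as in a .te file.
avc_to_allow() {
  src=$(ctx_type "$(avc_field scontext "$1")")
  tgt=$(ctx_type "$(avc_field tcontext "$1")")
  cls=$(avc_field tclass "$1")
  perms=$(avc_perms "$1")
  case "$perms" in
    *" "*) perms="{ $perms }" ;;
  esac
  printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Show which process and path triggered the denial, then the derived rule.
printf 'comm=%s path=%s\n' "$(avc_field comm "$AVC")" "$(avc_field path "$AVC")"
avc_to_allow "$AVC"
```

The script only derives the rule; building and loading the policy module is still the `audit2allow -M myclamd` followed by `semodule -i myclamd.pp` step Dan refers to, and the rule it prints is exactly the one audit2allow showed Mark.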