Clamd - again...
Arthur Dent
misc.lists at blueyonder.co.uk
Mon Aug 23 08:47:51 UTC 2010
On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
> On 08/23/2010 10:40 AM, Arthur Dent wrote:
> > On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
> >> On 08/23/2010 10:09 AM, Arthur Dent wrote:
> >>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
> >>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
> >>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
> >>>> ----
> >>> time->Mon Aug 23 08:57:07 2010
> >>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan" subj=system_u:system_r:procmail_t:s0 key=(null)
> >>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
> >>
> >> This is still an issue:
> >>
> >> some process running in the procmail_t domain is running
> >> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
> >> but it is not domain transitioning to the clamscan_t domain.
> >
> > # which clamdscan
> > /usr/local/bin/clamdscan
> >
> > # ls -laZ /usr/local/bin/clamdscan
> > -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan
> >
> > Now, in actual fact, procmail does not call clamdscan directly (it can't
> > deal with emails), it calls a program called clamassassin which in turn
> > calls clamdscan.
> >
> > # ls -laZ /usr/local/bin/clamassassin
> > -r-xr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamassassin
> >
>
> Why are these files located there and not /usr/bin where they are
> expected to be? The files are mislabelled.
In both cases I compiled from source and accepted the defaults
in ./configure.
I guess I could try to recompile them in /usr/bin if it is a problem -
but I'm no expert...
>
>
> >>
> >> Policy defines that if a process running in the procmail_t domain runs a
> >> file labelled clamscan_exec_t, that procmail_t will domain transition to
> >> clamscan_t domain.
> >>
> >> This did not happen on your config.
> >>
> >> Either your clamdscan executable file is mislabelled or you are missing
> >> a domain transition rule.
> >>
> >> Where is your "clamdscan" executable file located, and what is it labelled?
> >
> > see above.
> >
> >> What does the following return:
> >>
> >> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
> >> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
> >
> > # sesearch -SC --allow -s procmail_t -t clamscan_t -c process
> > Found 1 semantic av rules:
> > allow procmail_t clamscan_t : process transition ;
> >
> > # sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
> > sesearch: invalid option -- 'f'
> > Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
> > [POLICY ...]
> >
> > Try sesearch --help for more help.
> >
> >
> >
> >
> >
> >
> >
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100823/4904268e/attachment.bin
More information about the selinux
mailing list