Clamd - again...

Dominick Grift domg472 at gmail.com
Tue Aug 24 07:18:08 UTC 2010


On 08/24/2010 08:55 AM, Arthur Dent wrote:
> On Tue, 2010-08-24 at 08:41 +0200, Dominick Grift wrote:
>> On 08/24/2010 12:20 AM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
>>>
>>>> open your ~/myclamd/myclamd.te file and append the following:
>>>>
>>>> gen_require(`
>>>> 	type clamscan_t;
>>>> ')
>>>>
>>>> procmail_rw_tmp_files(clamscan_t)
>>>> mta_read_queue(clamscan_t)
>>>>
>>>>
>>>> Then rebuild the binary representation and reinstall it:
>>>>
>>>> cd ~/myclamd;
>>>> make -f /usr/share/selinux/devel/Makefile myclamd.pp
>>>> sudo semodule -i myclamd.pp
>>>
>>> I'm sorry to be a nuisance Dominick, but I'm afraid there's another
>>> problem.
>>>
>>> Many people, including myself, who use clamd run a program called
>>> clamdwatch to monitor the fact that the clamd daemon is alive and well.
>>>
>>> This basically works by sending the Eicar virus to clamd and if it
>>> doesn't get back the expected virus warning it assumes clamd is dead and
>>> tries to restart it.
>>>
>>> I have it running from a cron job:
>>> */10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
>>>
>>> At the moment, every time this runs it restarts clamd.
>>>
>>> Here is the associated avc (still with semanage -DB).
>>
>> I guess you could chcon the file from the cron job to use a type that
>> clamd_t can access. For example, append chcon -t clamd_tmp_t /tmp/clamdwatch*
>>
>> That would be a workaround.
>>
>> The other approach is to write policy for clamdwatch.
>>
>> Another approach which is not encouraged is to allow clamd_t access to
>> user temporary content.
>>
>> What package provides this app? And why is it in the admin directory?
> 
> Sorry - It's not an app, it's a script (perl). It comes in the clamav
> tarball. I have put it in my /root/scripts/ directory where I keep most
> of my scripts run from cron.
> 
> I can send you a copy if that would help?

No thanks.

Does:
/root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t clamd_tmp_t /tmp/clamdwatch*; /etc/init.d/clamd start 2>&1 )

make it work?


> 
> Thanks
> 
> Mark