Clamd - again...

Dominick Grift domg472 at gmail.com
Wed Aug 25 20:26:23 UTC 2010


On 08/25/2010 10:17 PM, Arthur Dent wrote:
> On Wed, 2010-08-25 at 21:32 +0200, Dominick Grift wrote:
>> On 08/25/2010 08:33 PM, Arthur Dent wrote:
>>> On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
>>>> On 08/24/2010 11:05 AM, Arthur Dent wrote:
>>>>> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>>>>>
>>>>>>
>>>>>> Does:
>>>>>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
>>>>>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
>>>>>> /etc/init.d/clamd start 2>&1 )
>>>>>>
>>>>>> make it work?
>>>>>
>>>>> Hmm... Why doesn't it like that?
>>>>>
>>>>> chcon: missing operand
>>>>> Try `chcon --help' for more information.
>>>>> Starting clamd: [  OK  ]
>>>>>
>>>>
>>>> Whoops, it's: chcon -t clamd_tmp_t /tmp/clamdwatch*;
>>>
>>> OK - I'm not sure this approach is going to work. If I run this cronjob
>>> script it returns the following:
>>> chcon: cannot access `/tmp/clamdwatch*': No such file or directory
>>> Starting clamd: [  OK  ]
>>
>> Why is that happening? It looks like clamd started "OK"?
>> Fact of the matter is that clamd_t cannot access user_tmp_t files/dir,
>> so by labelling it clamd_tmp_t, clamd_t should be able to read it.
>>
>> How to implement that best can be tested.
>>
>> Optionally one could (and probably should) confine clamdwatch, but that
>> would take some work.
>>
>> I am of the opinion that by just labelling the offending object manually
>> clamd_tmp_t it should work and be an easy fix.
> 
> Do you speak perl?
> 
> This is an extract of the clamdwatch script:
> 
> # "CONFIG" section
> #
> # $Socket values:
> #   = "3310" (as in the tcp port; make sure $ip is correct if you use this)
> #   = "/path/to/clamd/socket"
> my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
> my $log = $options{l} || 0;
> my $ip = "127.0.0.1";
> my $timeout = $options{t} || 15;
> my $lockFile = $options{L} || "/var/lock/subsys/clamd";
> my $quiet = $options{q} || 0;
> my $sock;
> 
> # reversed eicar
> my $data = "*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
> srand;
> my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
> chmod('0644', $tempFile);
> 
> 
> Could we change that line to add a chcon command?
> 
>

I don't do a lot of Perl. This page may help implement it:
http://www.perlhowto.com/executing_external_commands

Basically you need to run "chcon -t clamd_tmp_t $tempFile"


> 
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
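
One way to run that relabel from inside the script right after mkstemp, as an added example that is not part of the original thread or of clamdwatch itself. The tool paths and the helper names run_cmd and label_for_clamd are assumptions; the temp file template and the clamd_tmp_t type come from the messages above.

```perl
#!/usr/bin/perl
# Added example (not clamdwatch code): create the probe file, then relabel
# it so the confined clamd_t domain is allowed to read it.
use strict;
use warnings;
use File::Temp qw(mkstemp);

# Assumed tool locations; adjust for the host.
my $CHCON          = "/usr/bin/chcon";
my $SELINUXENABLED = "/usr/sbin/selinuxenabled";

# Run a command without a shell (list-form system), so the file name is
# passed as a single argument and never parsed for metacharacters.
# Returns the exit status, or -1 if the command did not run to completion.
sub run_cmd {
    my @cmd = @_;
    my $rc = system { $cmd[0] } @cmd;
    return -1 if $rc == -1 || ($? & 127);   # not started, or killed by a signal
    return $? >> 8;
}

# Set the SELinux type of $path to $type.
# Returns 1 on success, or when SELinux is absent/disabled (nothing to do);
# returns 0 if chcon failed.
sub label_for_clamd {
    my ($path, $type) = @_;
    return 1 unless -x $SELINUXENABLED && run_cmd($SELINUXENABLED) == 0;
    my $rc = run_cmd($CHCON, "-t", $type, "--", $path);
    warn "chcon -t $type $path failed (status $rc)\n" if $rc != 0;
    return $rc == 0 ? 1 : 0;
}

my ($fh, $tempFile) = mkstemp("/tmp/clamdwatch-XXXXXXXXXXXXXXXX");
chmod(0644, $tempFile) or warn "chmod $tempFile: $!\n";   # mode as an octal number

# Relabel before clamd is asked to open the file; a failure here means the
# scan request is likely to be denied by policy rather than by clamd itself.
label_for_clamd($tempFile, "clamd_tmp_t")
    or warn "clamd may be denied access to $tempFile\n";

# clamdwatch would write its test data and request the scan at this point.
close($fh);
unlink($tempFile);
```

Labelling the one file the script just created avoids the `/tmp/clamdwatch*` glob from the cron line, which fails with "No such file or directory" when no probe file exists yet.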

