Clamd - again...

Dominick Grift domg472 at gmail.com
Wed Aug 25 21:11:04 UTC 2010


On 08/25/2010 11:07 PM, Arthur Dent wrote:
> On Wed, 2010-08-25 at 22:47 +0200, Dominick Grift wrote:
>> On 08/25/2010 10:42 PM, Arthur Dent wrote:
>>
>>>
>>> These are avcs I have collected today. I have made no attempt to remove
>>> duplicates and some of them probably relate to when I was playing with
>>> the clamdwatch problem...
>>
>>> type=AVC msg=audit(1282693685.536:49993): avc:  denied  { read } for
>>> pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ELpNsCwoK2" dev=sda6
>>> ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
>>> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
>>> ----
>>
>> I thought we allowed this already?
>>
>> add that to myclamd.te, then rebuild, reinstall
>>
>> all the other denials can be ignored. (hidden)
>>
>> procmail_rw_tmp_files(clamd_t)
> 
> procmail_rw_tmp_file(clad_t) is not in myclamd.te but
> procmail_rw_tmp_files(clamscan_t) is.
> 
> should I alter, add, or replace it?
> 
> i.e. should I have both or just the clamd_t one?

Oh, right, use both.

procmail_rw_tmp_files(clamd_t)
procmail_rw_tmp_files(clamscan_t)

> 
> While I have been writing this I have had a tail -f running on the
> clamd.log file. At 21:50 I got this message in the clamd.log:
> 
> Wed Aug 25 21:51:11 2010 -> WARNING: Control message truncated, no control data received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
> Wed Aug 25 21:51:11 2010 -> WARNING: Error condition on fd 9
> 
> These are the avcs at the corresponding time:
> 
> ----
> time->Wed Aug 25 21:51:10 2010
> type=SYSCALL msg=audit(1282769470.861:53248): arch=40000003 syscall=11
> success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
> ppid=25769 pid=25770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282769470.861:53248): avc:  denied  { noatsecure }
> for  pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282769470.861:53248): avc:  denied  { siginh } for
> pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1282769470.861:53248): avc:  denied  { rlimitinh }
> for  pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:procmail_t:s0 tclass=process
> ----
> time->Wed Aug 25 21:51:10 2010
> type=SYSCALL msg=audit(1282769470.982:53249): arch=40000003 syscall=11
> success=yes exit=0 a0=8b3c660 a1=8b3c538 a2=8b385b8 a3=8b3c538 items=0
> ppid=25772 pid=25776 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282769470.982:53249): avc:  denied  { noatsecure }
> for  pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282769470.982:53249): avc:  denied  { siginh } for
> pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282769470.982:53249): avc:  denied  { rlimitinh }
> for  pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> ----
> time->Wed Aug 25 21:51:11 2010
> type=SYSCALL msg=audit(1282769471.032:53250): arch=40000003 syscall=11
> success=yes exit=0 a0=8b3bb40 a1=8b3bae8 a2=8b385b8 a3=8b3bae8 items=0
> ppid=25772 pid=25780 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
> exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
> key=(null)
> type=AVC msg=audit(1282769471.032:53250): avc:  denied  { noatsecure }
> for  pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282769471.032:53250): avc:  denied  { siginh } for
> pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282769471.032:53250): avc:  denied  { rlimitinh }
> for  pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> ----
> time->Wed Aug 25 21:51:11 2010
> type=SYSCALL msg=audit(1282769471.036:53251): arch=40000003 syscall=102
> success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
> pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
> sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
> exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
> key=(null)
> type=AVC msg=audit(1282769471.036:53251): avc:  denied  { read } for
> pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Vl92TPjc8V" dev=sda6
> ino=86064 scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> ----
> time->Wed Aug 25 21:51:11 2010
> type=SYSCALL msg=audit(1282769471.055:53252): arch=40000003 syscall=11
> success=yes exit=0 a0=866bdd0 a1=866d4f0 a2=866d670 a3=866d4f0 items=0
> ppid=25783 pid=25784 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
> egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
> exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1282769471.055:53252): avc:  denied  { noatsecure }
> for  pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282769471.055:53252): avc:  denied  { siginh } for
> pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> type=AVC msg=audit(1282769471.055:53252): avc:  denied  { rlimitinh }
> for  pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:spamc_t:s0 tclass=process
> ----
> time->Wed Aug 25 21:51:11 2010
> type=SYSCALL msg=audit(1282769471.092:53253): arch=40000003 syscall=5
> success=no exit=-13 a0=f75a29 a1=80000 a2=1b6 a3=f759c5 items=0
> ppid=17891 pid=17892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=1959 comm="spamd" exe="/usr/bin/perl"
> subj=unconfined_u:system_r:spamd_t:s0 key=(null)
> type=AVC msg=audit(1282769471.092:53253): avc:  denied  { read } for
> pid=17892 comm="spamd" name="shadow" dev=sda6 ino=85497
> scontext=unconfined_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file

Yes, the remainder of these denials can be ignored.

> ----


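A triage pass over the quoted audit records, as an added example that is not part of the original message: it undoes the mail quoting and line wrapping, collapses duplicates, and separates the noatsecure/siginh/rlimitinh process denials (among those the reply says can be ignored) from the clamd_t read on procmail_tmp_t that procmail_rw_tmp_files(clamd_t) is meant to address. The function names and the two-bucket split are assumptions of the example; the sample records are copied from the thread.

```python
import re
from collections import Counter

# Excerpt of the denials quoted in the thread above, wrapped as in the e-mail.
SAMPLE = """\
> type=AVC msg=audit(1282769470.982:53249): avc:  denied  { noatsecure }
> for  pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282769471.032:53250): avc:  denied  { noatsecure }
> for  pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:system_r:clamscan_t:s0 tclass=process
> type=AVC msg=audit(1282769471.036:53251): avc:  denied  { read } for
> pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Vl92TPjc8V" dev=sda6
> ino=86064 scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')

# Process-class permissions checked on a domain transition; denials of these
# are among the ones the reply says can be ignored.
INHERITANCE = {"noatsecure", "siginh", "rlimitinh"}

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Undo mail quoting and wrapping, then yield one tuple per denial."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    for perms, comm, scon, tcon, tclass in AVC_RE.findall(flat):
        for perm in perms.split():
            yield (comm, sel_type(scon), sel_type(tcon), tclass, perm)

def triage(text):
    """Count unique denials, split into inheritance noise and the rest."""
    noise, review = Counter(), Counter()
    for rec in parse_avcs(text):
        _, _, _, tclass, perm = rec
        bucket = noise if tclass == "process" and perm in INHERITANCE else review
        bucket[rec] += 1
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE)
    print("ignorable (unique -> count):", dict(noise))
    print("needs review:", dict(review))
```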