Selinux denial on clamd

Daniel J Walsh dwalsh at redhat.com
Sat Sep 13 10:07:25 UTC 2014


Does it not work without permissive mode?

Looks like a stdout redirection or leaked file descriptor.

Do you have something like

script << _EOF
command
command
command
_EOF

Where clamd is running as one of the commands?

Or some other tmp file being created in /var/tmp/CI_TMP

Which is being passed on to clamd

On 09/12/2014 11:11 AM, Watts M.R. wrote:
>
> I’m currently trying to integrate Squid, c-icap and clamd together to
> get A/V scanning of objects through squid on a CentOS 6.5 server.
>
> I have things working but every time I try and download the eicar.com
> test virus, I see the following in the logs:
>
> type=AVC msg=audit(1410534437.751:227204): avc:  denied  { write }
> for  pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1
> ino=182 scontext=unconfined_u:system_r:antivirus_t:s0
> tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
>
> For the record, this server has been hardened according to the CIS
> CentOS 6.5 benchmark document.
>
> /tmp and /var/tmp are mounted as so, if this matters:
>
> /dev/mapper/VolGroup00-tmp on /tmp type ext4 (rw,noexec,nosuid,nodev)
> /tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind)
>
> If I set “semanage permissive -a clamd_t” then everything works.
>
> Audit2allow suggests I need the following, but I’m not really
> understanding why:
>
> allow antivirus_t initrc_tmp_t:file write;
>
> Any guidance?
>
> Mark.
>
> --
> Mark Watts
> Infrastructure Engineer, iSolutions
> University of Southampton
> Tel: (02380) 595788 Int: 25788
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
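The following is an added example, not code from either poster or from the SELinux project. It parses the AVC record quoted above, rebuilds the allow rule that audit2allow proposes, and applies a small heuristic of this example's own (not audit2allow's logic) to flag what Dan points at: the target type initrc_tmp_t says the file was created by a process running as initrc_t (the c-icap init script) and then handed to clamd, so the denial is about a leaked descriptor or a pre-created temp file, not a missing clamd permission. The second record below is constructed for comparison. Function names and the heuristic are this example's own.

```python
"""Parse an SELinux AVC denial record, derive the TE rule audit2allow would
print for it, and flag a tmp file whose type belongs to a different domain
than the process that is being denied access to it."""
import re
from dataclasses import dataclass

# The AVC record from the original post, re-joined onto one line
# (the list archive wrapped it across several quoted lines).
SAMPLE_AVC = (
    'type=AVC msg=audit(1410534437.751:227204): avc:  denied  { write } '
    'for  pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 '
    'ino=182 scontext=unconfined_u:system_r:antivirus_t:s0 '
    'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file'
)

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are double-quoted (comm, path) or bare (pid, dev, contexts)
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcRecord:
    result: str    # "denied" or "granted"
    perms: list    # permissions inside the braces, e.g. ["write"]
    fields: dict   # the key=value pairs after "for"

    @staticmethod
    def _type_of(context):
        # A context is user:role:type[:range]; the type is the third field.
        return context.split(':')[2]

    @property
    def source_type(self):
        return self._type_of(self.fields['scontext'])

    @property
    def target_type(self):
        return self._type_of(self.fields['tcontext'])

    @property
    def tclass(self):
        return self.fields['tclass']

    def allow_rule(self):
        """The TE rule audit2allow would emit for this single record."""
        perms = self.perms[0] if len(self.perms) == 1 else '{ ' + ' '.join(self.perms) + ' }'
        return f'allow {self.source_type} {self.target_type}:{self.tclass} {perms};'


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other audit record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(m.group('rest')):
        fields[key] = quoted if raw.startswith('"') else raw
    return AvcRecord(m.group('result'), m.group('perms').split(), fields)


def foreign_tmp_file(rec):
    """Heuristic (this example's own): a file target of type <x>_tmp_t where <x>
    is not the source domain's prefix was created by another confined domain
    and inherited or passed in. Returns that creating prefix, else None."""
    if rec.tclass != 'file' or not rec.target_type.endswith('_tmp_t'):
        return None
    creator = rec.target_type[:-len('_tmp_t')]
    source = rec.source_type[:-len('_t')] if rec.source_type.endswith('_t') else rec.source_type
    return creator if creator != source else None


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec.allow_rule())        # allow antivirus_t initrc_tmp_t:file write;
    print(foreign_tmp_file(rec))   # initrc
```

The parser reproduces exactly the rule Mark saw from audit2allow, which is the point: audit2allow only transcribes the denial, it does not say whether the denial is the right thing to permit. Reading the target type tells you who created the file; an initrc_tmp_t file in /var/tmp/CI_TMP was made by the init script's domain, so the durable fix lies in how c-icap and clamd are started (or in the labeling of that directory), not in adding the allow rule.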
