
Re: postfix, procmail and SELinux - No Go



Marc Schwartz (via MN) wrote:
On Fri, 2006-07-21 at 18:06 +0100, Paul Howarth wrote:
Marc Schwartz (via MN) wrote:
Well, after a couple of days and several re-boots, the following is the
only avc so far:

type=AVC msg=audit(1153435170.422:48): avc:  denied  { search } for  pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 a0=9730020 a1=1 a2=448ce93c a3=972f7e0 items=1 pid=15586 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=CWD msg=audit(1153435170.422:48):  cwd="/home/marcs"
type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" parent=58512 dev=fd:02 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:clamscan_tmp_t:s0

I am running in Enforcing mode.
It appears to be trying to look in your home directory whilst scanning a temporary file called "tnef".

'tnef' files (Transport Neutral Encapsulation Format) are a MIME type
coming from Winders Outlook users. They tend to show up in Evolution as
'winmail.dat' attachments, which then require a tnef viewer such as tnef
or KTnef or similar to open and view:

http://sourceforge.net/projects/tnef

I do occasionally get this from co-workers and others who are on
Windows.

The program appears to be running in your home directory, probably since it's running from your .procmailrc and clamassassin. I wonder if this can be dontaudited? Any idea whether the scan of this file worked or not?

I can confirm that I have received at least one 'tnef' type attachment
in the past 48 hours, which came through to Evo without problem. These
would not normally be picked up as a virus/worm, etc. via scanners.

I'd expect you to get one of these AVCs for each scanned attachment; have you only seen the one instance?

Could you try getting it to scan something that should be detected as "bad" and make sure it works?

Paul.
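
An added example, not part of the original message or of any project's code: a Python sketch that groups the four audit records quoted above by their shared event ID, so the AVC denial can be read next to the CWD and PATH records, and derives the dontaudit rule Paul asks about. The function names are hypothetical, and the rule text is only the candidate this one denial implies; whether it belongs in policy is the open question in the thread.

```python
import re
from collections import defaultdict

# The four audit records quoted in the message above (one event, serial 48).
AUDIT_LOG = '''\
type=AVC msg=audit(1153435170.422:48): avc:  denied  { search } for  pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 a0=9730020 a1=1 a2=448ce93c a3=972f7e0 items=1 pid=15586 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=CWD msg=audit(1153435170.422:48):  cwd="/home/marcs"
type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" parent=58512 dev=fd:02 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:clamscan_tmp_t:s0
'''

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group records by (timestamp, serial): the AVC, SYSCALL, CWD, PATH of one event."""
    events = defaultdict(lambda: defaultdict(list))
    # Lines that are not audit records do not match HEAD and are skipped.
    for m in filter(None, map(HEAD.match, text.splitlines())):
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = re.search(r'\{([^}]*)\}', body)
        if rtype == 'AVC' and perms:
            fields['perms'] = perms.group(1).split()
        events[(stamp, serial)][rtype].append(fields)
    return events

def se_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def summarize(event):
    """Describe one denial and the dontaudit rule that would silence it."""
    avc = event['AVC'][0]
    src, tgt = se_type(avc['scontext']), se_type(avc['tcontext'])
    rule = 'dontaudit %s %s:%s { %s };' % (src, tgt, avc['tclass'], ' '.join(avc['perms']))
    return {
        'comm': avc['comm'],
        'cwd': [r['cwd'] for r in event['CWD']],      # where the process was running
        'paths': [r['name'] for r in event['PATH']],  # what the syscall was given
        'exit': [r['exit'] for r in event['SYSCALL']],
        'rule': rule,
    }

if __name__ == '__main__':
    for key, event in group_events(AUDIT_LOG).items():
        if 'AVC' in event:
            print(key, summarize(event))
```

The exit value of -13 in the SYSCALL record is EACCES, so the call that triggered this denial did fail in Enforcing mode; a dontaudit rule would hide the log entry without changing that outcome.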

