
Re: postfix, procmail and SELinux - No Go



On Fri, 2006-07-21 at 18:26 +0100, Paul Howarth wrote:
> Marc Schwartz (via MN) wrote:
> > On Fri, 2006-07-21 at 18:06 +0100, Paul Howarth wrote:
> >> Marc Schwartz (via MN) wrote:
> >>> Well, after a couple of days and several re-boots, the following is the
> >>> only avc so far:
> >>>
> >>> type=AVC msg=audit(1153435170.422:48): avc:  denied  { search } for  pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
> >>> type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 a0=9730020 a1=1 a2=448ce93c a3=972f7e0 items=1 pid=15586 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
> >>> type=CWD msg=audit(1153435170.422:48):  cwd="/home/marcs"
> >>> type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" parent=58512 dev=fd:02 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:clamscan_tmp_t:s0
> >>>
> >>> I am running in Enforcing mode.
> >> It appears to be trying to look in your home directory whilst scanning a 
> >> temporary file called "tnef".
> > 
> > 'tnef' files (Transport Neutral Encapsulation Format) are a MIME type
> > coming from Winders Outlook users. They tend to show up in Evolution as
> > 'winmail.dat' attachments, which then require a tnef viewer such as tnef
> > or KTnef or similar to open and view:
> > 
> > http://sourceforge.net/projects/tnef
> > 
> > I do occasionally get this from co-workers and others who are on
> > Windows.
> > 
> >> The program appears to be running in your home directory, probably since 
> >> it's running from your .procmailrc and clamassassin. I wonder if this 
> >> can be dontaudited? Any idea whether the scan of this file worked or not?
> > 
> > I can confirm that I have received at least one 'tnef' type attachment
> > in the past 48 hours, which came through to Evo without problem. These
> > would not normally be picked up as a virus/worm, etc. via scanners.
> 
> I'd expect you to get one of these AVCs for each scanned attachment; 
> have you only seen the one instance?

There has only been one in the past day or two that I can recall.

> Could you try getting it to scan something that should be detected as 
> "bad" and make sure it works?

An incoming external e-mail will be hard. Between the virus filters now
on my personal ISP and those that my company has installed on the
corporate mail server, it is virtually impossible to get one to get in
the pipeline on my system to be scanned by clamav.

Oh wait a minute, presuming that this works properly, mail path wise, I
can use mutt to attach an EICAR signature file and then send that e-mail
to my local user account (i.e. marcs localhost) via the CLI.

OK.  That appears to work.  I do get the e-mails, with the subject
header re-write "[***** VIRUS *****]" via clamassassin. So if the mail
path of a locally sent e-mail (versus an incoming POP3 msg) is OK, we
are good to go.

OK on the avc's also. The only avc still output is the one that I sent
earlier.

HTH,

Marc
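
Whether the remaining denial can be dontaudited, as asked in the quoted text, depends on the source type, target type, class and permission carried in the AVC record. As an added example (not part of the original message or of any project's code), this Python script groups the quoted audit records by event id and derives the candidate dontaudit rule; the function names are hypothetical and the sample is the event from the thread, abridged to the fields used.

```python
import re

# Audit event quoted in the thread (event id 1153435170.422:48), abridged.
SAMPLE = '''\
type=AVC msg=audit(1153435170.422:48): avc:  denied  { search } for  pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 pid=15586 uid=500 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=CWD msg=audit(1153435170.422:48):  cwd="/home/marcs"
type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" obj=system_u:object_r:clamscan_tmp_t:s0
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event id and merge the fields needed for triage."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {})
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC" and AVC_RE.search(body):
            ev.update(fields, perms=AVC_RE.search(body).group(1).split())
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")        # working directory of the process
        elif rtype == "PATH":
            ev.setdefault("paths", []).append(fields.get("name"))
        elif rtype == "SYSCALL":
            ev["exe"] = fields.get("exe")
    return events

def dontaudit_rule(ev):
    """Render the candidate dontaudit rule for one denied AVC event."""
    # A context is user:role:type[:level]; the rule is written on the types.
    src, tgt = (ev[k].split(":")[2] for k in ("scontext", "tcontext"))
    perms = ev["perms"][0] if len(ev["perms"]) == 1 else "{ %s }" % " ".join(ev["perms"])
    return "dontaudit %s %s:%s %s;" % (src, tgt, ev["tclass"], perms)

if __name__ == "__main__":
    for event_id, ev in parse_events(SAMPLE).items():
        if "perms" in ev:  # only events that contain a denial
            print(event_id, ev["exe"], "cwd=" + ev["cwd"], "paths=%s" % ev["paths"])
            print(dontaudit_rule(ev))
```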




