selinux preventing clamd and amavisd even in Permissive

Sat Dec 1 07:49:35 UTC 2007

I am getting numerous AVCs from selinixtrobleshoot when clamd and 
amavisd try to operate even with selinux in Permissive mode the actions 
are still prevented.

I did a touch /.autorelabel before reporting this. The problem still occurs.

An example:

Summary
    SELinux is preventing /usr/bin/clamscan (clamscan_t) "read" to <Unknown>
    (amavis_spool_t).

Detailed Description
    SELinux denied access requested by /usr/bin/clamscan. It is not expected
    that this access is required by /usr/bin/clamscan and this access 
may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional 
access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module 
to allow
    this access - see 
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information       

Source Context                system_u:system_r:clamscan_t
Target Context                system_u:object_r:amavis_spool_t
Target Objects                None [ dir ]
Affected RPM Packages         clamav-0.91.2-3.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     joe
Platform                      Linux joe 2.6.23.1-49.fc8 #1
                              SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   7
First Seen                    Sat 01 Dec 2007 02:13:33 AM EST
Last Seen                     Sat 01 Dec 2007 02:23:33 AM EST
Local ID                      d41e6d82-4a90-48ee-a554-3c557f6cfe61
Line Numbers                 

Raw Audit Messages           

avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495
exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0 
name=clamav-
f1269664cac0bef43a67b3a6dbae41b8 pid=2785
scontext=system_u:system_r:clamscan_t:s0 sgid=490
subj=system_u:system_r:clamscan_t:s0 suid=495 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495

There are others, but selinux should only log the AVCs in Permissive. 
Right? But the selinux system is actually doing denials. The email 
system will not work since the emails cannot be virus checked. Glad this 
is a test installation.

There was a problem in Fedora Core 6 with Postfix, amavisd, and clamd as 
I remember it, but it would run in Permissive.

I will post all the the AVCs later, but I thought this was important.

Regards,
John