Clamd getting out of hand...

Daniel J Walsh dwalsh at redhat.com
Wed Jul 30 19:33:14 UTC 2008


Arthur Dent wrote:
> On Wed, Jul 30, 2008 at 11:24:47AM -0400, Daniel J Walsh wrote:
>> Arthur Dent wrote:
>>> Hello All,
>>>
>>> I have been using SELinux in enforcing mode on my F8 box for some time
>>> now. I had to go through a bit of pain to get clamassassin working with
>>> clamd to scan my emails but it worked OK.
>>>
>>> This weekend I upgraded to F9 and have now had about a gazillion AVC
>>> denials related to clamd.
>>>
>>> I have therefore been forced to use audit2allow to add to the already
>>> pretty cumbersome local policy I had with F8.
>>>
>>> I list the policy below. All of the entries are as a result of some
>>> denial and subsequent audit2allow policy generation.
>>>
>>> My question is basically - can one of you gurus tell me if all this
>>> stuff is still necessary? Is there a policy in the works that might 
>>> avoid all this?
>>>
>>> Thanks in advance
>>>
>>> AD
>>>
>>>
>>> ##########################################
>>> # cat myclamd.te
>>> policy_module(myclamd, 1.1.11)
>>> require {
>>>         type clamscan_t;
>>>         type clamd_t;
>>>         class tcp_socket { write create connect };
>>>         type var_run_t;
>>>         type user_home_t;
>>>         class sock_file { write unlink create };
>>>         class file append;
>>>         type unlabeled_t;
>>>         class association recvfrom;
>>>
>>> }
>>>
>>> #============= clamd_t ==============
>>> allow clamd_t var_run_t:sock_file { unlink create };
>> Looks like a labeling problem.
> 
> Well I did run touch /.autorelabel; reboot
> 
>>> corenet_tcp_bind_generic_port(clamd_t)
>> What port did it bind to?
> 
> In case it helps I have posted my entire clamd.conf file here:
> http://pastebin.com/m72927397
> 
>>> userdom_read_generic_user_home_content_files(clamd_t)
>>>
>>> #============= clamscan_t ==============
>>> allow clamscan_t self:tcp_socket { write create connect };
>>> allow clamscan_t user_home_t:file append;
>> Labeling?
>>> allow clamscan_t var_run_t:sock_file write;
>>> corenet_tcp_connect_generic_port(clamscan_t)
>>> corenet_sendrecv_unlabeled_packets(clamscan_t)
>>> mta_read_queue(clamscan_t)
>>> procmail_rw_tmp_files(clamscan_t)
>>> userdom_read_generic_user_home_content_files(clamscan_t)
>>> allow clamscan_t unlabeled_t:association recvfrom;
>>> ########################################## 
>>>
>> Please attach the avc's used to create this policy?
> 
> Well I no longer have many of the older ones - much of the above was
> generated when I was running F8. If it's really important I could try
> to recover them from the backup archive - but that would be quite a lot
> of work...
> 
> A selection of some of the 500 or so recent ones (since my upgrade
> to F9) can be found here:
> http://pastebin.com/m7b60d46a
> 
> My current policy (now up to version 14!) looks like this (below),
> though with it in place everything now works fine. I have one other
> problem (with VMWare and unrelated to this) which merits its own thread
> and which I will post later.
> 
> In the meantime, thank you very much for your help. It's much
> appreciated...
> 
> AD
But do you have the original avc messages used to generate the policy?
I want to see if we are missing transitions. What port is it
communicating with, etc.?



