-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/20/2011 05:52 AM, Frank Murphy wrote:
On 19/06/11 10:43, Dominick Grift wrote:
<snip>
>
> ignore for now.
>
> You have not enclosed the complete report so i cannot determine the
> issue. However it is very likely that the suggestion by setroubleshooter
> is not applicable here.
>
>
Here's the full report:
SELinux is preventing /usr/sbin/clamd from search access on the
directory /selinux.
***** Plugin file (36.8 confidence) suggests
*******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin file (36.8 confidence) suggests
*******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall_labels (23.2 confidence) suggests
********************
If you want to allow clamd to have search access on the selinux directory
Then you need to change the label on /selinux
Do
# semanage fcontext -a -t FILE_TYPE '/selinux'
where FILE_TYPE is one of the following: sysctl_crypto_t, samba_var_t,
amavis_var_lib_t, avahi_var_run_t, clamd_var_log_t, setrans_var_run_t,
net_conf_t, clamd_var_lib_t, clamd_var_run_t, sysctl_t, sysctl_kernel_t,
abrt_t, bin_t, nscd_var_run_t, nslcd_var_run_t, clamd_etc_t, lib_t,
mnt_t, sssd_var_lib_t, root_t, tmp_t, usr_t, var_t, device_t, etc_t,
clamd_tmp_t, amavis_spool_t, proc_t, sysfs_t, var_lib_t, exim_spool_t,
textrel_shlib_t, sysctl_t, bin_t, cert_t, clamd_t, tmp_t,
rpm_script_tmp_t, usr_t, var_t, winbind_var_run_t, security_t, device_t,
devpts_t, locale_t, sssd_public_t, etc_t, proc_t, default_t, etc_mail_t,
sosreport_tmp_t, fail2ban_var_lib_t, likewise_var_lib_t, rpm_tmp_t,
var_run_t, krb5_conf_t, httpd_sys_content_t, rpm_log_t, var_log_t,
var_spool_t, var_lib_t, var_run_t, abrt_var_run_t, var_t, var_log_t,
nscd_var_run_t, pcscd_var_run_t, var_t, var_t, cgroup_t, var_run_t,
var_run_t, root_t, sysfs_t, tmpfs_t.
Then execute:
restorecon -v '/selinux'
***** Plugin catchall (5.04 confidence) suggests
***************************
If you believe that clamd should be allowed search access on the selinux
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:clamd_t:s0
Target Context system_u:object_r:file_t:s0
Target Objects /selinux [ dir ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host test08...................
Source RPM Packages clamav-server-0.97.1-1600.fc16
Target RPM Packages filesystem-2.4.42-1.fc16
Policy RPM selinux-policy-3.9.16-29.1.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name test08...................
Platform Linux test08...............
3.0-0.rc3.git5.1.fc16.x86_64 #1 SMP Fri
Jun 17
16:21:59 UTC 2011 x86_64 x86_64
Alert Count 13
First Seen Sat 18 Jun 2011 13:49:32 IST
Last Seen Mon 20 Jun 2011 10:43:22 IST
Local ID 3220d418-bbfb-4955-a14c-8b7e99e55f91
Raw Audit Messages
type=AVC msg=audit(1308563002.180:97): avc: denied { search } for
pid=1536 comm="clamd" name="selinux" dev=dm-3 ino=25
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1308563002.180:97): arch=x86_64 syscall=open
success=no exit=EACCES a0=309376440a a1=0 a2=1b6 a3=9 items=0 ppid=1
pid=1536 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494
egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=clamd
exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
Hash: clamd,clamd_t,file_t,dir,search
audit2allow
#============= clamd_t ==============
allow clamd_t file_t:dir search;
audit2allow -R
#============= clamd_t ==============
allow clamd_t file_t:dir search;
file_t means you have a mislabeled file system. any app that loads
libselinux will do a search on /selinux which is probably causing this
problem. If you just run restorecon on /selinux it might solve the
problem. But if you see other file_t files on your disk, then you need
to relabel the system.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk3/LA8ACgkQrlYvE4MpobMUTQCfRv6Nu2eBALWpgBqZ9AYVC1Jk
WIYAn3v3D8vrGv/G7tIeBxsPbU2V6j42
=1VdQ
-----END PGP SIGNATURE-----