4:29 a.m.
Hello all,
Since upgrading from F11 to F13 I still have 3 outstanding issues. 1 is
my earlier thread about mlogc which is still the subject of some
correspondence on the modsecurity list, another is a mysterious "leaked
file descriptor" AVC which has a permissive type anyway so I will worry
about that later (and may have stopped since the latest selinux policy
release) and that just leaves clamd... sigh...
The relationship between procmail and clamd and selinux always seems to
be a troubled one and I don't know why it should be so, but hey...
Every time I upgrade Fedora I go through this little dance - remove my
old home made clamd policy, run my fetchmail->procmail->clamd( and
spamd)-> dovecot mail-chain and see what AVCs emerge. I create a policy
using audit2allow, rinse, repeat until all AVCs go away.
Well I have done that as usual, all the AVCs have gone away, but still I
get this message in my logs:
X-virus-report: /usr/local/bin/clamdscan error 2
X-virus-checker-version: clamassassin 1.2.4 with clamdscan / ERROR: Can't connect to
clamd: Permission denied
But NO AVCs
I have proved that selinux is the culprit. Putting SEL into permissive
mode temporarily allows clamd to work as it should (but still no AVCs).
I am a little reluctant to do the "semodule -DB" to reveal any silent
denials as I get swamped with stuff (but if that's what it takes...)
In the meantime can anyone suggest any other approach?
Here is my current clamd module as created by audit2allow:
=========================8<========================================
# cat selinux/myclamd.te
module myclamd 13.1.3;
require {
type unconfined_t;
type var_run_t;
type clamd_var_run_t;
type initrc_t;
type procmail_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= procmail_t ==============
allow procmail_t initrc_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow procmail_t unconfined_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow procmail_t var_run_t:sock_file write;
allow procmail_t clamd_var_run_t:sock_file write;
#!!!! This avc is allowed in the current policy
=========================8<========================================
Note - those comments are created by audit2allow.
Thanks in advance...
Mark
1:08 p.m.
On 08/22/2010 11:29 AM, Arthur Dent wrote:
Hello all,
Since upgrading from F11 to F13 I still have 3 outstanding issues. 1 is
my earlier thread about mlogc which is still the subject of some
correspondence on the modsecurity list, another is a mysterious "leaked
file descriptor" AVC which has a permissive type anyway so I will worry
about that later (and may have stopped since the latest selinux policy
release) and that just leaves clamd... sigh...
The relationship between procmail and clamd and selinux always seems to
be a troubled one and I don't know why it should be so, but hey...
Every time I upgrade Fedora I go through this little dance - remove my
old home made clamd policy, run my fetchmail->procmail->clamd( and
spamd)-> dovecot mail-chain and see what AVCs emerge. I create a policy
using audit2allow, rinse, repeat until all AVCs go away.
So why not do it properly this time and help fix this upstream?
Can you remove your custom modules and enclose raw AVC denials please?
Well I have done that as usual, all the AVCs have gone away, but
still I
get this message in my logs:
X-virus-report: /usr/local/bin/clamdscan error 2
X-virus-checker-version: clamassassin 1.2.4 with clamdscan / ERROR: Can't connect to
clamd: Permission denied
But NO AVCs
I have proved that selinux is the culprit. Putting SEL into permissive
mode temporarily allows clamd to work as it should (but still no AVCs).
I am a little reluctant to do the "semodule -DB" to reveal any silent
denials as I get swamped with stuff (but if that's what it takes...)
In the meantime can anyone suggest any other approach?
Show us raw AVC denials, also for the rules you added below. Also use
semodule -DB to collect the AVC denials as it may reveal hidden denials.
Here is my current clamd module as created by audit2allow:
=========================8<========================================
# cat selinux/myclamd.te
module myclamd 13.1.3;
require {
type unconfined_t;
type var_run_t;
type clamd_var_run_t;
type initrc_t;
type procmail_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= procmail_t ==============
allow procmail_t initrc_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
What is running initrc_t? Can you show the raw avc denial.
allow procmail_t unconfined_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow procmail_t var_run_t:sock_file write;
Mislabeled sock file.
allow procmail_t clamd_var_run_t:sock_file write;
#!!!! This avc is allowed in the current policy
This does look legit to me
=========================8<========================================
Note - those comments are created by audit2allow.
Yes, those comments are annoying.
Thanks in advance...
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
1:24 p.m.
On Sun, 2010-08-22 at 20:08 +0200, Dominick Grift wrote:
On 08/22/2010 11:29 AM, Arthur Dent wrote:
> Hello all,
>
> Since upgrading from F11 to F13 I still have 3 outstanding issues. 1 is
> my earlier thread about mlogc which is still the subject of some
> correspondence on the modsecurity list, another is a mysterious "leaked
> file descriptor" AVC which has a permissive type anyway so I will worry
> about that later (and may have stopped since the latest selinux policy
> release) and that just leaves clamd... sigh...
>
> The relationship between procmail and clamd and selinux always seems to
> be a troubled one and I don't know why it should be so, but hey...
>
> Every time I upgrade Fedora I go through this little dance - remove my
> old home made clamd policy, run my fetchmail->procmail->clamd( and
> spamd)-> dovecot mail-chain and see what AVCs emerge. I create a policy
> using audit2allow, rinse, repeat until all AVCs go away.
So why not do it properly this time and help fix this upstream?
OK - Happy to try...
Can you remove your custom modules and enclose raw AVC denials
please?
OK - I have removed the module. As each new denial comes in I will post
the AVCs here. In the meantime I have included (at the bottom of this
mail) the AVCs that led to the creation of this module.
> Well I have done that as usual, all the AVCs have gone away, but
still I
> get this message in my logs:
> X-virus-report: /usr/local/bin/clamdscan error 2
> X-virus-checker-version: clamassassin 1.2.4 with clamdscan / ERROR: Can't
connect to clamd: Permission denied
>
> But NO AVCs
>
> I have proved that selinux is the culprit. Putting SEL into permissive
> mode temporarily allows clamd to work as it should (but still no AVCs).
>
> I am a little reluctant to do the "semodule -DB" to reveal any silent
> denials as I get swamped with stuff (but if that's what it takes...)
>
> In the meantime can anyone suggest any other approach?
Show us raw AVC denials, also for the rules you added below. Also use
semodule -DB to collect the AVC denials as it may reveal hidden denials.
Raw AVCs posted below. If I can, I would prefer to avoid semodule -DB -
at least until there's no alternative. The last time I did this I was
swamped with messages...
Thanks for your help so far...
OLD Raw AVCs:
=============
(Note: I have not attempted to remove duplicates in case they may not
actually be duplicates...)
# grep clam /var/log/audit/audit.log
type=AVC msg=audit(1281549967.522:25603): avc: denied { write } for pid=7413
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549967.522:25603): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf9c19b0 a2=3 a3=0 items=0 ppid=7409 pid=7413 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549967.553:25604): avc: denied { write } for pid=7419
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549967.553:25604): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe176c0 a2=3 a3=1 items=0 ppid=7409 pid=7419 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549968.933:25605): avc: denied { write } for pid=7433
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549968.933:25605): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf9f7d60 a2=3 a3=0 items=0 ppid=7429 pid=7433 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549968.944:25606): avc: denied { write } for pid=7437
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549968.944:25606): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfef94f0 a2=3 a3=1 items=0 ppid=7429 pid=7437 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549972.233:25607): avc: denied { write } for pid=7457
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549972.233:25607): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffd3850 a2=3 a3=0 items=0 ppid=7453 pid=7457 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549972.245:25608): avc: denied { write } for pid=7461
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549972.245:25608): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfbd0860 a2=3 a3=1 items=0 ppid=7453 pid=7461 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549974.951:25609): avc: denied { write } for pid=7480
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549974.951:25609): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdd9980 a2=3 a3=0 items=0 ppid=7476 pid=7480 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549974.962:25610): avc: denied { write } for pid=7484
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549974.962:25610): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf9009f0 a2=3 a3=1 items=0 ppid=7476 pid=7484 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549979.649:25611): avc: denied { write } for pid=7503
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549979.649:25611): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa76ac0 a2=3 a3=0 items=0 ppid=7499 pid=7503 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549979.684:25612): avc: denied { write } for pid=7509
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549979.684:25612): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfee7530 a2=3 a3=1 items=0 ppid=7499 pid=7509 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549989.907:25613): avc: denied { write } for pid=7547
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549989.907:25613): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bff2eae0 a2=3 a3=0 items=0 ppid=7543 pid=7547 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549989.918:25614): avc: denied { write } for pid=7552
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549989.918:25614): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bff8b3b0 a2=3 a3=1 items=0 ppid=7543 pid=7552 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549992.167:25615): avc: denied { write } for pid=7569
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549992.167:25615): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfb02b50 a2=3 a3=0 items=0 ppid=7565 pid=7569 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549992.178:25616): avc: denied { write } for pid=7573
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549992.178:25616): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf8de0a0 a2=3 a3=1 items=0 ppid=7565 pid=7573 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549995.114:25617): avc: denied { write } for pid=7593
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549995.114:25617): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfea68f0 a2=3 a3=0 items=0 ppid=7589 pid=7593 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549995.129:25618): avc: denied { write } for pid=7598
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549995.129:25618): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffb0530 a2=3 a3=1 items=0 ppid=7589 pid=7598 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549997.583:25619): avc: denied { write } for pid=7617
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549997.583:25619): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdedaa0 a2=3 a3=0 items=0 ppid=7613 pid=7617 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549997.594:25620): avc: denied { write } for pid=7621
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549997.594:25620): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfb8fcc0 a2=3 a3=1 items=0 ppid=7613 pid=7621 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549998.782:25621): avc: denied { write } for pid=7637
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549998.782:25621): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffd7cc0 a2=3 a3=0 items=0 ppid=7633 pid=7637 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549998.795:25622): avc: denied { write } for pid=7641
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549998.795:25622): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa4cfd0 a2=3 a3=1 items=0 ppid=7633 pid=7641 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553746.456:28957): avc: denied { write } for pid=1875
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553746.456:28957): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfd26f70 a2=3 a3=0 items=0 ppid=1871 pid=1875 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553746.467:28958): avc: denied { write } for pid=1879
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553746.467:28958): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffec380 a2=3 a3=1 items=0 ppid=1871 pid=1879 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553747.846:28959): avc: denied { write } for pid=1891
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553747.846:28959): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfc59ac0 a2=3 a3=0 items=0 ppid=1887 pid=1891 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553747.853:28960): avc: denied { write } for pid=1895
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553747.853:28960): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfd65ef0 a2=3 a3=1 items=0 ppid=1887 pid=1895 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281556447.007:29081): avc: denied { write } for pid=2066
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281556447.007:29081): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe8c5f0 a2=3 a3=0 items=0 ppid=2062 pid=2066 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281556447.066:29082): avc: denied { write } for pid=2072
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281556447.066:29082): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf95f8f0 a2=3 a3=1 items=0 ppid=2062 pid=2072 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281560962.921:29306): avc: denied { connectto } for pid=2813
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1281560962.921:29306): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe09950 a2=3 a3=0 items=0 ppid=2809 pid=2813 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281560962.956:29307): avc: denied { connectto } for pid=2819
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1281560962.956:29307): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa97fd0 a2=3 a3=1 items=0 ppid=2809 pid=2819 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281708366.973:25738): avc: denied { connectto } for pid=4423
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281708366.973:25738): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa9ce30 a2=3 a3=0 items=0 ppid=4419 pid=4423 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281708367.002:25739): avc: denied { connectto } for pid=4427
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281708367.002:25739): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf91cf30 a2=3 a3=1 items=0 ppid=4419 pid=4427 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281709806.425:25816): avc: denied { connectto } for pid=4791
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281709806.425:25816): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf933ba0 a2=3 a3=0 items=0 ppid=4787 pid=4791 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281709806.479:25817): avc: denied { connectto } for pid=4797
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281709806.479:25817): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdc0d20 a2=3 a3=1 items=0 ppid=4787 pid=4797 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281822126.149:31680): avc: denied { write } for pid=7792
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281822126.149:31680): arch=40000003 syscall=102 success=yes exit=0
a0=3 a1=bfc60bb0 a2=3 a3=0 items=0 ppid=7788 pid=7792 auid=4294967295 uid=0 gid=12 euid=0
suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281823207.443:31735): avc: denied { write } for pid=7961
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281823207.443:31735): arch=40000003 syscall=102 success=yes exit=0
a0=3 a1=bfd83ea0 a2=3 a3=0 items=0 ppid=7957 pid=7961 auid=4294967295 uid=0 gid=12 euid=0
suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281825185.251:31827): avc: denied { write } for pid=8786
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281825185.251:31827): arch=40000003 syscall=102 success=yes exit=0
a0=3 a1=bfc7a9e0 a2=3 a3=0 items=0 ppid=8782 pid=8786 auid=4294967295 uid=0 gid=12 euid=0
suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281826265.840:31876): avc: denied { write } for pid=8910
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281826265.840:31876): arch=40000003 syscall=102 success=yes exit=0
a0=3 a1=bfe511a0 a2=3 a3=0 items=0 ppid=8906 pid=8910 auid=4294967295 uid=0 gid=12 euid=0
suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
4:07 p.m.
On 08/22/2010 08:24 PM, Arthur Dent wrote:
OK - I have removed the module. As each new denial comes in I will
post
the AVCs here. In the meantime I have included (at the bottom of this
mail) the AVCs that led to the creation of this module.
I rather we start all over because some of the avc denials below dont
make sense i believe.
Which version of policy are you using?
Raw AVCs posted below. If I can, I would prefer to avoid semodule -DB -
at least until there's no alternative. The last time I did this I was
swamped with messages...
You can. We're starting over.
Thanks for your help so far...
OLD Raw AVCs:
=============
(Note: I have not attempted to remove duplicates in case they may not
actually be duplicates...)
# grep clam /var/log/audit/audit.log
type=AVC msg=audit(1281549967.522:25603): avc: denied { write } for pid=7413
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549967.522:25603): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf9c19b0 a2=3 a3=0 items=0 ppid=7409 pid=7413 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549967.553:25604): avc: denied { write } for pid=7419
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549967.553:25604): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe176c0 a2=3 a3=1 items=0 ppid=7409 pid=7419 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549968.933:25605): avc: denied { write } for pid=7433
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549968.933:25605): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf9f7d60 a2=3 a3=0 items=0 ppid=7429 pid=7433 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549968.944:25606): avc: denied { write } for pid=7437
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549968.944:25606): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfef94f0 a2=3 a3=1 items=0 ppid=7429 pid=7437 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549972.233:25607): avc: denied { write } for pid=7457
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549972.233:25607): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffd3850 a2=3 a3=0 items=0 ppid=7453 pid=7457 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549972.245:25608): avc: denied { write } for pid=7461
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549972.245:25608): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfbd0860 a2=3 a3=1 items=0 ppid=7453 pid=7461 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549974.951:25609): avc: denied { write } for pid=7480
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549974.951:25609): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdd9980 a2=3 a3=0 items=0 ppid=7476 pid=7480 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549974.962:25610): avc: denied { write } for pid=7484
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549974.962:25610): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf9009f0 a2=3 a3=1 items=0 ppid=7476 pid=7484 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549979.649:25611): avc: denied { write } for pid=7503
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549979.649:25611): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa76ac0 a2=3 a3=0 items=0 ppid=7499 pid=7503 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549979.684:25612): avc: denied { write } for pid=7509
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549979.684:25612): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfee7530 a2=3 a3=1 items=0 ppid=7499 pid=7509 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549989.907:25613): avc: denied { write } for pid=7547
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549989.907:25613): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bff2eae0 a2=3 a3=0 items=0 ppid=7543 pid=7547 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549989.918:25614): avc: denied { write } for pid=7552
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549989.918:25614): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bff8b3b0 a2=3 a3=1 items=0 ppid=7543 pid=7552 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549992.167:25615): avc: denied { write } for pid=7569
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549992.167:25615): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfb02b50 a2=3 a3=0 items=0 ppid=7565 pid=7569 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549992.178:25616): avc: denied { write } for pid=7573
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549992.178:25616): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf8de0a0 a2=3 a3=1 items=0 ppid=7565 pid=7573 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549995.114:25617): avc: denied { write } for pid=7593
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549995.114:25617): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfea68f0 a2=3 a3=0 items=0 ppid=7589 pid=7593 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549995.129:25618): avc: denied { write } for pid=7598
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549995.129:25618): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffb0530 a2=3 a3=1 items=0 ppid=7589 pid=7598 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549997.583:25619): avc: denied { write } for pid=7617
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549997.583:25619): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdedaa0 a2=3 a3=0 items=0 ppid=7613 pid=7617 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549997.594:25620): avc: denied { write } for pid=7621
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549997.594:25620): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfb8fcc0 a2=3 a3=1 items=0 ppid=7613 pid=7621 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549998.782:25621): avc: denied { write } for pid=7637
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549998.782:25621): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffd7cc0 a2=3 a3=0 items=0 ppid=7633 pid=7637 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281549998.795:25622): avc: denied { write } for pid=7641
comm="clamdscan" name="clamd.sock" dev=sda6 ino=269301
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281549998.795:25622): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa4cfd0 a2=3 a3=1 items=0 ppid=7633 pid=7641 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553746.456:28957): avc: denied { write } for pid=1875
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553746.456:28957): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfd26f70 a2=3 a3=0 items=0 ppid=1871 pid=1875 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553746.467:28958): avc: denied { write } for pid=1879
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553746.467:28958): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bffec380 a2=3 a3=1 items=0 ppid=1871 pid=1879 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553747.846:28959): avc: denied { write } for pid=1891
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553747.846:28959): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfc59ac0 a2=3 a3=0 items=0 ppid=1887 pid=1891 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281553747.853:28960): avc: denied { write } for pid=1895
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281553747.853:28960): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfd65ef0 a2=3 a3=1 items=0 ppid=1887 pid=1895 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281556447.007:29081): avc: denied { write } for pid=2066
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281556447.007:29081): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe8c5f0 a2=3 a3=0 items=0 ppid=2062 pid=2066 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281556447.066:29082): avc: denied { write } for pid=2072
comm="clamdscan" name="clamd.sock" dev=sda6 ino=265935
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0
tclass=sock_file
Somehow you were running clamd in the init script domain rather then in
the clamd domain, this caused clamd to create its socket with a wrong
type, causing clamscan, which by the way seems to run in the wrong
domain aswell, to be denied access to the mislabelled sock file.
type=SYSCALL msg=audit(1281556447.066:29082): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf95f8f0 a2=3 a3=1 items=0 ppid=2062 pid=2072
auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281560962.921:29306): avc: denied { connectto } for pid=2813
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1281560962.921:29306): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe09950 a2=3 a3=0 items=0 ppid=2809 pid=2813 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281560962.956:29307): avc: denied { connectto } for pid=2819
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1281560962.956:29307): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa97fd0 a2=3 a3=1 items=0 ppid=2809 pid=2819 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281708366.973:25738): avc: denied { connectto } for pid=4423
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281708366.973:25738): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfa9ce30 a2=3 a3=0 items=0 ppid=4419 pid=4423 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281708367.002:25739): avc: denied { connectto } for pid=4427
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281708367.002:25739): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf91cf30 a2=3 a3=1 items=0 ppid=4419 pid=4427 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281709806.425:25816): avc: denied { connectto } for pid=4791
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281709806.425:25816): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf933ba0 a2=3 a3=0 items=0 ppid=4787 pid=4791 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281709806.479:25817): avc: denied { connectto } for pid=4797
comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1281709806.479:25817): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdc0d20 a2=3 a3=1 items=0 ppid=4787 pid=4797 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
This is clamscan trying to stream connect to clamd that is running in
the wrong (init rc script domain)
My first guess is that you have mislabeled files. Try to relabel your
file system and then try again from scratch, then if you get any AVC
denials please send them here.
type=AVC msg=audit(1281822126.149:31680): avc: denied { write } for
pid=7792 comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281822126.149:31680): arch=40000003 syscall=102 success=yes
exit=0 a0=3 a1=bfc60bb0 a2=3 a3=0 items=0 ppid=7788 pid=7792 auid=4294967295 uid=0 gid=12
euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281823207.443:31735): avc: denied { write } for pid=7961
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281823207.443:31735): arch=40000003 syscall=102 success=yes
exit=0 a0=3 a1=bfd83ea0 a2=3 a3=0 items=0 ppid=7957 pid=7961 auid=4294967295 uid=0 gid=12
euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281825185.251:31827): avc: denied { write } for pid=8786
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281825185.251:31827): arch=40000003 syscall=102 success=yes
exit=0 a0=3 a1=bfc7a9e0 a2=3 a3=0 items=0 ppid=8782 pid=8786 auid=4294967295 uid=0 gid=12
euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1281826265.840:31876): avc: denied { write } for pid=8910
comm="clamdscan" name="clamd.sock" dev=sda6 ino=263415
scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:clamd_var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1281826265.840:31876): arch=40000003 syscall=102 success=yes
exit=0 a0=3 a1=bfe511a0 a2=3 a3=0 items=0 ppid=8906 pid=8910 auid=4294967295 uid=0 gid=12
euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
4:44 p.m.
On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
On 08/22/2010 08:24 PM, Arthur Dent wrote:
snip...
My first guess is that you have mislabeled files. Try to relabel
your
file system and then try again from scratch, then if you get any AVC
denials please send them here.
OK - Fair point. In fact, now you come to mention it, I have done a lot
of copying from my F11 setup and a lot of other configuration and
haven't done a relabel since about half way through my implementation.
Yesterday I updated with yum and it delivered:
selinux-policy-3.7.19-47.fc13.noarch
selinux-policy-targeted-3.7.19-47.fc13.noarch
So now might be a good time for a relabel...
I will report back (probably tomorrow).
Thanks again...
Mark
3:09 a.m.
On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
> On 08/22/2010 08:24 PM, Arthur Dent wrote:
snip...
> My first guess is that you have mislabeled files. Try to relabel your
> file system and then try again from scratch, then if you get any AVC
> denials please send them here.
OK - Fair point. In fact, now you come to mention it, I have done a lot
of copying from my F11 setup and a lot of other configuration and
haven't done a relabel since about half way through my implementation.
Yesterday I updated with yum and it delivered:
selinux-policy-3.7.19-47.fc13.noarch
selinux-policy-targeted-3.7.19-47.fc13.noarch
So now might be a good time for a relabel...
I will report back (probably tomorrow).
Well this is interesting...
Since unloading my custom clamd module and relabelling I have had NO
avcs! - Not one.
Clamd is still being blocked however, so I have now activated the
semodule -DB thing...
No AVCs have been produced (in the sense that no setroubleshoot emails
have been produced), but here is the output of
ausearch -m avc -ts recent :
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0
a0=9297fe0 a1=9297c90 a2=9297008 a3=929a1e8 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.014:42728): avc: denied { siginh } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.014:42728): avc: denied { rlimitinh } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.302:42730): arch=40000003 syscall=33 success=no exit=-13
a0=87ffc90 a1=2 a2=6fb4f8 a3=86b4088 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.302:42730): avc: denied { write } for pid=23901
comm="setroubleshootd" name="rpm" dev=sda6 ino=203
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.304:42731): arch=40000003 syscall=33 success=no exit=-13
a0=87ffc90 a1=2 a2=6fb4f8 a3=87f9398 items=0 ppid=23900 pid=23901 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.304:42731): avc: denied { write } for pid=23901
comm="setroubleshootd" name="rpm" dev=sda6 ino=203
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe490a0 a2=3 a3=0 items=0 ppid=23912 pid=23916 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0
a0=8e92dd0 a1=8e95760 a2=8e95888 a3=8e95760 items=0 ppid=23925 pid=23926 auid=4294967295
uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0
key=(null)
type=AVC msg=audit(1282550227.096:42735): avc: denied { noatsecure } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { siginh } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { rlimitinh } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 08:57:06 2010
type=SYSCALL msg=audit(1282550226.692:42732): arch=40000003 syscall=11 success=yes exit=0
a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0 ppid=23909 pid=23910 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550226.692:42732): avc: denied { noatsecure } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550226.692:42732): avc: denied { siginh } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550226.692:42732): avc: denied { rlimitinh } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.209:42736): arch=40000003 syscall=5 success=no exit=-13
a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0 ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd"
exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282550227.209:42736): avc: denied { read } for pid=20954
comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
Audit2allow produce some funny stuff when I tried to run this through it
so I think it is best if you take a look at it!
Thanks again.
Mark
3:29 a.m.
On 08/23/2010 10:09 AM, Arthur Dent wrote:
On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>
> snip...
>
>> My first guess is that you have mislabeled files. Try to relabel your
>> file system and then try again from scratch, then if you get any AVC
>> denials please send them here.
>
> OK - Fair point. In fact, now you come to mention it, I have done a lot
> of copying from my F11 setup and a lot of other configuration and
> haven't done a relabel since about half way through my implementation.
>
> Yesterday I updated with yum and it delivered:
> selinux-policy-3.7.19-47.fc13.noarch
> selinux-policy-targeted-3.7.19-47.fc13.noarch
>
> So now might be a good time for a relabel...
>
> I will report back (probably tomorrow).
Well this is interesting...
Since unloading my custom clamd module and relabelling I have had NO
avcs! - Not one.
Clamd is still being blocked however, so I have now activated the
semodule -DB thing...
No AVCs have been produced (in the sense that no setroubleshoot emails
have been produced), but here is the output of
ausearch -m avc -ts recent :
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.014:42728): arch=40000003 syscall=11 success=yes exit=0
a0=9297fe0 a1=9297c90 a2=9297008 a3=929a1e8 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.014:42728): avc: denied { noatsecure } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.014:42728): avc: denied { siginh } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1282550222.014:42728): avc: denied { rlimitinh } for pid=23901
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.302:42730): arch=40000003 syscall=33 success=no
exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=86b4088 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.302:42730): avc: denied { write } for pid=23901
comm="setroubleshootd" name="rpm" dev=sda6 ino=203
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Aug 23 08:57:02 2010
type=SYSCALL msg=audit(1282550222.304:42731): arch=40000003 syscall=33 success=no
exit=-13 a0=87ffc90 a1=2 a2=6fb4f8 a3=87f9398 items=0 ppid=23900 pid=23901 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282550222.304:42731): avc: denied { write } for pid=23901
comm="setroubleshootd" name="rpm" dev=sda6 ino=203
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.040:42733): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe490a0 a2=3 a3=0 items=0 ppid=23912 pid=23916 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.040:42733): avc: denied { search } for pid=23916
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
This is still an issue:
some process running in the procmail_t domain is running
/usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
but it is not domain transitioning to the clamscan_t domain.
Policy defines that if a process running in the procmail_t domain runs a
file labelled clamscan_exec_t, that procmail_t will domain transition to
clamscan_t domain.
This did not happen on your config.
Either your clamdscan executable file is mislabelled or you are missing
a domain transition rule.
Where is your "clamdscan" executable file located, and what is it labelled?
What does the following return:
sesearch -SC --allow -s procmail_t -t clamscan_t -c process
sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.096:42735): arch=40000003 syscall=11 success=yes exit=0
a0=8e92dd0 a1=8e95760 a2=8e95888 a3=8e95760 items=0 ppid=23925 pid=23926 auid=4294967295
uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0
key=(null)
type=AVC msg=audit(1282550227.096:42735): avc: denied { noatsecure } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { siginh } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282550227.096:42735): avc: denied { rlimitinh } for pid=23926
comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 08:57:06 2010
type=SYSCALL msg=audit(1282550226.692:42732): arch=40000003 syscall=11 success=yes exit=0
a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0 ppid=23909 pid=23910 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282550226.692:42732): avc: denied { noatsecure } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550226.692:42732): avc: denied { siginh } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282550226.692:42732): avc: denied { rlimitinh } for pid=23910
comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 08:57:07 2010
type=SYSCALL msg=audit(1282550227.209:42736): arch=40000003 syscall=5 success=no exit=-13
a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0 ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd"
exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282550227.209:42736): avc: denied { read } for pid=20954
comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
Audit2allow produce some funny stuff when I tried to run this through it
so I think it is best if you take a look at it!
Thanks again.
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:40 a.m.
On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
On 08/23/2010 10:09 AM, Arthur Dent wrote:
> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>> ----
> time->Mon Aug 23 08:57:07 2010
> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
This is still an issue:
some process running in the procmail_t domain is running
/usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
but it is not domain transitioning to the clamscan_t domain.
# which clamdscan
/usr/local/bin/clamdscan
# ls -laZ /usr/local/bin/clamdscan
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan
Now, in actual fact, procmail does not call clamdscan directly (it can't
deal with emails), it calls a program called clamassassin which in turn
calls clamdscan.
# ls -laZ /usr/local/bin/clamassassin
-r-xr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamassassin
Policy defines that if a process running in the procmail_t domain runs a
file labelled clamscan_exec_t, that procmail_t will domain transition to
clamscan_t domain.
This did not happen on your config.
Either your clamdscan executable file is mislabelled or you are missing
a domain transition rule.
Where is your "clamdscan" executable file located, and what is it labelled?
see above.
What does the following return:
sesearch -SC --allow -s procmail_t -t clamscan_t -c process
sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
# sesearch -SC --allow -s procmail_t -t clamscan_t -c process
Found 1 semantic av rules:
allow procmail_t clamscan_t : process transition ;
# sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
sesearch: invalid option -- 'f'
Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
[POLICY ...]
Try sesearch --help for more help.
3:42 a.m.
On 08/23/2010 10:40 AM, Arthur Dent wrote:
On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>> ----
>> time->Mon Aug 23 08:57:07 2010
>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920
auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for pid=23920
comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
>
> This is still an issue:
>
> some process running in the procmail_t domain is running
> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
> but it is not domain transitioning to the clamscan_t domain.
# which clamdscan
/usr/local/bin/clamdscan
# ls -laZ /usr/local/bin/clamdscan
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan
Now, in actual fact, procmail does not call clamdscan directly (it can't
deal with emails), it calls a program called clamassassin which in turn
calls clamdscan.
# ls -laZ /usr/local/bin/clamassassin
-r-xr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamassassin
Why are these files located there and not /usr/bin where they are
expected to be? The files are mislabelled.
>
> Policy defines that if a process running in the procmail_t domain runs a
> file labelled clamscan_exec_t, that procmail_t will domain transition to
> clamscan_t domain.
>
> This did not happen on your config.
>
> Either your clamdscan executable file is mislabelled or you are missing
> a domain transition rule.
>
> Where is your "clamdscan" executable file located, and what is it
labelled?
see above.
> What does the following return:
>
> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
# sesearch -SC --allow -s procmail_t -t clamscan_t -c process
Found 1 semantic av rules:
allow procmail_t clamscan_t : process transition ;
# sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
sesearch: invalid option -- 'f'
Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
[POLICY ...]
Try sesearch --help for more help.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:47 a.m.
On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
On 08/23/2010 10:40 AM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>> ----
>>> time->Mon Aug 23 08:57:07 2010
>>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920
auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
>>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for
pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
>>
>> This is still an issue:
>>
>> some process running in the procmail_t domain is running
>> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
>> but it is not domain transitioning to the clamscan_t domain.
>
> # which clamdscan
> /usr/local/bin/clamdscan
>
> # ls -laZ /usr/local/bin/clamdscan
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan
>
> Now, in actual fact, procmail does not call clamdscan directly (it can't
> deal with emails), it calls a program called clamassassin which in turn
> calls clamdscan.
>
> # ls -laZ /usr/local/bin/clamassassin
> -r-xr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamassassin
>
Why are these files located there and not /usr/bin where they are
expected to be? The files are mislabelled.
In both cases I compiled from source and accepted the defaults
in ./configure.
I guess I could try to recompile them in /usr/bin if it is a problem -
but I'm no expert...
>>
>> Policy defines that if a process running in the procmail_t domain runs a
>> file labelled clamscan_exec_t, that procmail_t will domain transition to
>> clamscan_t domain.
>>
>> This did not happen on your config.
>>
>> Either your clamdscan executable file is mislabelled or you are missing
>> a domain transition rule.
>>
>> Where is your "clamdscan" executable file located, and what is it
labelled?
>
> see above.
>
>> What does the following return:
>>
>> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>
> # sesearch -SC --allow -s procmail_t -t clamscan_t -c process
> Found 1 semantic av rules:
> allow procmail_t clamscan_t : process transition ;
>
> # sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
> sesearch: invalid option -- 'f'
> Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
> [POLICY ...]
>
> Try sesearch --help for more help.
>
>
>
>
>
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:56 a.m.
On 08/23/2010 10:47 AM, Arthur Dent wrote:
On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>> ----
>>>> time->Mon Aug 23 08:57:07 2010
>>>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920
auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
>>>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search } for
pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
>>>
>>> This is still an issue:
>>>
>>> some process running in the procmail_t domain is running
>>> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
>>> but it is not domain transitioning to the clamscan_t domain.
>>
>> # which clamdscan
>> /usr/local/bin/clamdscan
>>
>> # ls -laZ /usr/local/bin/clamdscan
>> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/clamdscan
>>
>> Now, in actual fact, procmail does not call clamdscan directly (it can't
>> deal with emails), it calls a program called clamassassin which in turn
>> calls clamdscan.
>>
>> # ls -laZ /usr/local/bin/clamassassin
>> -r-xr-xr-x. root root system_u:object_r:bin_t:s0
/usr/local/bin/clamassassin
>>
>
> Why are these files located there and not /usr/bin where they are
> expected to be? The files are mislabelled.
In both cases I compiled from source and accepted the defaults
in ./configure.
I guess I could try to recompile them in /usr/bin if it is a problem -
but I'm no expert...
The problem there is; who knows what other locations owned by these apps
differ from the expected locations.
Why are you not using redhat supplied packages?
As for clamdscan; for now you could try the following to see if it would
work if this file is labelled correctly:
chcon -t clamscan_exec_t /usr/local/bin/clamdscan
See if that makes things work for you
>
>
>>>
>>> Policy defines that if a process running in the procmail_t domain runs a
>>> file labelled clamscan_exec_t, that procmail_t will domain transition to
>>> clamscan_t domain.
>>>
>>> This did not happen on your config.
>>>
>>> Either your clamdscan executable file is mislabelled or you are missing
>>> a domain transition rule.
>>>
>>> Where is your "clamdscan" executable file located, and what is it
labelled?
>>
>> see above.
>>
>>> What does the following return:
>>>
>>> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>
>> # sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>> Found 1 semantic av rules:
>> allow procmail_t clamscan_t : process transition ;
>>
>> # sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>> sesearch: invalid option -- 'f'
>> Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
>> [POLICY ...]
>>
>> Try sesearch --help for more help.
>>
>>
>>
>>
>>
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
5:20 a.m.
On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
On 08/23/2010 10:47 AM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>> ----
>>>>> time->Mon Aug 23 08:57:07 2010
>>>>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920
auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
>>>>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search }
for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
>>>>
>>>> This is still an issue:
>>>>
>>>> some process running in the procmail_t domain is running
>>>> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its context),
>>>> but it is not domain transitioning to the clamscan_t domain.
>>>
>>> # which clamdscan
>>> /usr/local/bin/clamdscan
>>>
>>> # ls -laZ /usr/local/bin/clamdscan
>>> -rwxr-xr-x. root root system_u:object_r:bin_t:s0
/usr/local/bin/clamdscan
>>>
>>> Now, in actual fact, procmail does not call clamdscan directly (it
can't
>>> deal with emails), it calls a program called clamassassin which in turn
>>> calls clamdscan.
>>>
>>> # ls -laZ /usr/local/bin/clamassassin
>>> -r-xr-xr-x. root root system_u:object_r:bin_t:s0
/usr/local/bin/clamassassin
>>>
>>
>> Why are these files located there and not /usr/bin where they are
>> expected to be? The files are mislabelled.
>
> In both cases I compiled from source and accepted the defaults
> in ./configure.
>
> I guess I could try to recompile them in /usr/bin if it is a problem -
> but I'm no expert...
The problem there is; who knows what other locations owned by these apps
differ from the expected locations.
Why are you not using redhat supplied packages?
Well I started compiling clam from source about 3 or 4 years ago. I got
frustrated with the fact that (at that time - I don't know if it's
better now) it would take sometimes 3-4 weeks after a new release of
clam before the redhat package became available. In the meantime I would
have to put up with daily warnings in syslog.
Also, I am often unable to upgrade to the latest Fedora package until it
is already at end of life (viz - I have only just upgraded to F13 from
F11) and the clam packages would often not be available at all...
As for clamdscan; for now you could try the following to see if it would
work if this file is labelled correctly:
chcon -t clamscan_exec_t /usr/local/bin/clamdscan
See if that makes things work for you
Well I am still getting permission denied...
Latest messages:
----
time->Mon Aug 23 11:09:06 2010
type=SYSCALL msg=audit(1282558146.211:43246): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=24933 pid=24934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282558146.211:43246): avc: denied { noatsecure }
for pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558146.211:43246): avc: denied { siginh } for
pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558146.211:43246): avc: denied { rlimitinh }
for pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 11:12:05 2010
type=SYSCALL msg=audit(1282558325.997:43259): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=24953 pid=24954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282558325.997:43259): avc: denied { noatsecure }
for pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558325.997:43259): avc: denied { siginh } for
pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558325.997:43259): avc: denied { rlimitinh }
for pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.163:43260): arch=40000003 syscall=11
success=yes exit=0 a0=9d75660 a1=9d75538 a2=9d715b8 a3=9d75538 items=0
ppid=24956 pid=24960 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.163:43260): avc: denied { noatsecure }
for pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.163:43260): avc: denied { siginh } for
pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.163:43260): avc: denied { rlimitinh }
for pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.163:43260): avc: denied { read } for
pid=24960 comm="clamdscan" path="/var/spool/mqueue/dfo7NAC5wD024952"
dev=sda6 ino=14772 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.179:43261): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfcfd440 a2=3 a3=0 items=0 ppid=24956
pid=24960 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.179:43261): avc: denied { connectto }
for pid=24960 comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:clamscan_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.209:43262): arch=40000003 syscall=11
success=yes exit=0 a0=9d75ab0 a1=9d75380 a2=9d715b8 a3=9d75380 items=0
ppid=24956 pid=24964 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.209:43262): avc: denied { noatsecure }
for pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.209:43262): avc: denied { siginh } for
pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.209:43262): avc: denied { rlimitinh }
for pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for
pid=24964 comm="clamdscan" path="/var/spool/mqueue/dfo7NAC5wD024952"
dev=sda6 ino=14772 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
type=AVC msg=audit(1282558326.209:43262): avc: denied { write } for
pid=24964 comm="clamdscan" path="/tmp/clamassassinlog.9knHcazJ44"
dev=sda6 ino=86007 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for
pid=24964 comm="clamdscan" path="/tmp/clamassassinmsg.fyU9qe9Rn4"
dev=sda6 ino=67816 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.213:43263): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf9e8a30 a2=3 a3=1 items=0 ppid=24956
pid=24964 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.213:43263): avc: denied { connectto }
for pid=24964 comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:clamscan_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.267:43264): arch=40000003 syscall=11
success=yes exit=0 a0=9e31dd0 a1=9e334c8 a2=9e33620 a3=9e334c8 items=0
ppid=24967 pid=24968 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282558326.267:43264): avc: denied { noatsecure }
for pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282558326.267:43264): avc: denied { siginh } for
pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282558326.267:43264): avc: denied { rlimitinh }
for pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.309:43265): arch=40000003 syscall=5
success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0
ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282558326.309:43265): avc: denied { read } for
pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
time->Mon Aug 23 11:12:09 2010
type=SYSCALL msg=audit(1282558329.941:43268): arch=40000003 syscall=300
success=no exit=-13 a0=9 a1=243c883 a2=bf8d6de0 a3=0 items=0 ppid=1
pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1282558329.941:43268): avc: denied { getattr } for
pid=1228 comm="rpc.mountd" path="/proc/kcore" dev=proc ino=4026531989
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
----
time->Mon Aug 23 11:12:09 2010
type=SYSCALL msg=audit(1282558329.947:43269): arch=40000003 syscall=5
success=no exit=-13 a0=243b978 a1=8000 a2=0 a3=243b938 items=0 ppid=1
pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1282558329.947:43269): avc: denied { read } for
pid=1228 comm="rpc.mountd" name="sda8" dev=devtmpfs ino=5613
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----
>>
>>>>
>>>> Policy defines that if a process running in the procmail_t domain runs
a
>>>> file labelled clamscan_exec_t, that procmail_t will domain transition
to
>>>> clamscan_t domain.
>>>>
>>>> This did not happen on your config.
>>>>
>>>> Either your clamdscan executable file is mislabelled or you are missing
>>>> a domain transition rule.
>>>>
>>>> Where is your "clamdscan" executable file located, and what is
it labelled?
>>>
>>> see above.
>>>
>>>> What does the following return:
>>>>
>>>> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>>> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>>
>>> # sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>> Found 1 semantic av rules:
>>> allow procmail_t clamscan_t : process transition ;
>>>
>>> # sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>> sesearch: invalid option -- 'f'
>>> Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
>>> [POLICY ...]
>>>
>>> Try sesearch --help for more help.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
5:31 a.m.
On 08/23/2010 12:20 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>> ----
>>>>>> time->Mon Aug 23 08:57:07 2010
>>>>>> type=SYSCALL msg=audit(1282550227.058:42734): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf800420 a2=3 a3=1 items=0 ppid=23912 pid=23920
auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="clamdscan" exe="/usr/local/bin/clamdscan"
subj=system_u:system_r:procmail_t:s0 key=(null)
>>>>>> type=AVC msg=audit(1282550227.058:42734): avc: denied { search
} for pid=23920 comm="clamdscan" name="clamd" dev=sda6 ino=269280
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0
tclass=dir
>>>>>
>>>>> This is still an issue:
>>>>>
>>>>> some process running in the procmail_t domain is running
>>>>> /usr/bin/clamdscan (ls -alZ /usr/bin/clamdscan to verify its
context),
>>>>> but it is not domain transitioning to the clamscan_t domain.
>>>>
>>>> # which clamdscan
>>>> /usr/local/bin/clamdscan
>>>>
>>>> # ls -laZ /usr/local/bin/clamdscan
>>>> -rwxr-xr-x. root root system_u:object_r:bin_t:s0
/usr/local/bin/clamdscan
>>>>
>>>> Now, in actual fact, procmail does not call clamdscan directly (it
can't
>>>> deal with emails), it calls a program called clamassassin which in turn
>>>> calls clamdscan.
>>>>
>>>> # ls -laZ /usr/local/bin/clamassassin
>>>> -r-xr-xr-x. root root system_u:object_r:bin_t:s0
/usr/local/bin/clamassassin
>>>>
>>>
>>> Why are these files located there and not /usr/bin where they are
>>> expected to be? The files are mislabelled.
>>
>> In both cases I compiled from source and accepted the defaults
>> in ./configure.
>>
>> I guess I could try to recompile them in /usr/bin if it is a problem -
>> but I'm no expert...
>
> The problem there is; who knows what other locations owned by these apps
> differ from the expected locations.
>
> Why are you not using redhat supplied packages?
Well I started compiling clam from source about 3 or 4 years ago. I got
frustrated with the fact that (at that time - I don't know if it's
better now) it would take sometimes 3-4 weeks after a new release of
clam before the redhat package became available. In the meantime I would
have to put up with daily warnings in syslog.
Also, I am often unable to upgrade to the latest Fedora package until it
is already at end of life (viz - I have only just upgraded to F13 from
F11) and the clam packages would often not be available at all...
>
> As for clamdscan; for now you could try the following to see if it would
> work if this file is labelled correctly:
>
> chcon -t clamscan_exec_t /usr/local/bin/clamdscan
>
> See if that makes things work for you
Well I am still getting permission denied...
Latest messages:
----
time->Mon Aug 23 11:09:06 2010
type=SYSCALL msg=audit(1282558146.211:43246): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=24933 pid=24934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282558146.211:43246): avc: denied { noatsecure }
for pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558146.211:43246): avc: denied { siginh } for
pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558146.211:43246): avc: denied { rlimitinh }
for pid=24934 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 11:12:05 2010
type=SYSCALL msg=audit(1282558325.997:43259): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=24953 pid=24954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282558325.997:43259): avc: denied { noatsecure }
for pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558325.997:43259): avc: denied { siginh } for
pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282558325.997:43259): avc: denied { rlimitinh }
for pid=24954 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.163:43260): arch=40000003 syscall=11
success=yes exit=0 a0=9d75660 a1=9d75538 a2=9d715b8 a3=9d75538 items=0
ppid=24956 pid=24960 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.163:43260): avc: denied { noatsecure }
for pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.163:43260): avc: denied { siginh } for
pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.163:43260): avc: denied { rlimitinh }
for pid=24960 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.163:43260): avc: denied { read } for
pid=24960 comm="clamdscan" path="/var/spool/mqueue/dfo7NAC5wD024952"
dev=sda6 ino=14772 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.179:43261): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfcfd440 a2=3 a3=0 items=0 ppid=24956
pid=24960 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.179:43261): avc: denied { connectto }
for pid=24960 comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:clamscan_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.209:43262): arch=40000003 syscall=11
success=yes exit=0 a0=9d75ab0 a1=9d75380 a2=9d715b8 a3=9d75380 items=0
ppid=24956 pid=24964 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.209:43262): avc: denied { noatsecure }
for pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.209:43262): avc: denied { siginh } for
pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.209:43262): avc: denied { rlimitinh }
for pid=24964 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for
pid=24964 comm="clamdscan" path="/var/spool/mqueue/dfo7NAC5wD024952"
dev=sda6 ino=14772 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
type=AVC msg=audit(1282558326.209:43262): avc: denied { write } for
pid=24964 comm="clamdscan" path="/tmp/clamassassinlog.9knHcazJ44"
dev=sda6 ino=86007 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1282558326.209:43262): avc: denied { read } for
pid=24964 comm="clamdscan" path="/tmp/clamassassinmsg.fyU9qe9Rn4"
dev=sda6 ino=67816 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
this is due to clamassassin not having its own policy currently. You
could probably allow this with audit2allow but only after the problem
described below is fixed.
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.213:43263): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf9e8a30 a2=3 a3=1 items=0 ppid=24956
pid=24964 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282558326.213:43263): avc: denied { connectto }
for pid=24964 comm="clamdscan" path="/var/run/clamd/clamd.sock"
scontext=system_u:system_r:clamscan_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Looks like clamd again/or still runs in the init script domain.
Therefore clamdscan cannot connect to it
ps -auxZ | grep initrc_t
We need to make sure that clamd runs in its own domain.
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.267:43264): arch=40000003 syscall=11
success=yes exit=0 a0=9e31dd0 a1=9e334c8 a2=9e33620 a3=9e334c8 items=0
ppid=24967 pid=24968 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282558326.267:43264): avc: denied { noatsecure }
for pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282558326.267:43264): avc: denied { siginh } for
pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282558326.267:43264): avc: denied { rlimitinh }
for pid=24968 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 11:12:06 2010
type=SYSCALL msg=audit(1282558326.309:43265): arch=40000003 syscall=5
success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0
ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282558326.309:43265): avc: denied { read } for
pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
time->Mon Aug 23 11:12:09 2010
type=SYSCALL msg=audit(1282558329.941:43268): arch=40000003 syscall=300
success=no exit=-13 a0=9 a1=243c883 a2=bf8d6de0 a3=0 items=0 ppid=1
pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1282558329.941:43268): avc: denied { getattr } for
pid=1228 comm="rpc.mountd" path="/proc/kcore" dev=proc
ino=4026531989
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
----
time->Mon Aug 23 11:12:09 2010
type=SYSCALL msg=audit(1282558329.947:43269): arch=40000003 syscall=5
success=no exit=-13 a0=243b978 a1=8000 a2=0 a3=243b938 items=0 ppid=1
pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1282558329.947:43269): avc: denied { read } for
pid=1228 comm="rpc.mountd" name="sda8" dev=devtmpfs ino=5613
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----
>>>
>>>>>
>>>>> Policy defines that if a process running in the procmail_t domain
runs a
>>>>> file labelled clamscan_exec_t, that procmail_t will domain transition
to
>>>>> clamscan_t domain.
>>>>>
>>>>> This did not happen on your config.
>>>>>
>>>>> Either your clamdscan executable file is mislabelled or you are
missing
>>>>> a domain transition rule.
>>>>>
>>>>> Where is your "clamdscan" executable file located, and what
is it labelled?
>>>>
>>>> see above.
>>>>
>>>>> What does the following return:
>>>>>
>>>>> sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>>>> sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>>>
>>>> # sesearch -SC --allow -s procmail_t -t clamscan_t -c process
>>>> Found 1 semantic av rules:
>>>> allow procmail_t clamscan_t : process transition ;
>>>>
>>>> # sesearch -SC --allow -s procmail_t -t clamscan_exec_t -f file
>>>> sesearch: invalid option -- 'f'
>>>> Usage: sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPESSION]
>>>> [POLICY ...]
>>>>
>>>> Try sesearch --help for more help.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
5:57 a.m.
On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
On 08/23/2010 12:20 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift
wrote:
>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>
Looks like clamd again/or still runs in the init script domain.
Therefore clamdscan cannot connect to it
ps -auxZ | grep initrc_t
# ps -auxZ | grep initrc_t
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S Aug21
0:02 ddclient - sleeping for 20 seconds
unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl Aug22
4:01 /usr/local/sbin/clamd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728 pts/0
S+ 11:55 0:00 grep initrc_t
We need to make sure that clamd runs in its own domain.
6:01 a.m.
On 08/23/2010 12:57 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift
wrote:
>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>>
>
> Looks like clamd again/or still runs in the init script domain.
> Therefore clamdscan cannot connect to it
>
> ps -auxZ | grep initrc_t
# ps -auxZ | grep initrc_t
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S Aug21
0:02 ddclient - sleeping for 20 seconds
unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl Aug22
4:01 /usr/local/sbin/clamd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728 pts/0
S+ 11:55 0:00 grep initrc_t
So clamd runs in the wrong domain:
try:
matchpathcon /usr/local/sbin/clamd
chcon -t clamd_exec_t /usr/local/sbin/clamd
service clamd restart
>
> We need to make sure that clamd runs in its own domain.
>
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
6:12 a.m.
On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
On 08/23/2010 12:57 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent
wrote:
>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick
Grift wrote:
>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>>>
>>
>> Looks like clamd again/or still runs in the init script domain.
>> Therefore clamdscan cannot connect to it
>>
>> ps -auxZ | grep initrc_t
>
> # ps -auxZ | grep initrc_t
> Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.8/FAQ
> system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S
Aug21 0:02 ddclient - sleeping for 20 seconds
> unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl
Aug22 4:01 /usr/local/sbin/clamd
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728
pts/0 S+ 11:55 0:00 grep initrc_t
So clamd runs in the wrong domain:
try:
matchpathcon /usr/local/sbin/clamd
chcon -t clamd_exec_t /usr/local/sbin/clamd
service clamd restart
Not quite sure what went wrong here...
# matchpathcon /usr/local/sbin/clamd
/usr/local/sbin/clamd system_u:object_r:bin_t:s0
# chcon -t clamd_exec_t /usr/local/sbin/clamd
# service clamd restart
Stopping clamd: [ OK ]
Starting clamd: [FAILED]
# ausearch -m avc -ts recent
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43466): arch=40000003 syscall=33
success=no exit=-13 a0=8c94b80 a1=4 a2=168ed30 a3=8c94b80 items=0
ppid=25311 pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503
fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295
comm="clamd" exe="/usr/local/sbin/clamd"
subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1282561699.384:43466): avc: denied { read } for
pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43467): arch=40000003 syscall=5
success=no exit=-13 a0=8c94c38 a1=0 a2=1b6 a3=154d519 items=0 ppid=25311
pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503
egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282561699.384:43467): avc: denied { read } for
pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43465): arch=40000003 syscall=33
success=no exit=-13 a0=8c94b80 a1=4 a2=168ed30 a3=8c94b80 items=0
ppid=25311 pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503
fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295
comm="clamd" exe="/usr/local/sbin/clamd"
subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1282561699.384:43465): avc: denied { read } for
pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43468): arch=40000003 syscall=33
success=no exit=-13 a0=8c94c38 a1=4 a2=168ed30 a3=0 items=0 ppid=25311
pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503
egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282561699.384:43468): avc: denied { read } for
pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
6:18 a.m.
On Mon, 2010-08-23 at 12:12 +0100, Arthur Dent wrote:
On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
> On 08/23/2010 12:57 PM, Arthur Dent wrote:
> > On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
> >> On 08/23/2010 12:20 PM, Arthur Dent wrote:
> >>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
> >>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
> >>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
> >>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
> >>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift
wrote:
> >>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
> >>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent
wrote:
> >>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick
Grift wrote:
> >>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent
wrote:
> >>>>>>>>>>
> >>
> >> Looks like clamd again/or still runs in the init script domain.
> >> Therefore clamdscan cannot connect to it
> >>
> >> ps -auxZ | grep initrc_t
> >
> > # ps -auxZ | grep initrc_t
> > Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.8/FAQ
> > system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ?
S Aug21 0:02 ddclient - sleeping for 20 seconds
> > unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ?
Ssl Aug22 4:01 /usr/local/sbin/clamd
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312
728 pts/0 S+ 11:55 0:00 grep initrc_t
>
> So clamd runs in the wrong domain:
>
> try:
>
> matchpathcon /usr/local/sbin/clamd
> chcon -t clamd_exec_t /usr/local/sbin/clamd
> service clamd restart
Not quite sure what went wrong here...
# matchpathcon /usr/local/sbin/clamd
/usr/local/sbin/clamd system_u:object_r:bin_t:s0
# chcon -t clamd_exec_t /usr/local/sbin/clamd
# service clamd restart
Stopping clamd: [ OK ]
Starting clamd: [FAILED]
Addendum:
Just after I sent this message I saw this:
Should I try the setsebool command?
*************************
* !!! ALERT !!! *
* CLAMD IS NOT RUNNING! *
*************************
Attempting to start ClamD...
libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode
LibClamAV Error: cli_load(): Can't open file /usr/local/share/clamav/phish.ndb
ERROR: Can't open file or directory
*************************
* !!! PANIC !!! *
* CLAMD FAILED TO START *
*************************
Check to confirm that the clamd start process defined for
the 'start_clamd' variable in the 'USER EDIT SECTION' is
set correctly for your particular distro. If it is, then
check your logs to determine why clamd failed to start.
6:22 a.m.
On 08/23/2010 01:18 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 12:12 +0100, Arthur Dent wrote:
> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift
wrote:
>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur
Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200,
Dominick Grift wrote:
>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent
wrote:
>>>>>>>>>>>>
>>>>
>>>> Looks like clamd again/or still runs in the init script domain.
>>>> Therefore clamdscan cannot connect to it
>>>>
>>>> ps -auxZ | grep initrc_t
>>>
>>> # ps -auxZ | grep initrc_t
>>> Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.8/FAQ
>>> system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ?
S Aug21 0:02 ddclient - sleeping for 20 seconds
>>> unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ?
Ssl Aug22 4:01 /usr/local/sbin/clamd
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0
4312 728 pts/0 S+ 11:55 0:00 grep initrc_t
>>
>> So clamd runs in the wrong domain:
>>
>> try:
>>
>> matchpathcon /usr/local/sbin/clamd
>> chcon -t clamd_exec_t /usr/local/sbin/clamd
>> service clamd restart
>
> Not quite sure what went wrong here...
>
> # matchpathcon /usr/local/sbin/clamd
> /usr/local/sbin/clamd system_u:object_r:bin_t:s0
> # chcon -t clamd_exec_t /usr/local/sbin/clamd
> # service clamd restart
> Stopping clamd: [ OK ]
> Starting clamd: [FAILED]
>
Addendum:
Just after I sent this message I saw this:
Should I try the setsebool command?
Yes but that may have a bug as well (recently fixed) and we can manually
implement it aswell.
But also implement the patch in my previous post to make fallback to non
execmem work.
*************************
* !!! ALERT !!! *
* CLAMD IS NOT RUNNING! *
*************************
Attempting to start ClamD...
libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode
LibClamAV Error: cli_load(): Can't open file /usr/local/share/clamav/phish.ndb
ERROR: Can't open file or directory
*************************
* !!! PANIC !!! *
* CLAMD FAILED TO START *
*************************
Check to confirm that the clamd start process defined for
the 'start_clamd' variable in the 'USER EDIT SECTION' is
set correctly for your particular distro. If it is, then
check your logs to determine why clamd failed to start.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
6:20 a.m.
On 08/23/2010 01:12 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent
wrote:
>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick
Grift wrote:
>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent
wrote:
>>>>>>>>>>>
>>>
>>> Looks like clamd again/or still runs in the init script domain.
>>> Therefore clamdscan cannot connect to it
>>>
>>> ps -auxZ | grep initrc_t
>>
>> # ps -auxZ | grep initrc_t
>> Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.8/FAQ
>> system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S
Aug21 0:02 ddclient - sleeping for 20 seconds
>> unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ?
Ssl Aug22 4:01 /usr/local/sbin/clamd
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312
728 pts/0 S+ 11:55 0:00 grep initrc_t
>
> So clamd runs in the wrong domain:
>
> try:
>
> matchpathcon /usr/local/sbin/clamd
> chcon -t clamd_exec_t /usr/local/sbin/clamd
> service clamd restart
Not quite sure what went wrong here...
Well now clamd runs in the proper domain but it is denied to read
generic files in /usr/share.
Basically likely another side effect of using a custom package.
Here is how to allow it:
mkdir ~/myclamd; cd ~/myclamd;
echo "policy_module(myclamd, 1.0.0)" > myclamd.te;
echo "gen_require(\`" >> myclamd.te;
echo "type clamd_t;" >> myclamd.te;
echo "')" >> myclamd.te;
echo "files_read_usr_files(clamd_t)" >> myclamd.te;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
But expect more issues after this
# matchpathcon /usr/local/sbin/clamd
/usr/local/sbin/clamd system_u:object_r:bin_t:s0
# chcon -t clamd_exec_t /usr/local/sbin/clamd
# service clamd restart
Stopping clamd: [ OK ]
Starting clamd: [FAILED]
# ausearch -m avc -ts recent
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43466): arch=40000003 syscall=33
success=no exit=-13 a0=8c94b80 a1=4 a2=168ed30 a3=8c94b80 items=0
ppid=25311 pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503
fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295
comm="clamd" exe="/usr/local/sbin/clamd"
subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1282561699.384:43466): avc: denied { read } for
pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43467): arch=40000003 syscall=5
success=no exit=-13 a0=8c94c38 a1=0 a2=1b6 a3=154d519 items=0 ppid=25311
pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503
egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282561699.384:43467): avc: denied { read } for
pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43465): arch=40000003 syscall=33
success=no exit=-13 a0=8c94b80 a1=4 a2=168ed30 a3=8c94b80 items=0
ppid=25311 pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503
fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295
comm="clamd" exe="/usr/local/sbin/clamd"
subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1282561699.384:43465): avc: denied { read } for
pid=25312 comm="clamd" name="daily.cld" dev=sda6 ino=272876
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
----
time->Mon Aug 23 12:08:19 2010
type=SYSCALL msg=audit(1282561699.384:43468): arch=40000003 syscall=33
success=no exit=-13 a0=8c94c38 a1=4 a2=168ed30 a3=0 items=0 ppid=25311
pid=25312 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503
egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282561699.384:43468): avc: denied { read } for
pid=25312 comm="clamd" name="phish.ndb" dev=sda6 ino=263326
scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
1:41 p.m.
On Mon, 2010-08-23 at 13:20 +0200, Dominick Grift wrote:
On 08/23/2010 01:12 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift
wrote:
>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur
Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200,
Dominick Grift wrote:
>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent
wrote:
Well now clamd runs in the proper domain but it is denied to read
generic files in /usr/share.
Basically likely another side effect of using a custom package.
Here is how to allow it:
mkdir ~/myclamd; cd ~/myclamd;
echo "policy_module(myclamd, 1.0.0)" > myclamd.te;
echo "gen_require(\`" >> myclamd.te;
echo "type clamd_t;" >> myclamd.te;
echo "')" >> myclamd.te;
echo "files_read_usr_files(clamd_t)" >> myclamd.te;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
But expect more issues after this
Well that certainly seemed to work - at least to the extent that clamd
restarted OK this time - and now messages are being checked with it and
I am no longer getter permission denied messages. So progress!
There are still some avcs:
----
time->Mon Aug 23 19:36:08 2010
type=SYSCALL msg=audit(1282588568.794:44819): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=27824 pid=27825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282588568.794:44819): avc: denied { noatsecure }
for pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282588568.794:44819): avc: denied { siginh } for
pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282588568.794:44819): avc: denied { rlimitinh }
for pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.206:44820): arch=40000003 syscall=11
success=yes exit=0 a0=9dfd660 a1=9dfd538 a2=9df95b8 a3=9dfd538 items=0
ppid=27827 pid=27831 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282588569.206:44820): avc: denied { noatsecure }
for pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.206:44820): avc: denied { siginh } for
pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.206:44820): avc: denied { rlimitinh }
for pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.206:44820): avc: denied { read } for
pid=27831 comm="clamdscan" path="/var/spool/mqueue/dfo7NIa8Pw027823"
dev=sda6 ino=29025 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.311:44821): arch=40000003 syscall=11
success=yes exit=0 a0=9dfcb40 a1=9dfcae8 a2=9df95b8 a3=9dfcae8 items=0
ppid=27827 pid=27835 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282588569.311:44821): avc: denied { noatsecure }
for pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.311:44821): avc: denied { siginh } for
pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.311:44821): avc: denied { rlimitinh }
for pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.311:44821): avc: denied { read } for
pid=27835 comm="clamdscan" path="/var/spool/mqueue/dfo7NIa8Pw027823"
dev=sda6 ino=29025 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
type=AVC msg=audit(1282588569.311:44821): avc: denied { write } for
pid=27835 comm="clamdscan" path="/tmp/clamassassinlog.oeoLKk3sph"
dev=sda6 ino=86007 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1282588569.311:44821): avc: denied { read } for
pid=27835 comm="clamdscan" path="/tmp/clamassassinmsg.hx0zrEnf40"
dev=sda6 ino=85937 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.400:44822): arch=40000003 syscall=11
success=yes exit=0 a0=8281dd0 a1=8281020 a2=8283650 a3=8281020 items=0
ppid=27839 pid=27840 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282588569.400:44822): avc: denied { noatsecure }
for pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282588569.400:44822): avc: denied { siginh } for
pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282588569.400:44822): avc: denied { rlimitinh }
for pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.460:44823): arch=40000003 syscall=5
success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0
ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282588569.460:44823): avc: denied { read } for
pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
Not sure if they're serious or not...
Thanks again for all your help so far. Much appreciated.
Mark
1:50 p.m.
On 08/23/2010 08:41 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 13:20 +0200, Dominick Grift wrote:
> On 08/23/2010 01:12 PM, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift
wrote:
>>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur
Dent wrote:
>>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200,
Dominick Grift wrote:
>>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur
Dent wrote:
>
> Well now clamd runs in the proper domain but it is denied to read
> generic files in /usr/share.
>
> Basically likely another side effect of using a custom package.
>
> Here is how to allow it:
>
> mkdir ~/myclamd; cd ~/myclamd;
> echo "policy_module(myclamd, 1.0.0)" > myclamd.te;
> echo "gen_require(\`" >> myclamd.te;
> echo "type clamd_t;" >> myclamd.te;
> echo "')" >> myclamd.te;
> echo "files_read_usr_files(clamd_t)" >> myclamd.te;
>
> make -f /usr/share/selinux/devel/Makefile myclamd.pp
> sudo semodule -i myclamd.pp
>
> But expect more issues after this
Well that certainly seemed to work - at least to the extent that clamd
restarted OK this time - and now messages are being checked with it and
I am no longer getter permission denied messages. So progress!
There are still some avcs:
----
time->Mon Aug 23 19:36:08 2010
type=SYSCALL msg=audit(1282588568.794:44819): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=27824 pid=27825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282588568.794:44819): avc: denied { noatsecure }
for pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282588568.794:44819): avc: denied { siginh } for
pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282588568.794:44819): avc: denied { rlimitinh }
for pid=27825 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.206:44820): arch=40000003 syscall=11
success=yes exit=0 a0=9dfd660 a1=9dfd538 a2=9df95b8 a3=9dfd538 items=0
ppid=27827 pid=27831 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282588569.206:44820): avc: denied { noatsecure }
for pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.206:44820): avc: denied { siginh } for
pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.206:44820): avc: denied { rlimitinh }
for pid=27831 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.206:44820): avc: denied { read } for
pid=27831 comm="clamdscan" path="/var/spool/mqueue/dfo7NIa8Pw027823"
dev=sda6 ino=29025 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.311:44821): arch=40000003 syscall=11
success=yes exit=0 a0=9dfcb40 a1=9dfcae8 a2=9df95b8 a3=9dfcae8 items=0
ppid=27827 pid=27835 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282588569.311:44821): avc: denied { noatsecure }
for pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.311:44821): avc: denied { siginh } for
pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.311:44821): avc: denied { rlimitinh }
for pid=27835 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282588569.311:44821): avc: denied { read } for
pid=27835 comm="clamdscan" path="/var/spool/mqueue/dfo7NIa8Pw027823"
dev=sda6 ino=29025 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
type=AVC msg=audit(1282588569.311:44821): avc: denied { write } for
pid=27835 comm="clamdscan" path="/tmp/clamassassinlog.oeoLKk3sph"
dev=sda6 ino=86007 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1282588569.311:44821): avc: denied { read } for
pid=27835 comm="clamdscan" path="/tmp/clamassassinmsg.hx0zrEnf40"
dev=sda6 ino=85937 scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.400:44822): arch=40000003 syscall=11
success=yes exit=0 a0=8281dd0 a1=8281020 a2=8283650 a3=8281020 items=0
ppid=27839 pid=27840 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282588569.400:44822): avc: denied { noatsecure }
for pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282588569.400:44822): avc: denied { siginh } for
pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282588569.400:44822): avc: denied { rlimitinh }
for pid=27840 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Mon Aug 23 19:36:09 2010
type=SYSCALL msg=audit(1282588569.460:44823): arch=40000003 syscall=5
success=no exit=-13 a0=606a29 a1=80000 a2=1b6 a3=6069c5 items=0
ppid=20953 pid=20954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=772 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282588569.460:44823): avc: denied { read } for
pid=20954 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
Not sure if they're serious or not...
Thanks again for all your help so far. Much appreciated.
Mark
open your ~/myclamd/myclamd.te file and append the following:
gen_require(`
type clamscan_t;
')
procmail_rw_tmp_files(clamscan_t)
mta_read_queue(clamscan_t)
Then rebuild be binary representation and reinstall it:
cd ~/myclamd;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
Next rebuild the policy with the hidden denials loaded.
sudo semodule -B
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
5:20 p.m.
On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
open your ~/myclamd/myclamd.te file and append the following:
gen_require(`
type clamscan_t;
')
procmail_rw_tmp_files(clamscan_t)
mta_read_queue(clamscan_t)
Then rebuild be binary representation and reinstall it:
cd ~/myclamd;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
I'm sorry to be a nuisance Dominick, but I'm afraid there's another
problem.
Many people, including myself, who use clamd run a program called
clamdwatch to monitor the fact that the clamd daemon is alive and well.
This basically works by sending the Eicar virus to clamd and if it
doesn't get back the expected virus warning it assumes clamd is dead and
tries to restart it.
I have it running from a cron job:
*/10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
/var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
At the moment, every time this runs it restarts clamd.
Here is the associated avc (still with semanage -DB).
----
time->Mon Aug 23 23:10:02 2010
type=SYSCALL msg=audit(1282601402.200:45477): arch=40000003 syscall=33
success=no exit=-13 a0=a5600488 a1=4 a2=a61ff1fc a3=44 items=0 ppid=1
pid=30729 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1341 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282601402.200:45477): avc: denied { read } for
pid=30729 comm="clamd" name="clamdwatch-Hv4FZ1XIhEGihCAR" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
Next rebuild the policy with the hidden denials loaded.
sudo semodule -B
1:41 a.m.
On 08/24/2010 12:20 AM, Arthur Dent wrote:
On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
> open your ~/myclamd/myclamd.te file and append the following:
>
> gen_require(`
> type clamscan_t;
> ')
>
> procmail_rw_tmp_files(clamscan_t)
> mta_read_queue(clamscan_t)
>
>
> Then rebuild be binary representation and reinstall it:
>
> cd ~/myclamd;
> make -f /usr/share/selinux/devel/Makefile myclamd.pp
> sudo semodule -i myclamd.pp
I'm sorry to be a nuisance Dominick, but I'm afraid there's another
problem.
Many people, including myself, who use clamd run a program called
clamdwatch to monitor the fact that the clamd daemon is alive and well.
This basically works by sending the Eicar virus to clamd and if it
doesn't get back the expected virus warning it assumes clamd is dead and
tries to restart it.
I have it running from a cron job:
*/10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
/var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
At the moment, every time this runs it restarts clamd.
Here is the associated avc (still with semanage -DB).
i guess you could chcon the file from the cronjob to use a type that
clamd_t can access. for example append chcon -t clamd_tmp_t /tmp/clamdwatch*
That would be a workaround.
The other approach is to write policy for clamdwatch.
Another approach which is not encouraged is to allow clamd_t access to
user temporary content.
What package provides this app? and why is it in the admin directory?
----
time->Mon Aug 23 23:10:02 2010
type=SYSCALL msg=audit(1282601402.200:45477): arch=40000003 syscall=33
success=no exit=-13 a0=a5600488 a1=4 a2=a61ff1fc a3=44 items=0 ppid=1
pid=30729 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1341 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282601402.200:45477): avc: denied { read } for
pid=30729 comm="clamd" name="clamdwatch-Hv4FZ1XIhEGihCAR" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
> Next rebuild the policy with the hidden denials loaded.
>
> sudo semodule -B
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
1:55 a.m.
On Tue, 2010-08-24 at 08:41 +0200, Dominick Grift wrote:
On 08/24/2010 12:20 AM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
>
>> open your ~/myclamd/myclamd.te file and append the following:
>>
>> gen_require(`
>> type clamscan_t;
>> ')
>>
>> procmail_rw_tmp_files(clamscan_t)
>> mta_read_queue(clamscan_t)
>>
>>
>> Then rebuild be binary representation and reinstall it:
>>
>> cd ~/myclamd;
>> make -f /usr/share/selinux/devel/Makefile myclamd.pp
>> sudo semodule -i myclamd.pp
>
> I'm sorry to be a nuisance Dominick, but I'm afraid there's another
> problem.
>
> Many people, including myself, who use clamd run a program called
> clamdwatch to monitor the fact that the clamd daemon is alive and well.
>
> This basically works by sending the Eicar virus to clamd and if it
> doesn't get back the expected virus warning it assumes clamd is dead and
> tries to restart it.
>
> I have it running from a cron job:
> */10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm
-fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
>
> At the moment, every time this runs it restarts clamd.
>
> Here is the associated avc (still with semanage -DB).
i guess you could chcon the file from the cronjob to use a type that
clamd_t can access. for example append chcon -t clamd_tmp_t /tmp/clamdwatch*
That would be a workaround.
The other approach is to write policy for clamdwatch.
Another approach which is not encouraged is to allow clamd_t access to
user temporary content.
What package provides this app? and why is it in the admin directory?
Sorry - It's not an app, it's a script (perl). It comes in the clamav
tarball. I have put it in my /root/scripts/ directory where I keep most
of my scripts run from cron.
I can send you a copy if that would help?
Thanks
Mark
2:18 a.m.
On 08/24/2010 08:55 AM, Arthur Dent wrote:
On Tue, 2010-08-24 at 08:41 +0200, Dominick Grift wrote:
> On 08/24/2010 12:20 AM, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
>>
>>> open your ~/myclamd/myclamd.te file and append the following:
>>>
>>> gen_require(`
>>> type clamscan_t;
>>> ')
>>>
>>> procmail_rw_tmp_files(clamscan_t)
>>> mta_read_queue(clamscan_t)
>>>
>>>
>>> Then rebuild be binary representation and reinstall it:
>>>
>>> cd ~/myclamd;
>>> make -f /usr/share/selinux/devel/Makefile myclamd.pp
>>> sudo semodule -i myclamd.pp
>>
>> I'm sorry to be a nuisance Dominick, but I'm afraid there's another
>> problem.
>>
>> Many people, including myself, who use clamd run a program called
>> clamdwatch to monitor the fact that the clamd daemon is alive and well.
>>
>> This basically works by sending the Eicar virus to clamd and if it
>> doesn't get back the expected virus warning it assumes clamd is dead and
>> tries to restart it.
>>
>> I have it running from a cron job:
>> */10 * * * * /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd;
rm -fr /var/run/clamd.sock; rm -rf /tmp/clamav-*; /etc/init.d/clamd start 2>&1 )
>>
>> At the moment, every time this runs it restarts clamd.
>>
>> Here is the associated avc (still with semanage -DB).
>
> i guess you could chcon the file from the cronjob to use a type that
> clamd_t can access. for example append chcon -t clamd_tmp_t /tmp/clamdwatch*
>
> That would be a workaround.
>
> The other approach is to write policy for clamdwatch.
>
> Another approach which is not encouraged is to allow clamd_t access to
> user temporary content.
>
> What package provides this app? and why is it in the admin directory?
Sorry - It's not an app, it's a script (perl). It comes in the clamav
tarball. I have put it in my /root/scripts/ directory where I keep most
of my scripts run from cron.
I can send you a copy if that would help?
no thanks.
Does:
/root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
/var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
/etc/init.d/clamd start 2>&1 )
make it work?
Thanks
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
4:05 a.m.
On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
Does:
/root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
/var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
/etc/init.d/clamd start 2>&1 )
make it work?
Hmm... Why doesn't it like that?
chcon: missing operand
Try `chcon --help' for more information.
Starting clamd: [ OK ]
4:07 a.m.
On 08/24/2010 11:05 AM, Arthur Dent wrote:
On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>
> Does:
> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
> /etc/init.d/clamd start 2>&1 )
>
> make it work?
Hmm... Why doesn't it like that?
chcon: missing operand
Try `chcon --help' for more information.
Starting clamd: [ OK ]
Whoops, its: chcon -t clamd_tmp_t /tmp/clamdwatch*;
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
1:33 p.m.
On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
On 08/24/2010 11:05 AM, Arthur Dent wrote:
> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>
>>
>> Does:
>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
>> /etc/init.d/clamd start 2>&1 )
>>
>> make it work?
>
> Hmm... Why doesn't it like that?
>
> chcon: missing operand
> Try `chcon --help' for more information.
> Starting clamd: [ OK ]
>
Whoops, its: chcon -t clamd_tmp_t /tmp/clamdwatch*;
OK - I'm not sure this approach is going to work. If I run this cronjob
script it returns the following:
chcon: cannot access `/tmp/clamdwatch*': No such file or directory
Starting clamd: [ OK ]
The reason is - I think - because the clamdwatch script does certain
tests and puts the results in /tmp/clamdwatch. Only if the results of
the test fail does it kill everything and clean up after itself and then
restart clamd.
If I try to run the clamdwatch script from the command line this is what
I get:
[root@troodos scripts]# ./clamdwatch
Clamd is in an unknown state.
It returned: /tmp/clamdwatch-ymyC2PA1n1gjmt9Z: Access denied. ERROR
Thanks again..
Mark
2:32 p.m.
On 08/25/2010 08:33 PM, Arthur Dent wrote:
On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
> On 08/24/2010 11:05 AM, Arthur Dent wrote:
>> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>>
>>>
>>> Does:
>>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm -fr
>>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
>>> /etc/init.d/clamd start 2>&1 )
>>>
>>> make it work?
>>
>> Hmm... Why doesn't it like that?
>>
>> chcon: missing operand
>> Try `chcon --help' for more information.
>> Starting clamd: [ OK ]
>>
>
> Whoops, its: chcon -t clamd_tmp_t /tmp/clamdwatch*;
OK - I'm not sure this approach is going to work. If I run this cronjob
script it returns the following:
chcon: cannot access `/tmp/clamdwatch*': No such file or directory
Starting clamd: [ OK ]
Why is that happening? It looks like clamd started "OK" ?
fact of the matter is that clamd_t cannot access user_tmp_t files/dir
so by labelling it clamd_tmp_t , clamd_t should be able to read it.
How to implement that best can be tested.
optionally one could (and probably should) confine clamdwatch but that
would take some work.
i am of the opinion that by just labelling the offending object manually
clamd_tmp_t it should work and be an easy fix.
The reason is - I think - because the clamdwatch script does certain
tests and puts the results in /tmp/clamdwatch. Only if the results of
the test fail does it kill everything and clean up after itself and then
restart clamd.
If I try to run the clamdwatch script from the command line this is what
I get:
[root@troodos scripts]# ./clamdwatch
Clamd is in an unknown state.
It returned: /tmp/clamdwatch-ymyC2PA1n1gjmt9Z: Access denied. ERROR
Thanks again..
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:17 p.m.
On Wed, 2010-08-25 at 21:32 +0200, Dominick Grift wrote:
On 08/25/2010 08:33 PM, Arthur Dent wrote:
> On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
>> On 08/24/2010 11:05 AM, Arthur Dent wrote:
>>> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>>>
>>>>
>>>> Does:
>>>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd; rm
-fr
>>>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t /tmp/clamdwatch*;
>>>> /etc/init.d/clamd start 2>&1 )
>>>>
>>>> make it work?
>>>
>>> Hmm... Why doesn't it like that?
>>>
>>> chcon: missing operand
>>> Try `chcon --help' for more information.
>>> Starting clamd: [ OK ]
>>>
>>
>> Whoops, its: chcon -t clamd_tmp_t /tmp/clamdwatch*;
>
> OK - I'm not sure this approach is going to work. If I run this cronjob
> script it returns the following:
> chcon: cannot access `/tmp/clamdwatch*': No such file or directory
> Starting clamd: [ OK ]
Why is that happening? It looks like clamd started "OK" ?
fact of the matter is that clamd_t cannot access user_tmp_t files/dir
so by labelling it clamd_tmp_t , clamd_t should be able to read it.
How to implement that best can be tested.
optionally one could (and probably should) confine clamdwatch but that
would take some work.
i am of the opinion that by just labelling the offending object manually
clamd_tmp_t it should work and be an easy fix.
Do you speak perl?
This is an extract of the clamdwatch script:
# "CONFIG" section
#
# $Socket values:
# = "3310" (as in the tcp port; make sure $ip is correct if you use this)
# = "/path/to/clamd/socket"
my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
my $log = $options{l} || 0;
my $ip = "127.0.0.1";
my $timeout = $options{t} || 15;
my $lockFile = $options{L} || "/var/lock/subsys/clamd";
my $quiet = $options{q} || 0;
my $sock;
# reversed eicar
my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
chmod('0644', $tempFile);
Could we change that line to add a chcon command?
3:26 p.m.
On 08/25/2010 10:17 PM, Arthur Dent wrote:
On Wed, 2010-08-25 at 21:32 +0200, Dominick Grift wrote:
> On 08/25/2010 08:33 PM, Arthur Dent wrote:
>> On Tue, 2010-08-24 at 11:07 +0200, Dominick Grift wrote:
>>> On 08/24/2010 11:05 AM, Arthur Dent wrote:
>>>> On Tue, 2010-08-24 at 09:18 +0200, Dominick Grift wrote:
>>>>
>>>>>
>>>>> Does:
>>>>> /root/scripts/clamdwatch -q && ( /usr/bin/killall -9 clamd;
rm -fr
>>>>> /var/run/clamd.sock; rm -rf /tmp/clamav-*; chcon -t
/tmp/clamdwatch*;
>>>>> /etc/init.d/clamd start 2>&1 )
>>>>>
>>>>> make it work?
>>>>
>>>> Hmm... Why doesn't it like that?
>>>>
>>>> chcon: missing operand
>>>> Try `chcon --help' for more information.
>>>> Starting clamd: [ OK ]
>>>>
>>>
>>> Whoops, its: chcon -t clamd_tmp_t /tmp/clamdwatch*;
>>
>> OK - I'm not sure this approach is going to work. If I run this cronjob
>> script it returns the following:
>> chcon: cannot access `/tmp/clamdwatch*': No such file or directory
>> Starting clamd: [ OK ]
>
> Why is that happening? It looks like clamd started "OK" ?
> fact of the matter is that clamd_t cannot access user_tmp_t files/dir
> so by labelling it clamd_tmp_t , clamd_t should be able to read it.
>
> How to implement that best can be tested.
>
> optionally one could (and probably should) confine clamdwatch but that
> would take some work.
>
> i am of the opinion that by just labelling the offending object manually
> clamd_tmp_t it should work and be an easy fix.
Do you speak perl?
This is an extract of the clamdwatch script:
# "CONFIG" section
#
# $Socket values:
# = "3310" (as in the tcp port; make sure $ip is correct if you use this)
# = "/path/to/clamd/socket"
my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
my $log = $options{l} || 0;
my $ip = "127.0.0.1";
my $timeout = $options{t} || 15;
my $lockFile = $options{L} || "/var/lock/subsys/clamd";
my $quiet = $options{q} || 0;
my $sock;
# reversed eicar
my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
chmod('0644', $tempFile);
Could we change that line to add a chcon command?
I dont do a lot if perl. this page may help implement it:
http://www.perlhowto.com/executing_external_commands
basically you need to run "chcon -t clamd_tmp_t $templfile"
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:48 p.m.
Hi,
On Wed, Aug 25, 2010 at 10:17 AM, Arthur Dent
<misc.lists(a)blueyonder.co.uk> wrote:
Do you speak perl?
I do. At least some.
This is an extract of the clamdwatch script:
# "CONFIG" section
#
# $Socket values:
# = "3310" (as in the tcp port; make sure $ip is correct if you use this)
# = "/path/to/clamd/socket"
my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
my $log = $options{l} || 0;
my $ip = "127.0.0.1";
my $timeout = $options{t} || 15;
my $lockFile = $options{L} || "/var/lock/subsys/clamd";
my $quiet = $options{q} || 0;
my $sock;
# reversed eicar
my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
chmod('0644', $tempFile);
Could we change that line to add a chcon command?
You just need to enclose it in backquotes (`). So something like this
`chcon -t clamd_tmp_t $templfile` would result in:
my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
`chcon -t clamd_tmp_t $tempFile`
chmod('0644', $tempFile);
However, I think that the mkstemp call is failing since I think this
script cannot write into the /tmp/ directory. You may need to do
something like create a /tmp/clamd/ directory and give it a
clamd_tmp_t type.
Jason
3:51 p.m.
On 08/25/2010 10:48 PM, Jason Axelson wrote:
Hi,
On Wed, Aug 25, 2010 at 10:17 AM, Arthur Dent
<misc.lists(a)blueyonder.co.uk> wrote:
> Do you speak perl?
I do. At least some.
> This is an extract of the clamdwatch script:
>
> # "CONFIG" section
> #
> # $Socket values:
> # = "3310" (as in the tcp port; make sure $ip is correct if you use
this)
> # = "/path/to/clamd/socket"
> my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
> my $log = $options{l} || 0;
> my $ip = "127.0.0.1";
> my $timeout = $options{t} || 15;
> my $lockFile = $options{L} || "/var/lock/subsys/clamd";
> my $quiet = $options{q} || 0;
> my $sock;
>
> # reversed eicar
> my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
> srand;
> my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
> chmod('0644', $tempFile);
>
>
> Could we change that line to add a chcon command?
You just need to enclose it in backquotes (`). So something like this
`chcon -t clamd_tmp_t $templfile` would result in:
my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
`chcon -t clamd_tmp_t $tempFile`
chmod('0644', $tempFile);
However, I think that the mkstemp call is failing since I think this
script cannot write into the /tmp/ directory. You may need to do
something like create a /tmp/clamd/ directory and give it a
clamd_tmp_t type.
It should be able to write into tmp and i think it is. This script is
run by an unconfined user in an unconfined domain
Jason
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
4:05 p.m.
On Wed, Aug 25, 2010 at 10:51 AM, Dominick Grift <domg472(a)gmail.com> wrote:
> my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
> srand;
> my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
> `chcon -t clamd_tmp_t $tempFile`
> chmod('0644', $tempFile);
>
> However, I think that the mkstemp call is failing since I think this
> script cannot write into the /tmp/ directory. You may need to do
> something like create a /tmp/clamd/ directory and give it a
> clamd_tmp_t type.
It should be able to write into tmp and i think it is. This script is
run by an unconfined user in an unconfined domain
In that case the above script should work.
Jason
4:11 p.m.
On Wed, 2010-08-25 at 10:48 -1000, Jason Axelson wrote:
Hi,
On Wed, Aug 25, 2010 at 10:17 AM, Arthur Dent
<misc.lists(a)blueyonder.co.uk> wrote:
> Do you speak perl?
I do. At least some.
> This is an extract of the clamdwatch script:
>
> # "CONFIG" section
> #
> # $Socket values:
> # = "3310" (as in the tcp port; make sure $ip is correct if you use
this)
> # = "/path/to/clamd/socket"
> my $Socket = $options{s} || "/var/run/clamd/clamd.sock";
> my $log = $options{l} || 0;
> my $ip = "127.0.0.1";
> my $timeout = $options{t} || 15;
> my $lockFile = $options{L} || "/var/lock/subsys/clamd";
> my $quiet = $options{q} || 0;
> my $sock;
>
> # reversed eicar
> my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
> srand;
> my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
> chmod('0644', $tempFile);
>
>
> Could we change that line to add a chcon command?
You just need to enclose it in backquotes (`). So something like this
`chcon -t clamd_tmp_t $templfile` would result in:
my $data =
"*H+H\$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE\$}7)CC7)^P(45XZP\\4\[PA\@\%P!O5X";
srand;
my ($fh, $tempFile) = mkstemp( "/tmp/clamdwatch-XXXXXXXXXXXXXXXX" );
`chcon -t clamd_tmp_t $tempFile`
chmod('0644', $tempFile);
However, I think that the mkstemp call is failing since I think this
script cannot write into the /tmp/ directory. You may need to do
something like create a /tmp/clamd/ directory and give it a
clamd_tmp_t type.
Thank you Jason!
Adding `chcon -t clamd_tmp_t $tempFile` as you suggested did actually
work! (although I needed to add a ";" to the end of the line).
I haven't tried it from cron yet, but it works from the command line.
Thanks again.
Mark
4:36 p.m.
On Wed, Aug 25, 2010 at 11:11 AM, Arthur Dent
<misc.lists(a)blueyonder.co.uk> wrote:
Thank you Jason!
Adding `chcon -t clamd_tmp_t $tempFile` as you suggested did actually
work! (although I needed to add a ";" to the end of the line).
I haven't tried it from cron yet, but it works from the command line.
Thanks again.
Mark
Glad it worked Mark. Yeah, I guess I forgot the semi-colon. I think it
should work when you run it from cron although you may need to include
the full path to chcon.
Jason
4:42 p.m.
On Wed, 2010-08-25 at 11:36 -1000, Jason Axelson wrote:
On Wed, Aug 25, 2010 at 11:11 AM, Arthur Dent
<misc.lists(a)blueyonder.co.uk> wrote:
> Thank you Jason!
>
> Adding `chcon -t clamd_tmp_t $tempFile` as you suggested did actually
> work! (although I needed to add a ";" to the end of the line).
>
> I haven't tried it from cron yet, but it works from the command line.
>
> Thanks again.
>
> Mark
Glad it worked Mark. Yeah, I guess I forgot the semi-colon. I think it
should work when you run it from cron although you may need to include
the full path to chcon.
Jason
Yep - It's done two runs with cron so far and everything seems fine. My
thanks to both Jason and Dominick on this one...
Much appreciated.
Mark
1:13 p.m.
On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
open your ~/myclamd/myclamd.te file and append the following:
gen_require(`
type clamscan_t;
')
procmail_rw_tmp_files(clamscan_t)
mta_read_queue(clamscan_t)
Then rebuild be binary representation and reinstall it:
cd ~/myclamd;
make -f /usr/share/selinux/devel/Makefile myclamd.pp
sudo semodule -i myclamd.pp
Next rebuild the policy with the hidden denials loaded.
sudo semodule -B
I'm afraid we're still not quite there yet...
This is from /var/log/clamd.log:
Wed Aug 25 18:27:05 2010 -> WARNING: Control message truncated, no control data
received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor
passing?)
Wed Aug 25 18:27:05 2010 -> WARNING: Error condition on fd 9
I have no idea what fd 9 is.
I also still have a problem with clamdwatch, but I'll deal with that in
a separate posting.
Thanks for your patience and help.
Mark
1:18 p.m.
On 08/25/2010 08:13 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 20:50 +0200, Dominick Grift wrote:
>
> open your ~/myclamd/myclamd.te file and append the following:
>
> gen_require(`
> type clamscan_t;
> ')
>
> procmail_rw_tmp_files(clamscan_t)
> mta_read_queue(clamscan_t)
>
>
> Then rebuild be binary representation and reinstall it:
>
> cd ~/myclamd;
> make -f /usr/share/selinux/devel/Makefile myclamd.pp
> sudo semodule -i myclamd.pp
>
> Next rebuild the policy with the hidden denials loaded.
>
> sudo semodule -B
I'm afraid we're still not quite there yet...
This is from /var/log/clamd.log:
Wed Aug 25 18:27:05 2010 -> WARNING: Control message truncated, no control data
received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor
passing?)
Wed Aug 25 18:27:05 2010 -> WARNING: Error condition on fd 9
I have no idea what fd 9 is.
Probably a file descriptor we missed. run semodule -DB to unload hidden
denials, try to reproduce it and send the AVC denials you are getting so
that we can review them and fix it.
I also still have a problem with clamdwatch, but I'll deal with
that in
a separate posting.
Thanks for your patience and help.
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:42 p.m.
On Wed, 2010-08-25 at 20:18 +0200, Dominick Grift wrote:
>
> I'm afraid we're still not quite there yet...
>
> This is from /var/log/clamd.log:
> Wed Aug 25 18:27:05 2010 -> WARNING: Control message truncated, no control data
received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor
passing?)
> Wed Aug 25 18:27:05 2010 -> WARNING: Error condition on fd 9
>
> I have no idea what fd 9 is.
Probably a file descriptor we missed. run semodule -DB to unload hidden
denials, try to reproduce it and send the AVC denials you are getting so
that we can review them and fix it.
These are avcs I have collected today. I have made no attempt to remove
duplicates and some of them probably relate to when I was playing with
the clamdwatch problem...
----
time->Wed Aug 25 00:48:05 2010
type=SYSCALL msg=audit(1282693685.486:49991): arch=40000003 syscall=11
success=yes exit=0 a0=81af660 a1=81af538 a2=81ab5b8 a3=81af538 items=0
ppid=13003 pid=13007 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282693685.486:49991): avc: denied { noatsecure }
for pid=13007 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282693685.486:49991): avc: denied { siginh } for
pid=13007 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282693685.486:49991): avc: denied { rlimitinh }
for pid=13007 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 00:48:05 2010
type=SYSCALL msg=audit(1282693685.532:49992): arch=40000003 syscall=11
success=yes exit=0 a0=81aeb40 a1=81aeae8 a2=81ab5b8 a3=81aeae8 items=0
ppid=13003 pid=13011 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282693685.532:49992): avc: denied { noatsecure }
for pid=13011 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282693685.532:49992): avc: denied { siginh } for
pid=13011 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282693685.532:49992): avc: denied { rlimitinh }
for pid=13011 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 00:48:05 2010
type=SYSCALL msg=audit(1282693685.536:49993): arch=40000003 syscall=102
success=yes exit=9 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282693685.536:49993): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ELpNsCwoK2" dev=sda6
ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 02:48:05 2010
type=SYSCALL msg=audit(1282700885.042:50296): arch=40000003 syscall=11
success=yes exit=0 a0=9f12660 a1=9f12538 a2=9f0e5b8 a3=9f12538 items=0
ppid=17983 pid=17987 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282700885.042:50296): avc: denied { noatsecure }
for pid=17987 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282700885.042:50296): avc: denied { siginh } for
pid=17987 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282700885.042:50296): avc: denied { rlimitinh }
for pid=17987 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 02:48:05 2010
type=SYSCALL msg=audit(1282700885.104:50297): arch=40000003 syscall=11
success=yes exit=0 a0=9f11b40 a1=9f11ae8 a2=9f0e5b8 a3=9f11ae8 items=0
ppid=17983 pid=17991 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282700885.104:50297): avc: denied { noatsecure }
for pid=17991 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282700885.104:50297): avc: denied { siginh } for
pid=17991 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282700885.104:50297): avc: denied { rlimitinh }
for pid=17991 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 02:48:05 2010
type=SYSCALL msg=audit(1282700885.108:50298): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282700885.108:50298): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.MO3uL9qugu" dev=sda6
ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 03:27:05 2010
type=SYSCALL msg=audit(1282703225.792:50393): arch=40000003 syscall=11
success=yes exit=0 a0=901d660 a1=901d538 a2=90195b8 a3=901d538 items=0
ppid=18347 pid=18351 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282703225.792:50393): avc: denied { noatsecure }
for pid=18351 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282703225.792:50393): avc: denied { siginh } for
pid=18351 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282703225.792:50393): avc: denied { rlimitinh }
for pid=18351 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 03:27:05 2010
type=SYSCALL msg=audit(1282703225.806:50394): arch=40000003 syscall=11
success=yes exit=0 a0=901cb40 a1=901cae8 a2=90195b8 a3=901cae8 items=0
ppid=18347 pid=18355 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282703225.806:50394): avc: denied { noatsecure }
for pid=18355 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282703225.806:50394): avc: denied { siginh } for
pid=18355 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282703225.806:50394): avc: denied { rlimitinh }
for pid=18355 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 03:27:05 2010
type=SYSCALL msg=audit(1282703225.810:50395): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282703225.810:50395): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Miai1XEtS5" dev=sda6
ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 07:06:07 2010
type=SYSCALL msg=audit(1282716367.056:50913): arch=40000003 syscall=11
success=yes exit=0 a0=95a6660 a1=95a6538 a2=95a25b8 a3=95a6538 items=0
ppid=20093 pid=20097 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282716367.056:50913): avc: denied { noatsecure }
for pid=20097 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282716367.056:50913): avc: denied { siginh } for
pid=20097 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282716367.056:50913): avc: denied { rlimitinh }
for pid=20097 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 07:06:07 2010
type=SYSCALL msg=audit(1282716367.101:50914): arch=40000003 syscall=11
success=yes exit=0 a0=95a5b40 a1=95a5ae8 a2=95a25b8 a3=95a5ae8 items=0
ppid=20093 pid=20101 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282716367.101:50914): avc: denied { noatsecure }
for pid=20101 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282716367.101:50914): avc: denied { siginh } for
pid=20101 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282716367.101:50914): avc: denied { rlimitinh }
for pid=20101 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 07:06:07 2010
type=SYSCALL msg=audit(1282716367.105:50915): arch=40000003 syscall=102
success=yes exit=9 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282716367.105:50915): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.5atFlfQtzg" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 08:33:05 2010
type=SYSCALL msg=audit(1282721585.327:51099): arch=40000003 syscall=11
success=yes exit=0 a0=85fe660 a1=85fe538 a2=85fa5b8 a3=85fe538 items=0
ppid=20452 pid=20456 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282721585.327:51099): avc: denied { noatsecure }
for pid=20456 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282721585.327:51099): avc: denied { siginh } for
pid=20456 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282721585.327:51099): avc: denied { rlimitinh }
for pid=20456 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 08:33:05 2010
type=SYSCALL msg=audit(1282721585.342:51100): arch=40000003 syscall=11
success=yes exit=0 a0=85fdb40 a1=85fdae8 a2=85fa5b8 a3=85fdae8 items=0
ppid=20452 pid=20460 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282721585.342:51100): avc: denied { noatsecure }
for pid=20460 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282721585.342:51100): avc: denied { siginh } for
pid=20460 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282721585.342:51100): avc: denied { rlimitinh }
for pid=20460 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 08:33:05 2010
type=SYSCALL msg=audit(1282721585.346:51101): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282721585.346:51101): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.INJ23gPAOG" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 09:18:05 2010
type=SYSCALL msg=audit(1282724285.612:51207): arch=40000003 syscall=11
success=yes exit=0 a0=8ac8660 a1=8ac8538 a2=8ac45b8 a3=8ac8538 items=0
ppid=20860 pid=20864 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282724285.612:51207): avc: denied { noatsecure }
for pid=20864 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282724285.612:51207): avc: denied { siginh } for
pid=20864 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282724285.612:51207): avc: denied { rlimitinh }
for pid=20864 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 09:18:05 2010
type=SYSCALL msg=audit(1282724285.626:51208): arch=40000003 syscall=11
success=yes exit=0 a0=8ac7b40 a1=8ac7ae8 a2=8ac45b8 a3=8ac7ae8 items=0
ppid=20860 pid=20868 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282724285.626:51208): avc: denied { noatsecure }
for pid=20868 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282724285.626:51208): avc: denied { siginh } for
pid=20868 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282724285.626:51208): avc: denied { rlimitinh }
for pid=20868 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 09:18:05 2010
type=SYSCALL msg=audit(1282724285.630:51209): arch=40000003 syscall=102
success=yes exit=9 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282724285.630:51209): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.5o03RffeYk" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 10:06:06 2010
type=SYSCALL msg=audit(1282727166.230:51315): arch=40000003 syscall=11
success=yes exit=0 a0=9a56660 a1=9a56538 a2=9a525b8 a3=9a56538 items=0
ppid=21073 pid=21077 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282727166.230:51315): avc: denied { noatsecure }
for pid=21077 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282727166.230:51315): avc: denied { siginh } for
pid=21077 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282727166.230:51315): avc: denied { rlimitinh }
for pid=21077 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 10:06:06 2010
type=SYSCALL msg=audit(1282727166.245:51316): arch=40000003 syscall=11
success=yes exit=0 a0=9a55b40 a1=9a55ae8 a2=9a525b8 a3=9a55ae8 items=0
ppid=21073 pid=21081 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282727166.245:51316): avc: denied { noatsecure }
for pid=21081 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282727166.245:51316): avc: denied { siginh } for
pid=21081 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282727166.245:51316): avc: denied { rlimitinh }
for pid=21081 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 10:06:06 2010
type=SYSCALL msg=audit(1282727166.248:51317): arch=40000003 syscall=102
success=yes exit=9 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282727166.248:51317): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.UEdCagKAf8" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 15:06:05 2010
type=SYSCALL msg=audit(1282745165.938:52108): arch=40000003 syscall=11
success=yes exit=0 a0=9b2f660 a1=9b2f538 a2=9b2b5b8 a3=9b2f538 items=0
ppid=22700 pid=22704 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282745165.938:52108): avc: denied { noatsecure }
for pid=22704 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282745165.938:52108): avc: denied { siginh } for
pid=22704 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282745165.938:52108): avc: denied { rlimitinh }
for pid=22704 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 15:06:06 2010
type=SYSCALL msg=audit(1282745166.008:52109): arch=40000003 syscall=11
success=yes exit=0 a0=9b2eb40 a1=9b2eae8 a2=9b2b5b8 a3=9b2eae8 items=0
ppid=22700 pid=22708 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282745166.008:52109): avc: denied { noatsecure }
for pid=22708 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282745166.008:52109): avc: denied { siginh } for
pid=22708 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282745166.008:52109): avc: denied { rlimitinh }
for pid=22708 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 15:06:06 2010
type=SYSCALL msg=audit(1282745166.024:52110): arch=40000003 syscall=102
success=yes exit=9 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282745166.024:52110): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ZM4FXWKrfw" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 17:06:04 2010
type=SYSCALL msg=audit(1282752364.895:52419): arch=40000003 syscall=11
success=yes exit=0 a0=8f1c660 a1=8f1c538 a2=8f185b8 a3=8f1c538 items=0
ppid=23444 pid=23448 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282752364.895:52419): avc: denied { noatsecure }
for pid=23448 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282752364.895:52419): avc: denied { siginh } for
pid=23448 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282752364.895:52419): avc: denied { rlimitinh }
for pid=23448 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 17:06:04 2010
type=SYSCALL msg=audit(1282752364.911:52420): arch=40000003 syscall=11
success=yes exit=0 a0=8f1bb40 a1=8f1bae8 a2=8f185b8 a3=8f1bae8 items=0
ppid=23444 pid=23452 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282752364.911:52420): avc: denied { noatsecure }
for pid=23452 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282752364.911:52420): avc: denied { siginh } for
pid=23452 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282752364.911:52420): avc: denied { rlimitinh }
for pid=23452 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 17:06:04 2010
type=SYSCALL msg=audit(1282752364.914:52421): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282752364.914:52421): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.jp96Rb3i34" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 17:18:10 2010
type=SYSCALL msg=audit(1282753090.532:52453): arch=40000003 syscall=11
success=yes exit=0 a0=9473660 a1=9473538 a2=946f5b8 a3=9473538 items=0
ppid=23506 pid=23510 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282753090.532:52453): avc: denied { noatsecure }
for pid=23510 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753090.532:52453): avc: denied { siginh } for
pid=23510 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753090.532:52453): avc: denied { rlimitinh }
for pid=23510 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 17:18:10 2010
type=SYSCALL msg=audit(1282753090.548:52454): arch=40000003 syscall=11
success=yes exit=0 a0=9472b40 a1=9472ae8 a2=946f5b8 a3=9472ae8 items=0
ppid=23506 pid=23514 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282753090.548:52454): avc: denied { noatsecure }
for pid=23514 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753090.548:52454): avc: denied { siginh } for
pid=23514 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753090.548:52454): avc: denied { rlimitinh }
for pid=23514 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 17:18:10 2010
type=SYSCALL msg=audit(1282753090.551:52455): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282753090.551:52455): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.lABWgGT1Bx" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 17:30:08 2010
type=SYSCALL msg=audit(1282753808.292:52485): arch=40000003 syscall=11
success=yes exit=0 a0=95bd660 a1=95bd538 a2=95b95b8 a3=95bd538 items=0
ppid=23570 pid=23574 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282753808.292:52485): avc: denied { noatsecure }
for pid=23574 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753808.292:52485): avc: denied { siginh } for
pid=23574 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753808.292:52485): avc: denied { rlimitinh }
for pid=23574 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 17:30:08 2010
type=SYSCALL msg=audit(1282753808.306:52486): arch=40000003 syscall=11
success=yes exit=0 a0=95bcb40 a1=95bcae8 a2=95b95b8 a3=95bcae8 items=0
ppid=23570 pid=23578 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282753808.306:52486): avc: denied { noatsecure }
for pid=23578 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753808.306:52486): avc: denied { siginh } for
pid=23578 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282753808.306:52486): avc: denied { rlimitinh }
for pid=23578 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 17:30:08 2010
type=SYSCALL msg=audit(1282753808.310:52487): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282753808.310:52487): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.SEBHp9J9FC" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 18:27:05 2010
type=SYSCALL msg=audit(1282757225.655:52637): arch=40000003 syscall=11
success=yes exit=0 a0=8404660 a1=8404538 a2=84005b8 a3=8404538 items=0
ppid=23986 pid=23990 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282757225.655:52637): avc: denied { noatsecure }
for pid=23990 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282757225.655:52637): avc: denied { siginh } for
pid=23990 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282757225.655:52637): avc: denied { rlimitinh }
for pid=23990 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 18:27:05 2010
type=SYSCALL msg=audit(1282757225.682:52638): arch=40000003 syscall=11
success=yes exit=0 a0=8403b40 a1=8403ae8 a2=84005b8 a3=8403ae8 items=0
ppid=23986 pid=23994 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282757225.682:52638): avc: denied { noatsecure }
for pid=23994 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282757225.682:52638): avc: denied { siginh } for
pid=23994 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282757225.682:52638): avc: denied { rlimitinh }
for pid=23994 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 18:27:05 2010
type=SYSCALL msg=audit(1282757225.685:52639): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282757225.685:52639): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.BmRYSmXIWX" dev=sda6
ino=86007 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 19:15:48 2010
type=SYSCALL msg=audit(1282760148.767:52789): arch=40000003 syscall=33
success=no exit=-13 a0=a5500488 a1=4 a2=a60ff1fc a3=44 items=0 ppid=1
pid=24208 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282760148.767:52789): avc: denied { read } for
pid=24208 comm="clamd" name="clamdwatch-dpJvpbczaviGA9DC" dev=sda6
ino=13129 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
time->Wed Aug 25 19:28:16 2010
type=SYSCALL msg=audit(1282760896.264:52831): arch=40000003 syscall=33
success=no exit=-13 a0=a5500488 a1=4 a2=a60ff1fc a3=44 items=0 ppid=1
pid=24267 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282760896.264:52831): avc: denied { read } for
pid=24267 comm="clamd" name="clamdwatch-b_nESSgoTkX3Y8ga" dev=sda6
ino=13129 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
time->Wed Aug 25 19:30:43 2010
type=SYSCALL msg=audit(1282761043.976:52838): arch=40000003 syscall=33
success=no exit=-13 a0=a5500488 a1=4 a2=a60ff1fc a3=44 items=0 ppid=1
pid=24280 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282761043.976:52838): avc: denied { read } for
pid=24280 comm="clamd" name="clamdwatch-ymyC2PA1n1gjmt9Z" dev=sda6
ino=13129 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
3:47 p.m.
On 08/25/2010 10:42 PM, Arthur Dent wrote:
These are avcs I have collected today. I have made no attempt to remove
duplicates and some of them probably relate to when I was playing with
the clamdwatch problem...
type=AVC msg=audit(1282693685.536:49993): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ELpNsCwoK2"
dev=sda6
ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
I thought we allowed this already?
add that to myclamd.te, then rebuild, reinstall
all the other denials can be ignored. (hidden)
procmail_rw_tmp_files(clamd_t)
4:07 p.m.
On Wed, 2010-08-25 at 22:47 +0200, Dominick Grift wrote:
On 08/25/2010 10:42 PM, Arthur Dent wrote:
>
> These are avcs I have collected today. I have made no attempt to remove
> duplicates and some of them probably relate to when I was playing with
> the clamdwatch problem...
> type=AVC msg=audit(1282693685.536:49993): avc: denied { read } for
> pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ELpNsCwoK2"
dev=sda6
> ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> ----
I thought we allowed this already?
add that to myclamd.te, then rebuild, reinstall
all the other denials can be ignored. (hidden)
procmail_rw_tmp_files(clamd_t)
procmail_rw_tmp_file(clad_t) is not in myclamd.te but
procmail_rw_tmp_files(clamscan_t) is.
should I alter, add, or replace it?
i.e. should I have both or just the clamd_t one?
While I have been writing this I have had a tail -f running on the
clamd.log file. At 21:50 I got this message in the clamd.log:
Wed Aug 25 21:51:11 2010 -> WARNING: Control message truncated, no control data
received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor
passing?)
Wed Aug 25 21:51:11 2010 -> WARNING: Error condition on fd 9
These are the avs at the corresponding time:
----
time->Wed Aug 25 21:51:10 2010
type=SYSCALL msg=audit(1282769470.861:53248): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=25769 pid=25770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282769470.861:53248): avc: denied { noatsecure }
for pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282769470.861:53248): avc: denied { siginh } for
pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282769470.861:53248): avc: denied { rlimitinh }
for pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Wed Aug 25 21:51:10 2010
type=SYSCALL msg=audit(1282769470.982:53249): arch=40000003 syscall=11
success=yes exit=0 a0=8b3c660 a1=8b3c538 a2=8b385b8 a3=8b3c538 items=0
ppid=25772 pid=25776 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282769470.982:53249): avc: denied { noatsecure }
for pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc: denied { siginh } for
pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc: denied { rlimitinh }
for pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.032:53250): arch=40000003 syscall=11
success=yes exit=0 a0=8b3bb40 a1=8b3bae8 a2=8b385b8 a3=8b3bae8 items=0
ppid=25772 pid=25780 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282769471.032:53250): avc: denied { noatsecure }
for pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769471.032:53250): avc: denied { siginh } for
pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769471.032:53250): avc: denied { rlimitinh }
for pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.036:53251): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282769471.036:53251): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Vl92TPjc8V" dev=sda6
ino=86064 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.055:53252): arch=40000003 syscall=11
success=yes exit=0 a0=866bdd0 a1=866d4f0 a2=866d670 a3=866d4f0 items=0
ppid=25783 pid=25784 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282769471.055:53252): avc: denied { noatsecure }
for pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282769471.055:53252): avc: denied { siginh } for
pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282769471.055:53252): avc: denied { rlimitinh }
for pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.092:53253): arch=40000003 syscall=5
success=no exit=-13 a0=f75a29 a1=80000 a2=1b6 a3=f759c5 items=0
ppid=17891 pid=17892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1959 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282769471.092:53253): avc: denied { read } for
pid=17892 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
4:11 p.m.
On 08/25/2010 11:07 PM, Arthur Dent wrote:
On Wed, 2010-08-25 at 22:47 +0200, Dominick Grift wrote:
> On 08/25/2010 10:42 PM, Arthur Dent wrote:
>
>>
>> These are avcs I have collected today. I have made no attempt to remove
>> duplicates and some of them probably relate to when I was playing with
>> the clamdwatch problem...
>
>> type=AVC msg=audit(1282693685.536:49993): avc: denied { read } for
>> pid=8053 comm="clamd" path="/tmp/clamassassinmsg.ELpNsCwoK2"
dev=sda6
>> ino=86012 scontext=unconfined_u:system_r:clamd_t:s0
>> tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
>> ----
>
> I thought we allowed this already?
>
> add that to myclamd.te, then rebuild, reinstall
>
> all the other denials can be ignored. (hidden)
>
> procmail_rw_tmp_files(clamd_t)
procmail_rw_tmp_file(clad_t) is not in myclamd.te but
procmail_rw_tmp_files(clamscan_t) is.
should I alter, add, or replace it?
i.e. should I have both or just the clamd_t one?
oh, right use both.
procmail_rw_tmp_files(clamd_t)
procmail_rw_tmp_files(clamscan_t)
While I have been writing this I have had a tail -f running on the
clamd.log file. At 21:50 I got this message in the clamd.log:
Wed Aug 25 21:51:11 2010 -> WARNING: Control message truncated, no control data
received, 1 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor
passing?)
Wed Aug 25 21:51:11 2010 -> WARNING: Error condition on fd 9
These are the avs at the corresponding time:
----
time->Wed Aug 25 21:51:10 2010
type=SYSCALL msg=audit(1282769470.861:53248): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=25769 pid=25770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282769470.861:53248): avc: denied { noatsecure }
for pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282769470.861:53248): avc: denied { siginh } for
pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282769470.861:53248): avc: denied { rlimitinh }
for pid=25770 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
----
time->Wed Aug 25 21:51:10 2010
type=SYSCALL msg=audit(1282769470.982:53249): arch=40000003 syscall=11
success=yes exit=0 a0=8b3c660 a1=8b3c538 a2=8b385b8 a3=8b3c538 items=0
ppid=25772 pid=25776 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282769470.982:53249): avc: denied { noatsecure }
for pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc: denied { siginh } for
pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769470.982:53249): avc: denied { rlimitinh }
for pid=25776 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.032:53250): arch=40000003 syscall=11
success=yes exit=0 a0=8b3bb40 a1=8b3bae8 a2=8b385b8 a3=8b3bae8 items=0
ppid=25772 pid=25780 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="clamdscan"
exe="/usr/local/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0
key=(null)
type=AVC msg=audit(1282769471.032:53250): avc: denied { noatsecure }
for pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769471.032:53250): avc: denied { siginh } for
pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
type=AVC msg=audit(1282769471.032:53250): avc: denied { rlimitinh }
for pid=25780 comm="clamdscan" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:clamscan_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.036:53251): arch=40000003 syscall=102
success=yes exit=1 a0=11 a1=bf9e5ab0 a2=bf9e6158 a3=0 items=0 ppid=1
pid=8053 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503
sgid=503 fsgid=503 tty=(none) ses=1619 comm="clamd"
exe="/usr/local/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0
key=(null)
type=AVC msg=audit(1282769471.036:53251): avc: denied { read } for
pid=8053 comm="clamd" path="/tmp/clamassassinmsg.Vl92TPjc8V"
dev=sda6
ino=86064 scontext=unconfined_u:system_r:clamd_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.055:53252): arch=40000003 syscall=11
success=yes exit=0 a0=866bdd0 a1=866d4f0 a2=866d670 a3=866d4f0 items=0
ppid=25783 pid=25784 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1282769471.055:53252): avc: denied { noatsecure }
for pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282769471.055:53252): avc: denied { siginh } for
pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1282769471.055:53252): avc: denied { rlimitinh }
for pid=25784 comm="spamc" scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=process
----
time->Wed Aug 25 21:51:11 2010
type=SYSCALL msg=audit(1282769471.092:53253): arch=40000003 syscall=5
success=no exit=-13 a0=f75a29 a1=80000 a2=1b6 a3=f759c5 items=0
ppid=17891 pid=17892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1959 comm="spamd" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1282769471.092:53253): avc: denied { read } for
pid=17892 comm="spamd" name="shadow" dev=sda6 ino=85497
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
Yes the remainder of these denails can be ignored
----
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
4:43 a.m.
On Wed, 2010-08-25 at 23:11 +0200, Dominick Grift wrote:
Yes the remainder of these denails can be ignored
Well Dominick, Things seem to be running very well now. No avcs or
permission errors related to clam for the last few hours.
I still have a few other minor problems but I will make them the subject
of another post.
Dank u wel...
Another virtual beer on its way to the Netherlands...
Mark
4:45 a.m.
On 08/26/2010 11:43 AM, Arthur Dent wrote:
On Wed, 2010-08-25 at 23:11 +0200, Dominick Grift wrote:
>
> Yes the remainder of these denails can be ignored
Well Dominick, Things seem to be running very well now. No avcs or
permission errors related to clam for the last few hours.
I still have a few other minor problems but I will make them the subject
of another post.
Dank u wel...
Another virtual beer on its way to the Netherlands...
you're welcome, cheers
Mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
5006
days inactive
5010
days old
selinux@lists.fedoraproject.org
44 comments
3 participants
participants (3)
-
Arthur Dent -
Dominick Grift -
Jason Axelson