Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1002593

Summary: Antiviruses' policy comparison regarding the move to antivirus_t
Product: Red Hat Enterprise Linux 6 Reporter: Michal Trunecka <mtruneck>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.5CC: dwalsh, ebenes, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-214.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 10:50:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Trunecka 2013-08-29 13:49:06 UTC 
Description of problem:
I compared policies of antiviruses' types (amavis_t, clamd_t, clamscan_t and freshclam_t) with the current policy with single antivirus_t type.

The comparison was performed between following policy versions:

selinux-policy-3.7.19-212.el6
selinux-policy-3.7.19-195.el6_4.12

Basicaly I reviewed what access was granted before and was removed by the move to antivirus_t.


=== ALLOW RULES ===

Following rules were allowed in the RHEL6.4 policy, but don't have equivalent rules in 6.5.0 policy:

allow freshclam_t user_tmp_t : sock_file { write append open }
allow freshclam_t proc_net_t : file { ioctl read getattr lock open }
allow freshclam_t proc_net_t : dir { ioctl read getattr lock search open }
allow freshclam_t proc_net_t : lnk_file { read getattr }
allow freshclam_t http_cache_port_t : tcp_socket { name_connect }
allow freshclam_t userdomain : unix_stream_socket { connectto }


Following rules was not found in the new policy, because the target types are not marked as aliases of the new ones. It won't block access but it might cause some backward compatibility problems:

allow clamd_t clamd_var_log_t : dir { create unlink link rename reparent rmdir }
allow amavis_t amavis_etc_t : file { ioctl read getattr lock open }
allow amavis_t amavis_etc_t : dir { ioctl read getattr lock open search }
allow amavis_t amavis_etc_t : lnk_file {  read getattr  }


=== DONTAUDIT RULES ===

A lot of tcp_socket name_bind dontaudit rules were removed:

e.g.:
dontaudit clamd_t ftp_data_port_t : tcp_socket name_bind


And here is the rest of dontaudit rules which are no longer in RHEL6.5 policy:

dontaudit clamscan_t initrc_var_run_t : file { write lock }
dontaudit amavis_t clamscan_t : process { noatsecure siginh rlimitinh }
dontaudit amavis_t proc_t : file { ioctl read getattr lock open }
dontaudit clamscan_t clamscan_t : process execmem
dontaudit freshclam_t freshclam_t : process execmem
dontaudit amavis_t amavis_t : process execmem
dontaudit clamd_t clamd_t : process execmem
Comment 1 Daniel Walsh 2013-08-29 14:32:47 UTC 
Nice work Michal.
Comment 2 Miroslav Grepl 2013-09-02 14:13:28 UTC 
Yeap.

Michal,
I see

typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t }
Comment 3 Miroslav Grepl 2013-09-06 10:20:26 UTC 
dontaudit clamscan_t initrc_var_run_t : file { write lock }

Fixed.

dontaudit amavis_t proc_t : file { ioctl read getattr lock open }

we allow it now.

dontaudit clamscan_t clamscan_t : process execmem
dontaudit freshclam_t freshclam_t : process execmem
dontaudit amavis_t amavis_t : process execmem
dontaudit clamd_t clamd_t : process execmem

these are a part of the antivirus_use_jit boolean boolean.
Comment 6 errata-xmlrpc 2013-11-21 10:50:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html