Bug 1002593
| Summary: | Antiviruses' policy comparison regarding the move to antivirus_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Trunecka <mtruneck> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | dwalsh, ebenes, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-214.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-21 10:50:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Nice work Michal. Yeap.
Michal,
I see
typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t }
dontaudit clamscan_t initrc_var_run_t : file { write lock }
Fixed.
dontaudit amavis_t proc_t : file { ioctl read getattr lock open }
we allow it now.
dontaudit clamscan_t clamscan_t : process execmem
dontaudit freshclam_t freshclam_t : process execmem
dontaudit amavis_t amavis_t : process execmem
dontaudit clamd_t clamd_t : process execmem
these are a part of the antivirus_use_jit boolean boolean.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html |
Description of problem: I compared policies of antiviruses' types (amavis_t, clamd_t, clamscan_t and freshclam_t) with the current policy with single antivirus_t type. The comparison was performed between following policy versions: selinux-policy-3.7.19-212.el6 selinux-policy-3.7.19-195.el6_4.12 Basicaly I reviewed what access was granted before and was removed by the move to antivirus_t. === ALLOW RULES === Following rules were allowed in the RHEL6.4 policy, but don't have equivalent rules in 6.5.0 policy: allow freshclam_t user_tmp_t : sock_file { write append open } allow freshclam_t proc_net_t : file { ioctl read getattr lock open } allow freshclam_t proc_net_t : dir { ioctl read getattr lock search open } allow freshclam_t proc_net_t : lnk_file { read getattr } allow freshclam_t http_cache_port_t : tcp_socket { name_connect } allow freshclam_t userdomain : unix_stream_socket { connectto } Following rules was not found in the new policy, because the target types are not marked as aliases of the new ones. It won't block access but it might cause some backward compatibility problems: allow clamd_t clamd_var_log_t : dir { create unlink link rename reparent rmdir } allow amavis_t amavis_etc_t : file { ioctl read getattr lock open } allow amavis_t amavis_etc_t : dir { ioctl read getattr lock open search } allow amavis_t amavis_etc_t : lnk_file { read getattr } === DONTAUDIT RULES === A lot of tcp_socket name_bind dontaudit rules were removed: e.g.: dontaudit clamd_t ftp_data_port_t : tcp_socket name_bind And here is the rest of dontaudit rules which are no longer in RHEL6.5 policy: dontaudit clamscan_t initrc_var_run_t : file { write lock } dontaudit amavis_t clamscan_t : process { noatsecure siginh rlimitinh } dontaudit amavis_t proc_t : file { ioctl read getattr lock open } dontaudit clamscan_t clamscan_t : process execmem dontaudit freshclam_t freshclam_t : process execmem dontaudit amavis_t amavis_t : process execmem dontaudit clamd_t clamd_t : process execmem