Bug 1039644
Summary: | SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Frank Wang <yafrank>
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | high | |
Priority: | unspecified | |
Version: | 6.5 | CC: | dwalsh, mmalik, yafrank
Target Milestone: | rc | |
Hardware: | x86_64 | |
OS: | Linux | |
Doc Type: | Bug Fix | |
Clone Of: | | |
: | 1248785 | |
Last Closed: | 2014-10-14 07:58:23 UTC | Type: | Bug

clamd-0.98-2.el6.x86_64
dspam-3.10.2-4.el6.x86_64

Could you please attach the raw AVC message from /var/log/audit/audit.log?

Created attachment 834668
The clamd raw audit log

If any further info is required, please let me know.

Created attachment 834777
local selinux policy installed before upgrade

These types were compiled and installed to make the mail system work with selinux before upgrade.

The selinux-policy-targeted is updated to 3.7.19-231.el6_5.3, and it's still the same. I had found a similar problem in BZ#1015819 which says glusterfsd using a random local port was blocked by selinux. That one was fixed.

I've found a workaround from the clamd side to the problem. There are port range limiting settings in /etc/clamd.conf. I set them as follows:

```
vi /etc/clamd.conf
...
StreamMinPort 30000
StreamMaxPort 30099
```

Then label the source port range as selinux suggests:

```
# Label every port in the clamd stream range as clamd_port_t
for i in $(seq 30000 30099); do
    echo "$i"
    semanage port -a -t clamd_port_t -p tcp "$i"
done
service clamd start
```

```
vi /etc/dspam.conf
...
ClamAVPort 3310
ClamAVHost 127.0.0.1
ClamAVResponse spam
```

```
service clamd reload
```

Now, selinux won't complain and virus detection works as expected. I think there's a problem with this workaround. As the OS could randomly choose source ports for other applications in the server, what if they're in the set range above that is not used by clamd? Then selinux will treat them as from source domain clamd_port_t and probably block them.

Ok, we need to add specific RHEL6 fixes to the policy for this case. I sent a patch to Miroslav.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

Created attachment 834395
sample sealert information

Description of problem:
After upgrading to release 6.5, clamd starts to fail handling any incoming mail and raises the above selinux denials. As the source port is randomly selected by clamd, it's not possible to use the sealert suggestion "grep clamd /var/log/audit/audit.log | audit2allow -M mypol" to work around the problem.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install release 6.4 and configure a mail server using clamd from EPEL as the antivirus tool in the mail process chain. Verify mail sending/receiving works as expected and an Eicar test attachment is tagged correctly by clamd.
2. Upgrade to release 6.5.
3. Send any mail containing an eicar test attachment to the server.

Actual results:
selinux denials are raised like above and clamd fails to tag the eicar test mail. The antivirus subsystem is actually down.

Expected results:
no selinux denial and clamd tags mail correctly.

Additional info:
In my case, clamd uses the default config and is used by dspam.conf as follows:

```
ClamAVPort 3310
ClamAVHost 127.0.0.1
ClamAVResponse spam
```
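
The workaround comment above asks whether ports in the range labelled `clamd_port_t` could also be chosen by the OS as source ports for other applications. As an added example (not part of the bug report or of selinux-policy), the script below compares the `StreamMinPort`/`StreamMaxPort` range from a clamd.conf-style file with the kernel's ephemeral range in `/proc/sys/net/ipv4/ip_local_port_range`; the function names, the constructed sample config and the fallback range `32768 61000` are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): does the port range configured for
# clamd overlap the kernel's ephemeral source-port range?

# Print "MIN MAX" from a clamd.conf-style file; fail if unset or inverted.
clamd_stream_range() {
    awk '$1 == "StreamMinPort" { min = $2 }
         $1 == "StreamMaxPort" { max = $2 }
         END { if (min == "" || max == "" || min + 0 > max + 0) exit 1
               print min, max }' "$1"
}

# Print the intersection "LO HI" of two inclusive ranges; return 1 if disjoint.
range_overlap() {
    lo=$1; hi=$2
    if [ "$3" -gt "$lo" ]; then lo=$3; fi
    if [ "$4" -lt "$hi" ]; then hi=$4; fi
    if [ "$lo" -gt "$hi" ]; then return 1; fi
    echo "$lo $hi"
}

# Print "disjoint" or "overlap LO HI" for a config file and a range "LOW HIGH".
check_clamd_ports() {
    stream=$(clamd_stream_range "$1") || { echo "no StreamMinPort/StreamMaxPort" >&2; return 2; }
    # Unquoted on purpose: "MIN MAX" and "LOW HIGH" split into four arguments.
    if hit=$(range_overlap $stream $2); then
        echo "overlap $hit"
    else
        echo "disjoint"
    fi
}

# Demo on a constructed config using the values from the workaround comment.
demo_conf=$(mktemp)
printf 'StreamMinPort 30000\nStreamMaxPort 30099\n' > "$demo_conf"
# Live kernel setting if readable, otherwise a constructed fallback value.
eph=$(cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || true)
if [ -z "$eph" ]; then eph="32768 61000"; fi
echo "clamd stream ports: $(clamd_stream_range "$demo_conf")"
echo "ephemeral ports:    $eph"
echo "result:             $(check_clamd_ports "$demo_conf" "$eph")"
rm -f "$demo_conf"
```

An `overlap` result means the kernel can hand out ports from the labelled range as source ports for other processes.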