Bug 1248785
| Summary: | SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | dan |
| Component: | selinux-policy | Assignee: | Vit Mojzis <vmojzis> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 22 | CC: | dan, dominick.grift, dwalsh, lvrabec, mgrepl, mmalik, plautrba, yafrank |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-128.23.fc22 selinux-policy-3.13.1-128.28.fc22 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1039644 | Environment: | |
| Last Closed: | 2016-05-10 17:57:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
dan
2015-07-30 20:03:52 UTC
Checking to see if this will be addressed during the FC22 lifecycle? You can allow it for now using # grep clamd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Every time clamd runs, it seeks to bind to a different ephemeral port. Will running this allow for all > 1023 or just 1533 as is my understand? Please advise. It will allow just 1533 as you wrote. We need to update the policy to allow all ephemeral ports. Did you mean all unreserved ports? unreserved_port_t tcp 1024-32767, 61001-65535 ephemeral_port_t tcp 32768-61000 It looks like unreserved would work...however, the answer may be more granular. I found that there is a port range defined in /etc/clamd.d/scan.conf which defaults to 1024-2048. StreamingMinPort 1024 StreamingMaxPort 2048 So I tried the following: semanage port -a -t clamd_port_t -p tcp 1024-2048 I am still having some issues with clamd but it appears to have gotten rid of the selinux blocks. Some further info...in attempting to make use of the ClamAV.pm plugin for spamassassin with clamd, I have determined that there also needs to be a related policy change for spamassassin. spamassassin tries to use /usr/bin/perl for a name_connect that is being denied. I put both spamassassin and antivirus in permissive mode to get this all working. When an incoming email arrives, spamassassin attempts a connect to a local socket and the following is observed: SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket port xxxx. (unreserved) SELinux is preventing /usr/bin/perl from name_connect access on the tcp_socket port xxxx. (unreserved) So now I see both sides of the connection. This should fix the issue for clamd. As for perl, please file a separate bug. https://github.com/fedora-selinux/selinux-policy/pull/71 commit bf50440b673199148f9bc07d18db37e17e5e1d38 Author: Vit Mojzis <vmojzis> Date: Thu Nov 19 14:59:08 2015 +0100 Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). Seems to work, thank you. Is there a way to display what is allowed for a process domain using sepolicy or some other command? sesearch -s antivirus_t -c tcp_socket -p name_bind -A -C The sesearch tool comes from setools-console package. Confirm rule is installed and behavior is correct. Bug report can be resolved.
Found 6 semantic av rules:
allow antivirus_domain amavisd_recv_port_t : tcp_socket name_bind ;
allow antivirus_t unreserved_port_type : tcp_socket name_bind ;
allow antivirus_domain clamd_port_t : tcp_socket { name_bind name_connect } ;
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
The occassional port is still being denied:
Additional Information:
Source Context system_u:system_r:antivirus_t:s0
Target Context system_u:object_r:flash_port_t:s0
Target Objects port 1935 [ tcp_socket ]
Source clamd
Source Path /usr/sbin/clamd
Port 1935
Host ears.private
Source RPM Packages clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ears.private
Platform Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP
Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count 3
First Seen 2015-11-27 00:00:43 EST
Last Seen 2015-12-01 06:54:21 EST
Local ID e563e79c-7bbe-4895-991c-3f4f0406321c
Raw Audit Messages
type=AVC msg=audit(1448970861.756:7548): avc: denied { name_bind } for pid=10411 comm="clamd" src=1935 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:flash_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1448970861.756:7548): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=10411 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)
Hash: clamd,antivirus_t,flash_port_t,tcp_socket,name_bind
----------
Additional Information:
Source Context system_u:system_r:antivirus_t:s0
Target Context system_u:object_r:lmtp_port_t:s0
Target Objects port 2003 [ tcp_socket ]
Source clamd
Source Path /usr/sbin/clamd
Port 2003
Host ears.private
Source RPM Packages clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ears.private
Platform Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP
Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count 2
First Seen 2015-11-28 23:30:10 EST
Last Seen 2015-11-29 20:34:37 EST
Local ID 14c678c1-6092-4dd5-ae46-6a54cce610e2
Raw Audit Messages
type=AVC msg=audit(1448847277.766:5370): avc: denied { name_bind } for pid=364 comm="clamd" src=2003 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1448847277.766:5370): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=364 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)
Hash: clamd,antivirus_t,lmtp_port_t,tcp_socket,name_bind
-------
Additional Information:
Source Context system_u:system_r:antivirus_t:s0
Target Context system_u:object_r:pop_port_t:s0
Target Objects port 1109 [ tcp_socket ]
Source clamd
Source Path /usr/sbin/clamd
Port 1109
Host ears.private
Source RPM Packages clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ears.private
Platform Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP
Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-11-28 08:06:23 EST
Last Seen 2015-11-28 08:06:23 EST
Local ID 0bbc22a3-a665-4170-ac3c-0840f10cd1da
Raw Audit Messages
type=AVC msg=audit(1448715983.858:3206): avc: denied { name_bind } for pid=30861 comm="clamd" src=1109 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1448715983.858:3206): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=30861 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)
Hash: clamd,antivirus_t,pop_port_t,tcp_socket,name_bind
Does the occasional deny cause clamd to crash, or does it simply choose different port? If it's the latter case, we could just stop auditing the failed attempts. Remote clients such as spam assassin would then only need access to unreserved ports. Good question, if you (or someone) can suggest a way to verify I will assist. I checked the system logs and there is no sign of a clamd crash. I would have to try to match up a particular piece of email received at the time of the selinux block to see if it was actually scanned by examining the message headers. I will try this unless someone has a more straightforward debugging suggestion. I did match up one incoming email that was flagged as spam with no virus with a date/time match to the AVC. The email appears to have been properly scanned so I surmise (but cannot confirm) that the client tried an alternate tcpopen when the first one failed. selinux-policy-3.13.1-128.22.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683 My idea was to narrow down the range of available ports by changing values of StreamingMinPort and StreamingMaxPort, so as to increase the chance of deny by SELinux. The range would obviously have to contain an "assigned" port. Following values should do (documentation doesn't specify any limit for the range size, hopefully there isn't any) StreamingMinPort 1935 (assuming the range is inclusive) StreamingMaxPort 1936 as 1935 is labeled flash_port_t. You could then try sending yourself a fake email (eg. using https://emkei.cz/) containing key words (or source address) that would cause it to be flagged as spam. However, I believe that the absence of clamd crash reports (and your following analysis) should suffice as a confirmation. commit 55ab92e1aff5af3acc22c9c34fdac442e34ae5ca Author: Vit Mojzis <vmojzis> Date: Wed Dec 9 15:49:21 2015 +0100 Dontaudit attempts of antivirus_t to bind to reserved ports. #1248785 It randomly chooses port in range 1024-2048 (by default), some of which are assigned. selinux-policy-3.13.1-128.22.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683 selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4 selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4 selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |