Bug 1351752

Summary: SELinux is preventing /usr/sbin/clamd from write access on a temporary file
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: ---
Type: Bug
Reporter: Ugo Bellavance <ubellavance>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Last Closed: 2017-10-12 12:17:42 UTC

Description Ugo Bellavance 2016-06-30 18:01:49 UTC
Description of problem:

When sending an e-mail to clamav via clamav-milter, SELinux blocks clamd from writing a temp file in /tmp.


Version-Release number of selected component (if applicable):

clamav-server-0.99.1-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1.RHEL7 fresh install
2.Install and configure clamd (unix socket), clamav-milter (tcp socket), postfix
3.Send an email to postfix from another machine

Actual results:

A tempfail is returned. 

/var/log/messages:

SELinux is preventing /usr/sbin/clamd from write access on the file /tmp/clamav-d0b6f19efb48b1991ec5d8cb854d5435.tmp (deleted).

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that clamd should be allowed write access on the clamav-d0b6f19efb48b1991ec5d8cb854d5435.tmp (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Output of grep clamd /var/log/audit/audit.log | audit2allow

#============= antivirus_t ==============
allow antivirus_t init_tmp_t:file write;



Expected results:
Message is accepted


Additional info:

Someone wrote a post about the installation and configuration of clamav-milter on RHEL7 and there is a mention of a SELinux module to be able to use both:
http://www.alcancelibre.org/staticpages/index.php/como-clamav-milter
The module code is here:
http://www.alcancelibre.org/linux/secrets/clamav-milter.te

That would explain why I couldn't make it work with a UNIX socket (milter).

Comment 4 Lukas Vrabec 2017-10-12 12:17:42 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
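
A practitioner's check on the `grep clamd /var/log/audit/audit.log | audit2allow -M mypol` step quoted in the description and recommended again in the closing comment, as an added example that is not code from the bug report or from the selinux-policy project: the script below parses AVC denial records of the kind the report quotes and renders the same minimal Type Enforcement (.te) module that audit2allow writes, so the allow rule can be read before it is compiled and loaded. The audit.log excerpt is constructed for this example and modelled on the denial in the description; the pid, inode, event ids and timestamps are invented, and the third record (domain `otherd_t`, a made-up type) exists only to show why the `grep clamd` pre-filter matters.

```python
"""Render a minimal SELinux Type Enforcement (.te) module from AVC denials.

Added example, not code from the bug report or from selinux-policy: it
reproduces what `grep clamd audit.log | audit2allow -M mypol` does, on
constructed log lines, so the resulting allow rule can be reviewed before
it is compiled and loaded.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt modelled on the denial in the report.
# pid, inode, event ids and timestamps are invented; the contexts and the
# "(deleted)" path are as the report shows them ("(deleted)" only means the
# temp file had already been unlinked when the kernel rendered its path).
# The otherd/otherd_t record is a made-up, unrelated denial that exists only
# to exercise the comm filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1467309709.123:4521): avc:  denied  { write } for  pid=2874 comm="clamd" path="/tmp/clamav-d0b6f19efb48b1991ec5d8cb854d5435.tmp (deleted)" dev="dm-0" ino=67890 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1467309709.123:4521): arch=c000003e syscall=1 success=no exit=-13 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(1467309710.456:4522): avc:  denied  { read } for  pid=2874 comm="clamd" path="/tmp/clamav-d0b6f19efb48b1991ec5d8cb854d5435.tmp (deleted)" dev="dm-0" ino=67890 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467309711.789:4523): avc:  denied  { getattr } for  pid=3011 comm="otherd" path="/tmp/otherd.state" dev="dm-0" ino=12345 scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:object_r:otherd_tmp_t:s0 tclass=file permissive=0
"""

# The fields audit2allow needs from an AVC record: the denied permissions,
# the source and target security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def type_of(context):
    """user:role:type[:level] -> the type component (third field)."""
    return context.split(":")[2]


def parse_denials(log_text, comm=None):
    """Return {(source_type, target_type, tclass): set_of_perms}.

    With `comm` set, only denials from that process name are kept, which is
    what the `grep clamd` in the report's pipeline does.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no AVC fields
        if comm is not None:
            c = COMM_RE.search(line)
            if not c or c.group(1) != comm:
                continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(denials, module_name="mypol", version="1.0"):
    """Render the .te text audit2allow -M would write for these denials."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {fmt_perms(p)};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    by_src = defaultdict(list)  # audit2allow groups rules under a per-source header
    for (src, tgt, cls), perms in sorted(denials.items()):
        by_src[src].append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    for src in sorted(by_src):
        out.append(f"#============= {src} ==============")
        out.extend(by_src[src])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_te(parse_denials(SAMPLE_AUDIT_LOG, comm="clamd")))
```

On the constructed input the clamd-filtered module contains the single rule `allow antivirus_t init_tmp_t:file { read write };`, and dropping the filter pulls in the unrelated `otherd_t` rule as well, which is the reason to grep before piping into audit2allow. The rendered text is what `checkmodule -M -m -o mypol.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.mod` and `semodule -i mypol.pp` then compile and load. Note that the rule grants antivirus_t write access to every file of type init_tmp_t, not only clamd's own temp file; whether a narrower fix (getting clamd's temp file labeled with the domain's own tmp type) applies here is not established on this page.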
