Bug 1393878

Summary: clamav-milter fails to start with SELinux errors
Product: Red Hat Enterprise Linux 6
Reporter: Matt Domsch <matt>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: low
Version: 6.8
CC: dwalsh, janfrode, lvrabec, matt, mgrepl, mmalik, mstevens, nathanael, nb, orion, pekkas, plautrba, pvrabec, redhat-bugzilla, rhbugs, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Clone Of: 1292223
Last Closed: 2016-11-14 12:57:10 UTC
Type: Bug
Bug Depends On: 1292223    

Description Matt Domsch 2016-11-10 14:24:07 UTC
+++ This bug was initially created as a clone of Bug #1292223 +++

Description of problem:

With 0.99-2, clamav-milter fails to start:

Dec 16 11:51:03 vmsl7 systemd: Starting SYSV: A virus scanning milter...
Dec 16 11:51:03 vmsl7 clamav-milter: Starting clamav-milter: ERROR: Cannot set milter socket permission to 660

type=AVC msg=audit(1450291863.719:321): avc:  denied  { fowner } for  pid=19044 comm="clamav-milter" capability=3  scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:antivirus_t:s0 tclass=capability

I'm not entirely sure if this is a clamav or selinux issue.  Works with 0.98.7-1.

Version-Release number of selected component (if applicable):
clamav-milter-0.99-2.el7.x86_64
clamav-milter-sysvinit-0.98.7-1.el7.noarch
selinux-policy-3.13.1-60.el7.noarch

--- Additional comment from Lukas Vrabec on 2016-03-19 18:42:07 EDT ---

Hi, 
Could you reproduce it again?

I tried it, and I cannot reproduce this issue.

--- Additional comment from Orion Poplawski on 2016-03-20 13:40:19 EDT ---

I do not appear to be able to reproduce now as well.

--- Additional comment from Orion Poplawski on 2016-03-20 13:54:33 EDT ---

Note, however, that I do see bug #1293493 on EL7 as well.

--- Additional comment from Lukas Vrabec on 2016-03-21 11:01:15 EDT ---

Do you agree that we can close this issue for now?

--- Additional comment from Orion Poplawski on 2016-03-21 11:15:05 EDT ---

Yes, this one can be closed.

--- Additional comment from Lukas Vrabec on 2016-03-21 11:17:44 EDT ---

Thank you.

--- Additional comment from Matt Domsch on 2016-11-10 09:06:23 EST ---

I am seeing this on CentOS 6.

selinux-policy-3.7.19-292.el6.noarch
clamav-unofficial-sigs-3.7.1-7.el6.noarch
libselinux-2.0.94-7.el6.i686
libselinux-python-2.0.94-7.el6.i686
libselinux-devel-2.0.94-7.el6.i686
clamav-0.99.2-1.el6.i686
clamav-devel-0.99.2-1.el6.i686
clamav-milter-0.99.2-1.el6.i686
libselinux-utils-2.0.94-7.el6.i686
selinux-policy-targeted-3.7.19-292.el6.noarch
clamav-db-0.99.2-1.el6.i686


type=AVC msg=audit(1478785716.689:1006343): avc:  denied  { fowner } for  pid=19054 comm="clamav-milter" capability=3  scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=capability
type=SYSCALL msg=audit(1478785716.689:1006343): arch=40000003 syscall=15 success=no exit=-1 a0=8620ca0 a1=1b0 a2=861fe98 a3=2c3c64 items=0 ppid=19053 pid=19054 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6379 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)


$ ls -Z /usr/sbin/clamav-milter
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamav-milter



$ ls -ZR /var/run/clam*
/var/run/clamav:
-rw-rw-r--. clam clam unconfined_u:object_r:antivirus_var_run_t:s0 clamd.pid
srw-rw-rw-. clam clam unconfined_u:object_r:antivirus_var_run_t:s0 clamd.sock


# Default: no default
#MilterSocket /tmp/clamav-milter.socket
MilterSocket /var/run/clamav/clamav-milter.sock

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option to work)
#
# Default: unset (don't drop privileges)
User clam

Comment 3 Lukas Vrabec 2016-11-14 12:50:28 UTC
Hi, 
Clamav-milter is part of EPEL. 

Workaround:

# yum install selinux-policy-devel

# cat antivirus_fowner.te 
policy_module(antivirus_fowner, 1.0.0)
require {
	type antivirus_t;
}

#============= antivirus_t ==============
allow antivirus_t self:capability fowner;

# make -f /usr/share/selinux/devel/Makefile antivirus_fowner.pp

# semodule -i antivirus_fowner.pp
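
Added example (not part of the original bug report or of any comment in it): a small Python decoder that pairs the AVC and SYSCALL records from the description by event id, showing that the denied operation is chmod() with mode 0660 (the MilterSocketMode value) and that the matching rule is the one used in the workaround. The lookup tables and function names are assumptions made for this illustration and cover only the values needed here.

```python
import re

# Sample input: the two audit records from the report; the SYSCALL record is
# shortened to the fields the decoder uses.
SAMPLE = (
    'type=AVC msg=audit(1478785716.689:1006343): avc:  denied  { fowner } for  '
    'pid=19054 comm="clamav-milter" capability=3  '
    'scontext=unconfined_u:system_r:antivirus_t:s0 '
    'tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=capability\n'
    'type=SYSCALL msg=audit(1478785716.689:1006343): arch=40000003 syscall=15 '
    'success=no exit=-1 a0=8620ca0 a1=1b0 uid=0 fsuid=0 comm="clamav-milter"\n'
)

# Partial lookup tables (illustrative): Linux capability numbers and the
# chmod syscall number on i386 (arch 40000003) and x86_64 (arch c000003e).
CAPS = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner", 4: "fsetid"}
SYSCALLS = {("40000003", 15): "chmod", ("c000003e", 90): "chmod"}

def records_by_event(text):
    """Group audit records by their msg=audit(timestamp:serial) event id."""
    events = {}
    for line in text.splitlines():
        m = re.match(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):(.*)", line)
        if not m:
            continue
        rtype, event_id, rest = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rest))
        perms = re.search(r"\{([^}]*)\}", rest)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def explain(event):
    """Decode one denied event into capability, syscall, mode and allow rule."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    source = avc["scontext"].split(":")[2]
    target = avc["tcontext"].split(":")[2]
    target = "self" if target == source else target
    name = SYSCALLS.get((sc.get("arch"), int(sc.get("syscall", -1))))
    return {
        "capability": CAPS.get(int(avc["capability"])) if "capability" in avc else None,
        "syscall": name,
        # For chmod(path, mode) the audit a1 field is the mode, printed in hex.
        "mode": oct(int(sc["a1"], 16)) if name == "chmod" else None,
        "rule": "allow %s %s:%s %s;" % (source, target, avc["tclass"],
                                         " ".join(avc["perms"])),
    }
```

Decoding the event before loading a local module confirms that the rule grants only the single capability seen in the denial, to the antivirus_t domain itself.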

Comment 4 Lukas Vrabec 2016-11-14 12:57:10 UTC
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its
lifetime and this bug doesn't meet the criteria for it, i.e. only high severity
issues will be fixed. Please see
https://access.redhat.com/support/policy/updates/errata/ for further
information.

Feel free to clone this bug to RHEL-7 if it is still a problem for you.