Bug 1434176

Summary: SELinux prohibits the normal operation of sendmail and clamav-milter
Product: [Fedora] Fedora EPEL
Reporter: iav
Component: clamav
Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: dwalsh, gary.tierney, iav, janfrode, mgrepl, mitko, orion, ralph, redhat-bugzilla, redhat, rhbugs, steve
Hardware: All
OS: Linux
Fixed In Version: clamav-0.99.2-8.el7
Clone Of: 1293046
Last Closed: 2017-07-19 05:48:46 UTC
Type: Bug

Description iav 2017-03-20 21:53:35 UTC
The sendmail process is prohibited by SELinux from connecting to the clamav-milter unix socket.

The clamav-milter daemon process runs in the wrong SELinux domain, init_t instead of antivirus_t.


# ausearch -m AVC,USER_AVC,SELINUX_ERR -i -ts recent
----
type=SYSCALL msg=audit(03/20/2017 23:25:01.437:1324500) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xa a1=0x7ffc60b205e0 a2=0x6e a3=0x8 items=0 ppid=13778 pid=18844 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(03/20/2017 23:25:01.437:1324500) : avc:  denied  { connectto } for  pid=18844 comm=sendmail path=/run/clamav-milter/clamav-milter.socket scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
type=SYSCALL msg=audit(03/20/2017 23:31:39.402:1324504) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f90a740bbb0 a1=0x7f90a73f2930 a2=0x7f90a73f2a60 a3=0x48 items=0 ppid=1 pid=19626 auid=unset uid=clamilt gid=clamilt euid=clamilt suid=clamilt fsuid=clamilt egid=clamilt sgid=clamilt fsgid=clamilt tty=(none) ses=unset comm=clamav-milter exe=/usr/sbin/clamav-milter subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(03/20/2017 23:31:39.402:1324504) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0


# rpm -qa clam\*
clamav-data-0.99.2-1.el7.noarch
clamav-server-systemd-0.99.2-1.el7.noarch
clamav-update-0.99.2-1.el7.x86_64
clamav-filesystem-0.99.2-1.el7.noarch
clamav-lib-0.99.2-1.el7.x86_64
clamav-milter-0.99.2-1.el7.x86_64
clamav-0.99.2-1.el7.x86_64
clamav-server-0.99.2-1.el7.x86_64
clamav-milter-systemd-0.99.2-1.el7.noarch


 ls -lZ /run/clamav-milter/clamav-milter.socket
srw-r--r--. clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 /run/clamav-milter/clamav-milter.socket


 ls -lZ /run |grep clam
drwx--x---. clamilt        clamilt        system_u:object_r:antivirus_var_run_t:s0 clamav-milter
drwx--x---. clamilt        clamilt        system_u:object_r:antivirus_var_run_t:s0 clamd.milter

--- clamav, and sendmail processes --
 ps axZ |egrep 'sendmail|clam'
system_u:system_r:antivirus_t:s0  894 ?        Ssl   25:30 /usr/sbin/clamd -c /etc/clamd.d/milter.conf --foreground=yes
system_u:system_r:sendmail_t:s0 13778 ?        Ss     0:17 sendmail: accepting connections
system_u:system_r:sendmail_t:s0 13791 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:init_t:s0     21131 ?        Ssl    0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --foreground=yes
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21375 pts/0 R+   0:00 grep -E --color=auto sendmail|clam


--- clamd and clamav-milter executables ---
 ls -lZ  /usr/sbin/clam*
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamav-milter
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/clamav-notify-servers
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamd





+++ This bug was initially created as a clone of Bug #1293046 +++

Description of problem:
Dec 19 16:21:55  sendmail[4519]: ...: Milter (clamav): error connecting to filter: Permission denied
Dec 19 16:21:55  sendmail[4519]: ...: Milter (clamav): to error state

With SELinux in permissive mode there are no problems.

Version-Release number of selected component (if applicable):
sendmail-8.15.2-1.fc22.x86_64
clamav-0.99-2.fc22.x86_64
clamav-scanner-systemd-0.99-2.fc22.noarch
selinux-policy-targeted-3.13.1-128.21.fc22.noarch


Additional info:
audit2allow -al 
-----------------
type=AVC msg=audit(1450538112.582:5705): avc:  denied  { connectto } for  pid=31852 comm="sendmail" path="/run/clamav-milter/clamav-milter.socket" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1450538112.899:5712): avc:  denied  { write } for  pid=4897 comm="clamd" path=2F746D702F636C616D61762D63613037353266623939656361323834306539386663316137613030393830362E746D70202864656C6574656429 dev="tmpfs" ino=84106 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=1
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
-----------------------------
ls -lZ /run/clamav-milter/clamav-milter.socket
srw-r--r--. 1 clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 0 19 Dec 17,11 /run/clamav-milter/clamav-milter.socket

--------- clam socket directories  ------
ls -lZ /run |grep clam
drwx--x---.  2 clamilt  clamilt  system_u:object_r:antivirus_var_run_t:s0      60 19 Dec 17,11 clamav-milter
drwx--x--x.  2 clamscan clamscan system_u:object_r:antivirus_var_run_t:s0      60 19 Dec 16,31 clamd.scan

--- clamav, and sendmail processes --
ps axZ |egrep 'sendmail|clam'

system_u:system_r:antivirus_t:s0 4897 ?        Ssl    0:25 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
system_u:system_r:sendmail_t:s0  4953 ?        Ss     0:00 sendmail: accepting connections
system_u:system_r:sendmail_t:s0  4969 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:init_t:s0     32617 ?        Ssl    0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

--- clamd and clamav-milter executables ---
ls -lZ  /usr/sbin/clam*
-rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 197096  6 Dec 19,15 /usr/sbin/clamav-milter
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0              1967  6 Dec 19,06 /usr/sbin/clamav-notify-servers
-rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 182336  6 Dec 19,15 /usr/sbin/clamd

--- Additional comment from bugzilla on 2016-01-01 10:35:24 EST ---

Same problem here after upgrading from fc21 to fc22 (was working fine on fc21).
When I generate the policy using audit2allow and then try to load it, it fails with the following error:

semodule -v -i  sendmail.pp 
Attempting to install module 'sendmail.pp':
Ok: return value of 0.
Committing changes:
libsepol.print_missing_requirements: sendmail's global requirements were not met: type/attribute sendmail_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


The generated policy is:
module sendmail 1.0;

require {
	type sendmail_t;
	type init_t;
	class unix_stream_socket connectto;
}

#============= sendmail_t ==============

#!!!! The file '/run/clamav-milter/clamav-milter.socket' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /run/clamav-milter/clamav-milter.socket
allow sendmail_t init_t:unix_stream_socket connectto;

--- Additional comment from Fedora End Of Life on 2016-07-19 14:36:53 EDT ---

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 1 Gary Tierney 2017-03-20 22:15:20 UTC
Quick assessment on this BZ:

The clamav-milter.service systemd unit contains NoNewPrivileges=yes.  When this is enabled no_new_privs is set on the task and SELinux only allows bounded transitions (the child can have no more permissions than its parent, the child in this case being antivirus_t and the parent init_t).  So when init_t tries to change type to antivirus_t it fails because no_new_privs is set and antivirus_t isn't bound to init_t.

Since init_t is an unconfined domain on EL7 the problem could be fixed by adding typebounds to the SELinux policy.  Though on Fedora where init_t is a confined domain this would require allowing init_t to do everything antivirus_t does (as well as all the other domains that are bound to init_t).  Alternatively, NoNewPrivileges=yes can be removed from the systemd unit and typebounds won't be required.
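
The mechanism described in this comment, as an added example that is not part of the bug report or of the clamav package: a small POSIX shell script that (1) pulls denied bounded transitions out of `ausearch -i` output, (2) checks whether a unit file sets NoNewPrivileges=yes, and (3) writes the systemd drop-in that turns the setting back off, which is the unit-side workaround the comment names. The unit path and the drop-in directory are parameters so the script runs against constructed sample files; the function names, the drop-in file name 10-selinux-transition.conf and the sample unit contents are assumptions of this example, not anything from the package.

```shell
#!/bin/sh
# Added example (not from the bug report): triage the init_t -> antivirus_t
# bounded-transition failure and prepare the systemd-side fix.
# Assumptions: unit file path and drop-in directory are parameters so the
# functions can run on constructed files; on a real host use
# /usr/lib/systemd/system/clamav-milter.service and /etc/systemd/system.

# 1. Extract denied bounded transitions from audit text on stdin
#    (e.g. `ausearch -m SELINUX_ERR -i`). Prints "old -> new" per record.
bounded_transition_denials() {
    grep 'op=security_bounded_transition' | grep 'seresult=denied' \
    | sed -n 's/.*oldcontext=\([^ ]*\).*newcontext=\([^ ]*\).*/\1 -> \2/p'
}

# 2. Return 0 when the unit file's last effective NoNewPrivileges value is
#    true (systemd accepts yes/true/on/1); comment lines are ignored.
unit_sets_nnp() {
    unit="$1"
    last=$(grep -v '^[[:space:]]*[#;]' "$unit" \
           | sed -n 's/^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' \
           | tail -n 1)
    case "$last" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Write a drop-in overriding the setting. For a boolean setting a later
#    assignment replaces the earlier one, so the drop-in wins over the
#    packaged unit without editing the vendor file. Prints the file path.
write_nnp_override() {
    unit_name="$1"   # e.g. clamav-milter.service
    confdir="$2"     # e.g. /etc/systemd/system
    d="$confdir/$unit_name.d"
    mkdir -p "$d"
    printf '[Service]\nNoNewPrivileges=no\n' > "$d/10-selinux-transition.conf"
    printf '%s\n' "$d/10-selinux-transition.conf"
}

# Constructed sample: the SELINUX_ERR record from the description above.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(03/20/2017 23:31:39.402:1324504) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0'

# Demonstration on constructed input; nothing here touches the live system.
demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for the packaged unit (only the relevant lines).
    printf '[Service]\nExecStart=/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --foreground=yes\nNoNewPrivileges=yes\n' \
        > "$tmp/clamav-milter.service"
    echo "denied bounded transitions:"
    printf '%s\n' "$SAMPLE_AUDIT" | bounded_transition_denials
    if unit_sets_nnp "$tmp/clamav-milter.service"; then
        echo "unit sets NoNewPrivileges=yes; writing drop-in:"
        write_nnp_override clamav-milter.service "$tmp/etc"
        # On a real host continue with:
        #   systemctl daemon-reload && systemctl restart clamav-milter
        #   ps -eZ | grep clamav-milter   # expect antivirus_t, not init_t
    fi
    rm -rf "$tmp"
}

demo
```

Run against the real unit and /etc/systemd/system, then `systemctl daemon-reload` and restart the service; `ps -eZ` should afterwards show clamav-milter in antivirus_t. The drop-in gives up the no_new_privs hardening for this service; the alternative the comment names, a typebounds rule, keeps it but only fits where init_t is unconfined, because a bounded child domain can do nothing its parent cannot.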

Comment 2 Fedora Update System 2017-03-28 06:47:51 UTC
clamav-0.99.2-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d

Comment 3 Fedora Update System 2017-03-28 17:33:47 UTC
clamav-0.99.2-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d

Comment 4 Fedora Update System 2017-03-30 01:48:54 UTC
clamav-0.99.2-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d

Comment 5 Orion Poplawski 2017-04-18 17:53:54 UTC
*** Bug 1292227 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2017-07-19 05:48:46 UTC
clamav-0.99.2-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.