Bug 510655

Summary: clamav-milter blocked
Product: [Fedora] Fedora Reporter: David Highley <david.m.highley>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 11   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-27 17:39:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Highley 2009-07-10 04:36:08 UTC 
Description of problem:
The clamav-milter filter use with sendmail gets blocked.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-53.fc11.noarch

How reproducible:
Every time it rejects an email.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
time->Mon Jul  6 20:52:50 2009
type=SYSCALL msg=audit(1246938770.270:619): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffdcb162e0 a2=10 a3=98 items=0 ppid=3969 pid=3970 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1246938770.270:619): avc:  denied  { name_connect } for  pid=3970 comm="clamav-milter" dest=111 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Mon Jul  6 20:52:50 2009
type=SYSCALL msg=audit(1246938770.270:618): arch=c000003e syscall=2 success=no exit=-13 a0=7fffdcb16290 a1=0 a2=7fffdcb162b9 a3=7fffdcb16040 items=0 ppid=3969 pid=3970 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1246938770.270:618): avc:  denied  { search } for  pid=3970 comm="clamav-milter" name="yp" dev=dm-0 ino=3544 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Mon Jul  6 20:52:50 2009
type=SYSCALL msg=audit(1246938770.270:620): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffdcb162e0 a2=10 a3=98 items=0 ppid=3969 pid=3970 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1246938770.270:620): avc:  denied  { name_connect } for  pid=3970 comm="clamav-milter" dest=111 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
Comment 1 David Highley 2009-07-10 04:37:45 UTC 
More information:
----
time->Tue Jul  7 08:05:27 2009
type=SYSCALL msg=audit(1246979127.943:772): arch=c000003e syscall=2 success=no exit=-13 a0=7fffe659d780 a1=0 a2=7fffe659d7a9 a3=7fffe659d530 items=0 ppid=12469 pid=12470 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=84 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1246979127.943:772): avc:  denied  { read } for  pid=12470 comm="clamav-milter" name="highley-recommended.com.2" dev=dm-0 ino=138934 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
Comment 2 Daniel Walsh 2009-07-10 12:17:05 UTC 
Is this an ypbind service?

Do you have the allow_ypbind boolean turned on ?

setsebool -P allow_ypbind=1
Comment 3 David Highley 2009-07-10 13:39:52 UTC 
Yes, this bool is set. I see that were still having issues. It is getting blocked from connecting to its socket so it is dying. Thought we had it fixed.
Comment 4 Daniel Walsh 2009-07-10 14:34:08 UTC 
What avc are you seeing?
Comment 5 David Highley 2009-07-10 16:40:04 UTC 
Still getting this avc:
time->Fri Jul 10 05:57:47 2009
type=SYSCALL msg=audit(1247230667.998:2200): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff3718a840 a2=10 a3=4560 items=0 ppid=16727 pid=16728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=201 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1247230667.998:2200): avc:  denied  { name_bind } for  pid=16728 comm="clamav-milter" src=793 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket


Now we are seeing this show up:
time->Fri Jul 10 06:02:49 2009
type=SYSCALL msg=audit(1247230969.042:2222): arch=c000003e syscall=59 success=no exit=-13 a0=4bb7e78 a1=2acab68 a2=7fff4f5dcf38 a3=7fff4f5dc960 items=0 ppid=16945 pid=16946 auid=0 uid=1001 gid=1000 euid=1001 suid=1001 fsuid=1001 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=84 comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1247230969.042:2222): avc:  denied  { execute_no_trans } for  pid=16946 comm="spamassassin" path="/usr/bin/pyzor" dev=dm-0 ino=179268 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
Comment 6 Daniel Walsh 2009-07-10 19:47:59 UTC 
Miroslav can you add

can_exec(spamc_t, spamc_exec_t)

to spamassassin.te


Add 

auth_use_nsswitch(clamd_t) 
auth_use_nsswitch(freshclam_t) 

to clamav.te
Comment 7 Miroslav Grepl 2009-07-15 11:17:11 UTC 
Fixed in selinux-policy-3.6.12-66.fc11
Comment 8 David Highley 2009-08-12 04:53:42 UTC 
Yes, I have it working now. Retested with selinux-policy-3.6.12-72.fc11.noarch. Note, it did require adding the user clamilt to the group clamscan in the /etc/group file.

This whole distribution has package install issues. You need to comment out lines in configuration files and it has been split into more pieces and configuration files. It now fills the system log file with message, Aug  9 03:20:01 douglas clamd.scan[3120]: SelfCheck: Database status OK. Everyday you get a message in the root email about it not being up to date. I'm considering not using the application any more as it does not seem to be improving in its installation configuration issues.
Comment 9 Bug Zapper 2010-04-27 15:35:08 UTC 
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping