Bug 510655
Summary: | clamav-milter blocked | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Highley <david.m.highley> |
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 11 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-04-27 17:39:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Highley
2009-07-10 04:36:08 UTC
More information: ---- time->Tue Jul 7 08:05:27 2009 type=SYSCALL msg=audit(1246979127.943:772): arch=c000003e syscall=2 success=no exit=-13 a0=7fffe659d780 a1=0 a2=7fffe659d7a9 a3=7fffe659d530 items=0 ppid=12469 pid=12470 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=84 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null) type=AVC msg=audit(1246979127.943:772): avc: denied { read } for pid=12470 comm="clamav-milter" name="highley-recommended.com.2" dev=dm-0 ino=138934 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file Is this an ypbind service? Do you have the allow_ypbind boolean turned on ? setsebool -P allow_ypbind=1 Yes, this bool is set. I see that were still having issues. It is getting blocked from connecting to its socket so it is dying. Thought we had it fixed. What avc are you seeing? Still getting this avc: time->Fri Jul 10 05:57:47 2009 type=SYSCALL msg=audit(1247230667.998:2200): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff3718a840 a2=10 a3=4560 items=0 ppid=16727 pid=16728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=201 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:clamd_t:s0 key=(null) type=AVC msg=audit(1247230667.998:2200): avc: denied { name_bind } for pid=16728 comm="clamav-milter" src=793 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket Now we are seeing this show up: time->Fri Jul 10 06:02:49 2009 type=SYSCALL msg=audit(1247230969.042:2222): arch=c000003e syscall=59 success=no exit=-13 a0=4bb7e78 a1=2acab68 a2=7fff4f5dcf38 a3=7fff4f5dc960 items=0 ppid=16945 pid=16946 auid=0 uid=1001 gid=1000 euid=1001 suid=1001 fsuid=1001 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=84 comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1247230969.042:2222): avc: denied { execute_no_trans } for pid=16946 comm="spamassassin" path="/usr/bin/pyzor" dev=dm-0 ino=179268 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file Miroslav can you add can_exec(spamc_t, spamc_exec_t) to spamassassin.te Add auth_use_nsswitch(clamd_t) auth_use_nsswitch(freshclam_t) to clamav.te Fixed in selinux-policy-3.6.12-66.fc11 Yes, I have it working now. Retested with selinux-policy-3.6.12-72.fc11.noarch. Note, it did require adding the user clamilt to the group clamscan in the /etc/group file. This whole distribution has package install issues. You need to comment out lines in configuration files and it has been split into more pieces and configuration files. It now fills the system log file with message, Aug 9 03:20:01 douglas clamd.scan[3120]: SelfCheck: Database status OK. Everyday you get a message in the root email about it not being up to date. I'm considering not using the application any more as it does not seem to be improving in its installation configuration issues. This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping |