Bug 637003

Summary: selinux prevents clamdscan from running
Product: [Fedora] Fedora
Reporter: Bradley <bbaetz>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, mgrepl
Hardware: All   
OS: Linux   
Fixed In Version: selinux-policy-3.7.19-76.fc13
Doc Type: Bug Fix
Last Closed: 2010-12-17 08:43:00 UTC

Description Bradley 2010-09-23 23:01:13 UTC
Description of problem:

With selinux running, clamdscan fails to work.

Version-Release number of selected component (if applicable):

clamav-0.96.1-1300.fc13.x86_64
clamav-data-0.96.1-1300.fc13.noarch
clamav-filesystem-0.96.1-1300.fc13.noarch
clamav-lib-0.96.1-1300.fc13.x86_64
clamav-scanner-0.96.1-1300.fc13.noarch
clamav-scanner-sysvinit-0.96.1-1300.fc13.noarch
clamav-server-0.96.1-1300.fc13.x86_64
clamav-server-sysvinit-0.96.1-1300.fc13.noarch
clamav-update-0.96.1-1300.fc13.x86_64
selinux-policy-3.7.19-57.fc13.noarch
selinux-policy-targeted-3.7.19-57.fc13.noarch

How reproducible:

Always

Steps to Reproduce:
1. Create /tmp/eicar with the eicar text string in it
2. Make sure clamd is running
3. Either:
 a) clamdscan - < /tmp/eicar
OR
 b) clamdscan /tmp/eicar
  
Actual results:

a) STDIN: no reply from clamd
 and /var/log/messages has:
Sep 24 08:56:24 bradley clamd.scan[10801]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Sep 24 08:56:24 bradley clamd.scan[10801]: Error condition on fd 10

b) /tmp/eicar: Access denied. ERROR

Note - Those messages come from the daemon and are just printed by the client program.

Expected results:

Works just like 'spamc /tmp/eicar' manages to have a separate daemon do the scanning.

Additional info:

clamscan (i.e. local rather than using a daemon) works.

Works in permissive mode. Nothing in audit.log in either case.

If I do 'clamdscan ~/eicar' then I get:

type=AVC msg=audit(1285282659.495:34852): avc: denied { search } for pid=26569 comm="clamd" name="home" dev=dm-0 ino=278529 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Comment 1 Daniel Walsh 2010-09-24 12:56:43 UTC
What is clamdscan labeled?

ls -lZ `which clamdscan`

Comment 2 Bradley 2010-09-25 10:39:40 UTC
-rwxr-xr-x. root root system_u:object_r:clamscan_exec_t:s0 /usr/bin/clamdscan
-rwxr-xr-x. root root system_u:object_r:clamd_exec_t:s0 /usr/sbin/clamd

The RPM was installed just before I tested, FWIW

Comment 3 Daniel Walsh 2010-09-27 14:49:39 UTC
clamdscan should be running as clamdscan_t and somehow this is getting clamd to search for ~/eicar, I guess.

Comment 4 Bradley 2010-09-28 00:01:35 UTC
clamdscan ~/eicar sends to the daemon:

zCONTSCAN /tmp/eicar\0

(from strace) - i.e. just the filename is passed.

clamdscan - < ~/eicar

does fd passing:

connect(3, {sa_family=AF_FILE, path="/var/run/clamd.scan/clamd.sock"}, 110) = 0
sendto(3, "zFILDES\0", 8, 0, NULL, 0)   = 8
sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"\0", 1}], msg_controllen=20, {cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {0}}, msg_flags=0}, 0) = 1
close(0)                                = 0

If I use TCP mode rather than socket mode then the second version works (it does read/sendto rather than anything clever). That causes selinux errors when I run it out of procmail, though:

.procmailrc:

:0fw: clamassassin.lock
|clamdscan --no-summary --stdout -

=>

type=AVC msg=audit(1285632008.428:81): avc:  denied  { write } for  pid=3247 comm="clamdscan" path="pipe:[23886]" dev=pipefs ino=23886 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1285632008.428:81): avc:  denied  { read } for  pid=3247 comm="clamdscan" path="/var/spool/mqueue/dfo8S0081f003243" dev=dm-0 ino=262728 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1285632008.428:81): arch=c000003e syscall=59 success=yes exit=0 a0=7fff8d257e54 a1=1f4f3b0 a2=1f4f2f0 a3=8 items=0 ppid=3246 pid=3247 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1285632008.431:82): avc:  denied  { read } for  pid=3247 comm="clamdscan" name="resolv.conf" dev=dm-0 ino=97 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1285632008.431:82): arch=c000003e syscall=2 success=no exit=-13 a0=3f9594253f a1=0 a2=1b6 a3=2 items=0 ppid=3246 pid=3247 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1285632008.431:83): avc:  denied  { node_bind } for  pid=3247 comm="clamdscan" saddr=127.0.0.1 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1285632008.431:83): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=61fdd0 a2=10 a3=1999999999999999 items=0 ppid=3246 pid=3247 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="clamdscan" exe="/usr/bin/clamdscan" subj=system_u:system_r:clamscan_t:s0 key=(null)

Comment 5 Miroslav Grepl 2010-12-09 11:43:58 UTC
Fixed in selinux-policy-3.7.19-76.fc13

Comment 6 Fedora Update System 2010-12-10 13:48:13 UTC
selinux-policy-3.7.19-76.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-76.fc13

Comment 7 Fedora Update System 2010-12-10 20:29:40 UTC
selinux-policy-3.7.19-76.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-76.fc13

Comment 8 Fedora Update System 2010-12-17 08:42:19 UTC
selinux-policy-3.7.19-76.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.