Bug 707101

Summary: selinux prevents clamav-milter from running
Product: Red Hat Enterprise Linux 5 Reporter: Steevithak <steevithak>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.6CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-309.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-21 09:20:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steevithak 2011-05-24 04:10:57 UTC 
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
100% of time

Steps to Reproduce:
1. Install RHEL or CentOS 5.x
2. Install clamav, clamav-milter from rpmforge
3. Try to start clamav
  
Actual results:
Clamav-milter is unable to open a socket and dies because selinux is blocking it

Expected results:
Clamav-milter starts normally

Additional info:

Here's the messages log excerpt:

May 23 22:30:56 skutter clamav-milter[18164]: Failed to create socket unix:/var/clamav/clmilter.socket 
May 23 22:30:56 skutter setroubleshoot: SELinux is preventing clamav-milter (clamd_t) "create" to clmilter.socket (clamd_var_lib_t). For complete SELinux messages. run sealert -l 97c4bc7c-9a5f-4dc0-b195-c8d74fdab56d

And here's the output of sealert:

Summary:

SELinux is preventing clamav-milter (clamd_t) "create" to clmilter.socket
(clamd_var_lib_t).

Detailed Description:

SELinux denied access requested by clamav-milter. It is not expected that this
access is required by clamav-milter and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for clmilter.socket,

restorecon -v 'clmilter.socket'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:clamd_t
Target Context                user_u:object_r:clamd_var_lib_t
Target Objects                clmilter.socket [ sock_file ]
Source                        clamav-milter
Source Path                   /usr/sbin/clamav-milter
Port                          <Unknown>
Host                          skutter.ncc.com
Source RPM Packages           clamav-milter-0.97-1.el5.rf
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5_6.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     skutter.ncc.com
Platform                      Linux skutter.ncc.com 2.6.18-238.9.1.el5 #1 SMP
                              Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon May 23 22:30:56 2011
Last Seen                     Mon May 23 22:30:56 2011
Local ID                      97c4bc7c-9a5f-4dc0-b195-c8d74fdab56d
Line Numbers                  

Raw Audit Messages            

host=skutter.ncc.com type=AVC msg=audit(1306207856.548:1264): avc:  denied  { create } for  pid=18164 comm="clamav-milter" name="clmilter.socket" scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=sock_file

host=skutter.ncc.com type=SYSCALL msg=audit(1306207856.548:1264): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fffc9e791d0 a2=6e a3=7fffc9e791ed items=0 ppid=18163 pid=18164 auid=500 uid=101 gid=156 euid=101 suid=101 fsuid=101 egid=156 sgid=156 fsgid=156 tty=(none) ses=17 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=user_u:system_r:clamd_t:s0 key=(null)


I attempted to fix the problem using the method described in the above message but running "restorecon -v 'clmilter.socket'" produces this result:

lstat(clmilter.socket) failed: No such file or directory

So, I'm falling back to the alternate solution of filing this bug report and disabling selinux until the bug is fixed.
Comment 1 Milos Malik 2011-05-24 08:05:15 UTC 
I'm not sure which location is the right one for clamav-milter.socket, so I tested more of them.

1) If /etc/clamav-milter.conf contains following line then clamav-milter does not work, error messages appear in /var/log/messages but no AVCs appear:
  MilterSocket unix:/var/clamav/clamav-milter.socket

2) If /etc/clamav-milter.conf contains following line then clamav-milter does not work, error messages appear in /var/log/messages and AVCs appear too:
MilterSocket unix:/var/lib/clamav/clamav-milter.socket

3) If /etc/clamav-milter.conf contains following line then clamav-milter works well, no error messages appear in /var/log/messages, no AVCs appear:
  MilterSocket unix:/var/run/clamav/clamav-milter.socket

Here are error messages for cases 1 and 2:
May 24 03:37:56 auto-x86-64-002 clamav-milter: ClamAV: Unable to create listening socket on conn unix:/var/clamav/clamav-milter.socket
May 24 03:46:13 auto-x86-64-002 clamav-milter: ClamAV: Unable to bind to port unix:/var/lib/clamav/clamav-milter.socket: Permission denied

Here are AVCs for case 2:
----
time->Tue May 24 04:03:08 2011
type=SYSCALL msg=audit(1306224188.651:1703): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff80d9c7b0 a2=6e a3=0 items=0 ppid=1401 pid=1402 auid=0 uid=102 gid=158 euid=102 suid=102 fsuid=102 egid=158 sgid=158 fsgid=158 tty=(none) ses=243 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1306224188.651:1703): avc:  denied  { create } for  pid=1402 comm="clamav-milter" name="clamav-milter.socket" scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:clamd_var_lib_t:s0 tclass=sock_file
----
time->Tue May 24 04:03:11 2011
type=SYSCALL msg=audit(1306224191.097:1704): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff0ebda210 a2=6e a3=0 items=0 ppid=1450 pid=1451 auid=0 uid=102 gid=158 euid=102 suid=102 fsuid=102 egid=158 sgid=158 fsgid=158 tty=(none) ses=243 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1306224191.097:1704): avc:  denied  { create } for  pid=1451 comm="clamav-milter" name="clamav-milter.socket" scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:clamd_var_lib_t:s0 tclass=sock_file
----
Comment 2 Miroslav Grepl 2011-05-24 10:11:04 UTC 
Thank you for the bug report.

If you are willing to help us identify and solve the problem, please follow these steps:

1. Run the following two commands as root. Note that the first command is a multiline command.

# cat > policy_bz707101.te << _EOF
policy_module(policy_bz707101, 1.0)

require{
 type clamd_t;
 type clamd_var_lib_t;
}

manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)

_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i policy_bz707101.pp

2. Re-run your actions.

If the problem persists, or you experience other problems related to this topic, please add sealert/AVCs to this bug report.
Comment 3 Steevithak 2011-05-24 15:38:34 UTC 
>> I'm not sure which location is the right one for clamav-milter.socket,
>> so I tested more of them.
>>  MilterSocket unix:/var/clamav/clamav-milter.socket
>>  MilterSocket unix:/var/lib/clamav/clamav-milter.socket
>>  MilterSocket unix:/var/run/clamav/clamav-milter.socket

If by "right" you mean the one configured in the RPM file and used upon normal installation by yum, then it's the first one:

 MilterSocket unix:/var/clamav/clamav-milter.socket

That's the one I've used on previous RHEL/CentOS installs where I wasn't running selinux. If that one is not correct in some sense, then maybe a bug needs to be filed against the clamav-milter RPM package instead of selinux?

I tried reconfiguring clamav-milter.conf and sendmail.mc to use /var/run/clamav/clamav-milter.socket and this successfully got the milter running without selinux problems. So that's a good enough work around until selinux and the clamav-milter rpm package can get on the same page. :)

Unfortunately, I moved on to spamass-milter next and it has the same problem with selinux - it wants to create its socket in /var/run/spamass.sock, which selinux doesn't like at all. I tried the same basic idea (e.g. reconfigure spamassassin and sendmail to use /var/run/spamassassin/spamass.sock instead of the default path) but it didn't work in this case and selinux still won't let spamass-milter start... Guess I should file a separate bug on that one?  

I'm really surprised no one has tried setting up clamav and spamassassin with sendmail on RHEL/CentOS using the defaults in the RPMs before! I would have thought this was standard enough stuff that someone else would have stumbled onto these bugs before me. :)
Comment 4 Miroslav Grepl 2011-06-06 15:14:59 UTC 
Fixed in selinux-policy-2.4.6-309.el5
Comment 7 errata-xmlrpc 2011-07-21 09:20:34 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 8 errata-xmlrpc 2011-07-21 11:57:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html