Bug 840667
| Summary: | SELinux policy denies clamd(1) usage in amavisd-new | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.3 | CC: | dwalsh, mmalik, mtruneck, robert.scheck |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-159.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:25:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 782183 | ||
|
Description
Robert Scheck
2012-07-16 21:00:55 UTC
type=AVC msg=audit(1342472223.255:159942): avc: denied { search } for pid=21227 comm="clamd" name="amavisd" dev=vda1 ino=132318 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc: denied { write } for pid=21227 comm="clamd" name="amavisd" dev=vda1 ino=132318 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc: denied { add_name } for pid=21227 comm="clamd" name="clamd.pid" scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc: denied { write } for pid=21227 comm="clamd" name="clamd.pid" dev=vda1 ino=130809 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:amavis_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1342472223.255:159942): arch=c000003e syscall=2 success=yes exit=5 a0=1d272a0 a1=241 a2=1b6 a3=0 items=0 ppid=21226 pid=21227 auid=0 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=840 comm="clamd" exe="/usr/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1342472228.153:159953): avc: denied { search } for pid=21290 comm="fsav" name="21227" dev=proc ino=907289 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1342472228.153:159953): avc: denied { read } for pid=21290 comm="fsav" name="stat" dev=proc ino=907295 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=file
type=AVC msg=audit(1342472228.153:159953): avc: denied { open } for pid=21290 comm="fsav" name="stat" dev=proc ino=907295 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=file
Cross-filed case 00678438 in the Red Hat Customer Portal. Please note, that clamscan != clamd. First is a command line scanner, while the second is a daemon that can be queried (less overhead than loading all the signatures each time into memory while the daemon simply keeps them)... We added some fixes to Fedora to fix this issue. We need to backport it. Nice, selinux-policy-3.7.19-156 seems to solve this issue. Can we get this at latest for 6.4 or even FasTrack, please? It is in 6.4 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |