Bug 849671
| Summary: | SELinux doesn't allow /etc/init.d/clamd.amavisd to write PID file | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.3 | CC: | dwalsh, mmalik, robert.scheck, williama_lovaton |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-160.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 08:27:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 782183 | | |
Description
Robert Scheck
2012-08-20 14:07:40 UTC
```
# matchpathcon /var/run/amavisd/clamd.pid
/var/run/amavisd/clamd.pid	system_u:object_r:clamd_var_run_t:s0
#
```

What does "restorecon -v /var/run/amavisd" do on your machine?

```
$ matchpathcon /var/run/amavisd/clamd.pid
/var/run/amavisd/clamd.pid	system_u:object_r:clamd_var_run_t:s0
$
$ restorecon -v /var/run/amavisd
$
```

Please keep in mind that /etc/init.d/clamd.amavisd calls the wrapper script /etc/init.d/clamd.amavisd which finally starts the clamd process.

*gna* the wrapper script is of course /usr/share/clamav/clamd-wrapper

We have some fixes in Fedora for this issue.

Yes, but this is unfortunately RHEL. When will these fixes be merged into RHEL selinux-policy? Will these be part (at the latest) of RHEL 6.4 GA?

It will be part of a new RHEL6.4 build which will be available on http://people.redhat.com/dwalsh/ (as usual) next week.

Great, let's hope it gets fixed in the next update of RHEL. In the meantime I just loaded this policy and it seems to be working fine:

```
[nalwalovaton@CDPLIN80 ~]$ cat amavis-mypol.te
module amavis-mypol 1.0;

require {
	type amavis_var_run_t;
	type clamd_t;
	class dir { write remove_name search add_name };
	class file { write unlink };
}

#============= clamd_t ==============
#!!!! The source type 'clamd_t' can write to a 'dir' of the following types:
# var_run_t, var_log_t, clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t, clamd_tmp_t, amavis_spool_t, tmp_t, root_t

allow clamd_t amavis_var_run_t:dir { write remove_name search add_name };
allow clamd_t amavis_var_run_t:file { write unlink };
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
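The local module quoted in the thread has the shape audit2allow produces from AVC denials. As an added example (not from the bug report, not from selinux-policy or audit2allow), the Python below reproduces that step on constructed audit records: it aggregates denials per (source type, target type, object class) and renders the `require`/`allow` blocks. The sample log lines, PIDs and inode numbers are constructed; the module name mirrors the one in the thread.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the bug report). They model clamd
# creating and later removing its PID file in /var/run/amavisd (amavis_var_run_t).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345468060.101:201): avc:  denied  { search } for  pid=2201 comm="clamd" name="amavisd" dev=dm-0 ino=1001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1345468060.102:202): avc:  denied  { write add_name } for  pid=2201 comm="clamd" name="amavisd" dev=dm-0 ino=1001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1345468060.103:203): avc:  denied  { write } for  pid=2201 comm="clamd" name="clamd.pid" dev=dm-0 ino=1002 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1345468060.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="clamd"
type=AVC msg=audit(1345468099.500:310): avc:  denied  { remove_name write } for  pid=2201 comm="clamd" name="clamd.pid" dev=dm-0 ino=1001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1345468099.501:311): avc:  denied  { unlink } for  pid=2201 comm="clamd" name="clamd.pid" dev=dm-0 ino=1002 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=file
"""

# Pull the denied permission set and the two security contexts out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # user:role:type[:range] -> type
    return context.split(":")[2]

def collect_denials(audit_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records carry no permission data
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def render_te(denials, name="amavis-mypol", version="1.0"):
    """Emit a .te module in the same layout as the workaround posted in the thread."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_te(collect_denials(SAMPLE_AUDIT)))
```

Before loading a module generated this way, compare the denied path against `matchpathcon` as the thread does: when the expected label is clamd_var_run_t, relabeling the PID file or adding a file transition is a narrower fix than granting clamd_t write access to everything labelled amavis_var_run_t.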