Bug 860858
| Summary: | RHEL5/RHEL6 selinux-policy needs clamscan_can_scan_system tunable | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | James Ralston <ralston> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.5 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-168.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:30:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Thanks for the RHEL6 add. Any chance of getting it added to RHEL5, too? Should I file a separate bug for that? (In reply to comment #2) > Thanks for the RHEL6 add. Any chance of getting it added to RHEL5, too? > Should I file a separate bug for that? Yes, please. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |
Version-Release number of selected component (if applicable): selinux-policy-2.4.6-327.el5 selinux-policy-3.7.19-155.el6_3.4 selinux-policy-3.10.0-91.fc16 Description of problem: We call clamdscan from a sendmail milter, in order to scan incoming mail messages for viruses in real time (during the SMTP dialog). All versions of selinux-policy for RHEL5 and RHEL6 break the ability of clamd to read arbitrary files on the system, such as files underneath /var/spool: $ getenforce Permissive $ clamdscan -c /etc/clamd.d/defang.conf /var/spool/mdspool/test /var/spool/mdspool/test: OK ----------- SCAN SUMMARY ----------- Infected files: 0 Time: 0.001 sec (0 m 0 s) $ ausearch -m avc -ts recent ---- time->Wed Sep 26 16:17:57 2012 type=SYSCALL msg=audit(1348690677.657:2883): arch=c000003e syscall=6 success=yes exit=0 a0=79144c0 a1=42539db0 a2=42539db0 a3=1 items=0 ppid=1 pid=19899 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null) type=AVC msg=audit(1348690677.657:2883): avc: denied { getattr } for pid=19899 comm="clamd" path="/var/spool/mdspool/test" dev=dm-1 ino=131117 scontext=system_u:system_r:clamd_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=file ---- time->Wed Sep 26 16:17:57 2012 type=SYSCALL msg=audit(1348690677.657:2884): arch=c000003e syscall=21 success=yes exit=0 a0=78d3c20 a1=4 a2=625d01 a3=0 items=0 ppid=1 pid=19899 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null) type=AVC msg=audit(1348690677.657:2884): avc: denied { read } for pid=19899 comm="clamd" name="test" dev=dm-1 ino=131117 scontext=system_u:system_r:clamd_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=file I can resort to implementing local policy to override this; e.g.: $ ausearch -m avc -ts this-month | audit2allow allow clamd_t var_spool_t:dir read; allow clamd_t var_spool_t:file { read getattr }; However, more recent versions of selinux-policy (e.g., selinux-policy-3.10.0-91.fc16 and possibly earlier) include a tunable that permits clamd to scan non-security system files. From policy/modules/services/clamav.te: ## <desc> ## <p> ## Allow clamscan to non security files on a system ## </p> ## </desc> gen_tunable(clamscan_can_scan_system, false) tunable_policy(`clamscan_can_scan_system',` files_read_non_security_files(clamscan_t) ') This is a much cleaner approach. If added as above (default == false), it would represent no change to existing policy, and is only a tiny (4-line) addition. Could this be added to RHEL5 and RHEL6 selinux-policy, please?