Bug 1002593 - Antiviruses' policy comparison regarding the move to antivirus_t
Antiviruses' policy comparison regarding the move to antivirus_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-29 09:49 EDT by Michal Trunecka
Modified: 2014-09-30 19:35 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-214.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:50:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Trunecka 2013-08-29 09:49:06 EDT
Description of problem:
I compared policies of antiviruses' types (amavis_t, clamd_t, clamscan_t and freshclam_t) with the current policy with single antivirus_t type.

The comparison was performed between following policy versions:

selinux-policy-3.7.19-212.el6
selinux-policy-3.7.19-195.el6_4.12

Basicaly I reviewed what access was granted before and was removed by the move to antivirus_t.


=== ALLOW RULES ===

Following rules were allowed in the RHEL6.4 policy, but don't have equivalent rules in 6.5.0 policy:

allow freshclam_t user_tmp_t : sock_file { write append open }
allow freshclam_t proc_net_t : file { ioctl read getattr lock open }
allow freshclam_t proc_net_t : dir { ioctl read getattr lock search open }
allow freshclam_t proc_net_t : lnk_file { read getattr }
allow freshclam_t http_cache_port_t : tcp_socket { name_connect }
allow freshclam_t userdomain : unix_stream_socket { connectto }


Following rules was not found in the new policy, because the target types are not marked as aliases of the new ones. It won't block access but it might cause some backward compatibility problems:

allow clamd_t clamd_var_log_t : dir { create unlink link rename reparent rmdir }
allow amavis_t amavis_etc_t : file { ioctl read getattr lock open }
allow amavis_t amavis_etc_t : dir { ioctl read getattr lock open search }
allow amavis_t amavis_etc_t : lnk_file {  read getattr  }


=== DONTAUDIT RULES ===

A lot of tcp_socket name_bind dontaudit rules were removed:

e.g.:
dontaudit clamd_t ftp_data_port_t : tcp_socket name_bind


And here is the rest of dontaudit rules which are no longer in RHEL6.5 policy:

dontaudit clamscan_t initrc_var_run_t : file { write lock }
dontaudit amavis_t clamscan_t : process { noatsecure siginh rlimitinh }
dontaudit amavis_t proc_t : file { ioctl read getattr lock open }
dontaudit clamscan_t clamscan_t : process execmem
dontaudit freshclam_t freshclam_t : process execmem
dontaudit amavis_t amavis_t : process execmem
dontaudit clamd_t clamd_t : process execmem
Comment 1 Daniel Walsh 2013-08-29 10:32:47 EDT
Nice work Michal.
Comment 2 Miroslav Grepl 2013-09-02 10:13:28 EDT
Yeap.

Michal,
I see

typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t }
Comment 3 Miroslav Grepl 2013-09-06 06:20:26 EDT
dontaudit clamscan_t initrc_var_run_t : file { write lock }

Fixed.

dontaudit amavis_t proc_t : file { ioctl read getattr lock open }

we allow it now.

dontaudit clamscan_t clamscan_t : process execmem
dontaudit freshclam_t freshclam_t : process execmem
dontaudit amavis_t amavis_t : process execmem
dontaudit clamd_t clamd_t : process execmem

these are a part of the antivirus_use_jit boolean boolean.
Comment 6 errata-xmlrpc 2013-11-21 05:50:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.