This bug was initially created as a clone of Bug #1039644 +++

Description of problem:
SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket port 1533. Since clamd tried to grab a random ephemeral port this is a bug. This issue appears to have been resolved for the RHEL distro.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that clamd should be allowed name_bind access on the port 1533 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:virtual_places_port_t:s0
Target Objects                port 1533 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          1533
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxx
Platform                      Linux xxxx 4.1.2-200.fc22.x86_64 #1 SMP Wed Jul 15 20:12:12 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-30 15:50:00 EDT
Last Seen                     2015-07-30 15:50:00 EDT
Local ID                      964a25a0-619c-4fa2-afa4-42f262f7e30d

Raw Audit Messages
type=AVC msg=audit(1438285800.346:29054): avc: denied { name_bind } for pid=30042 comm="clamd" src=1533 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:virtual_places_port_t:s0 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1438285800.346:29054): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f3237c36a90 a2=10 a3=834e0b5f items=0 ppid=1 pid=30042 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,virtual_places_port_t,tcp_socket,name_bind
Checking to see if this will be addressed during the FC22 lifecycle?
You can allow it for now using

# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Every time clamd runs, it seeks to bind to a different ephemeral port. Will running this allow for all > 1023 or just 1533, as is my understanding? Please advise.
It will allow just 1533 as you wrote. We need to update the policy to allow all ephemeral ports.
Did you mean all unreserved ports?

unreserved_port_t              tcp      1024-32767, 61001-65535
ephemeral_port_t               tcp      32768-61000
It looks like unreserved would work... however, the answer may be more granular. I found that there is a port range defined in /etc/clamd.d/scan.conf which defaults to 1024-2048.

StreamingMinPort 1024
StreamingMaxPort 2048

So I tried the following:

semanage port -a -t clamd_port_t -p tcp 1024-2048

I am still having some issues with clamd but it appears to have gotten rid of the selinux blocks.
Some further info... in attempting to make use of the ClamAV.pm plugin for spamassassin with clamd, I have determined that there also needs to be a related policy change for spamassassin. spamassassin tries to use /usr/bin/perl for a name_connect that is being denied. I put both spamassassin and antivirus in permissive mode to get this all working. When an incoming email arrives, spamassassin attempts a connect to a local socket and the following is observed:

SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket port xxxx. (unreserved)
SELinux is preventing /usr/bin/perl from name_connect access on the tcp_socket port xxxx. (unreserved)

So now I see both sides of the connection.
This should fix the issue for clamd. As for perl, please file a separate bug.

https://github.com/fedora-selinux/selinux-policy/pull/71

commit bf50440b673199148f9bc07d18db37e17e5e1d38
Author: Vit Mojzis <vmojzis>
Date:   Thu Nov 19 14:59:08 2015 +0100

    Allow antivirus_t to bind to all unreserved ports.
    Clamd binds to random unassigned port (by default in range 1024-2048).
Seems to work, thank you. Is there a way to display what is allowed for a process domain using sepolicy or some other command?
sesearch -s antivirus_t -c tcp_socket -p name_bind -A -C

The sesearch tool comes from the setools-console package.
Confirm rule is installed and behavior is correct. Bug report can be resolved.

Found 6 semantic av rules:
   allow antivirus_domain amavisd_recv_port_t : tcp_socket name_bind ;
   allow antivirus_t unreserved_port_type : tcp_socket name_bind ;
   allow antivirus_domain clamd_port_t : tcp_socket { name_bind name_connect } ;
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
The occasional port is still being denied:

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:flash_port_t:s0
Target Objects                port 1935 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          1935
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-11-27 00:00:43 EST
Last Seen                     2015-12-01 06:54:21 EST
Local ID                      e563e79c-7bbe-4895-991c-3f4f0406321c

Raw Audit Messages
type=AVC msg=audit(1448970861.756:7548): avc: denied { name_bind } for pid=10411 comm="clamd" src=1935 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:flash_port_t:s0 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1448970861.756:7548): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=10411 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,flash_port_t,tcp_socket,name_bind

----------

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:lmtp_port_t:s0
Target Objects                port 2003 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          2003
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-11-28 23:30:10 EST
Last Seen                     2015-11-29 20:34:37 EST
Local ID                      14c678c1-6092-4dd5-ae46-6a54cce610e2

Raw Audit Messages
type=AVC msg=audit(1448847277.766:5370): avc: denied { name_bind } for pid=364 comm="clamd" src=2003 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1448847277.766:5370): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=364 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,lmtp_port_t,tcp_socket,name_bind

-------

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:pop_port_t:s0
Target Objects                port 1109 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          1109
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-28 08:06:23 EST
Last Seen                     2015-11-28 08:06:23 EST
Local ID                      0bbc22a3-a665-4170-ac3c-0840f10cd1da

Raw Audit Messages
type=AVC msg=audit(1448715983.858:3206): avc: denied { name_bind } for pid=30861 comm="clamd" src=1109 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1448715983.858:3206): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=30861 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,pop_port_t,tcp_socket,name_bind
Does the occasional deny cause clamd to crash, or does it simply choose different port? If it's the latter case, we could just stop auditing the failed attempts. Remote clients such as spam assassin would then only need access to unreserved ports.
Good question, if you (or someone) can suggest a way to verify I will assist. I checked the system logs and there is no sign of a clamd crash. I would have to try to match up a particular piece of email received at the time of the selinux block to see if it was actually scanned by examining the message headers. I will try this unless someone has a more straightforward debugging suggestion.
I did match up one incoming email that was flagged as spam with no virus with a date/time match to the AVC. The email appears to have been properly scanned so I surmise (but cannot confirm) that the client tried an alternate tcpopen when the first one failed.
selinux-policy-3.13.1-128.22.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683
My idea was to narrow down the range of available ports by changing values of StreamingMinPort and StreamingMaxPort, so as to increase the chance of deny by SELinux. The range would obviously have to contain an "assigned" port. The following values should do (documentation doesn't specify any limit for the range size, hopefully there isn't any):

StreamingMinPort 1935 (assuming the range is inclusive)
StreamingMaxPort 1936

as 1935 is labeled flash_port_t. You could then try sending yourself a fake email (e.g. using https://emkei.cz/) containing key words (or source address) that would cause it to be flagged as spam. However, I believe that the absence of clamd crash reports (and your following analysis) should suffice as a confirmation.

commit 55ab92e1aff5af3acc22c9c34fdac442e34ae5ca
Author: Vit Mojzis <vmojzis>
Date:   Wed Dec 9 15:49:21 2015 +0100

    Dontaudit attempts of antivirus_t to bind to reserved ports. #1248785
    It randomly chooses port in range 1024-2048 (by default), some of which are assigned.
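The thread above pins the remaining denials on ports inside the StreamingMinPort/StreamingMaxPort range (1024-2048 by default) that carry a specific label such as flash_port_t or lmtp_port_t, which the allow rule for unreserved_port_type does not cover. As an added example (not part of this bug report or of the selinux-policy project), the following Python script parses a constructed `semanage port -l` excerpt and a constructed AVC record in the shape quoted in this thread, and lists the labeled ports inside a configured streaming range that a domain permitted only unreserved ports cannot bind to. The port labels and numbers in the sample data are the ones quoted in this report; a real run would feed it the actual `semanage port -l` output and audit.log lines.

```python
import re

# Constructed excerpt in the layout `semanage port -l` prints; only labels from this bug appear.
SEMANAGE_PORT_LISTING = """\
SELinux Port Type              Proto    Port Number
ephemeral_port_t               tcp      32768-61000
flash_port_t                   tcp      1935
lmtp_port_t                    tcp      2003
pop_port_t                     tcp      1109
unreserved_port_t              tcp      1024-32767, 61001-65535
virtual_places_port_t          tcp      1533
"""

# Constructed AVC record with the same fields as the denials quoted in this report.
AVC_SAMPLE = ('type=AVC msg=audit(1448970861.756:7548): avc: denied { name_bind } for '
              'pid=10411 comm="clamd" src=1935 scontext=system_u:system_r:antivirus_t:s0 '
              'tcontext=system_u:object_r:flash_port_t:s0 tclass=tcp_socket permissive=0')

LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")
AVC_RE = re.compile(r"denied\s+\{ (\w+) \}.*?src=(\d+).*?tcontext=\w+:\w+:(\w+):")

def parse_semanage_ports(text: str) -> dict[str, list[tuple[int, int]]]:
    """Return {port_type: [(low, high), ...]} for the tcp rows of a semanage dump."""
    ports: dict[str, list[tuple[int, int]]] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m or m.group(2) != "tcp":
            continue
        for item in m.group(3).split(","):
            lo, _, hi = item.strip().partition("-")
            ports.setdefault(m.group(1), []).append((int(lo), int(hi or lo)))
    return ports

def assigned_ports_in_range(text: str, lo: int, hi: int) -> dict[int, str]:
    """Ports in [lo, hi] with a specific label. A single-port definition overrides the
    generic unreserved range, so a domain allowed only unreserved_port_type (the fix in
    this bug) is still denied name_bind on these; the later dontaudit only silences the log."""
    hits: dict[int, str] = {}
    for ptype, ranges in parse_semanage_ports(text).items():
        if ptype in ("unreserved_port_t", "ephemeral_port_t"):
            continue
        for a, b in ranges:
            for port in range(max(a, lo), min(b, hi) + 1):
                hits[port] = ptype
    return hits

def parse_avc(line: str):
    """Extract (permission, source port, target port type) from a name_bind AVC record."""
    m = AVC_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None
```

Running `assigned_ports_in_range(SEMANAGE_PORT_LISTING, 1935, 1936)` reproduces the narrowed range suggested above, where every bind attempt lands on a labeled port.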
selinux-policy-3.13.1-128.22.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.