Bug 1248785 - SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket
SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
22
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Vit Mojzis
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-30 16:03 EDT by dan
Modified: 2016-05-10 13:57 EDT (History)
8 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-128.23.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1039644
Environment:
Last Closed: 2016-05-10 13:57:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description dan 2015-07-30 16:03:52 EDT
This bug was initially created as a clone of Bug #1039644 +++

Description of problem:

SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket port 1533.  Since clamd tried to grab a random ephemeral port this is a bug.

This issue appears to have been resolved for the RHEL distro.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that clamd should be allowed name_bind access on the port 1533 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:virtual_places_port_t:s0
Target Objects                port 1533 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          1533
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxx
Platform                      Linux xxxx 4.1.2-200.fc22.x86_64 #1 SMP
                              Wed Jul 15 20:12:12 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-30 15:50:00 EDT
Last Seen                     2015-07-30 15:50:00 EDT
Local ID                      964a25a0-619c-4fa2-afa4-42f262f7e30d

Raw Audit Messages
type=AVC msg=audit(1438285800.346:29054): avc:  denied  { name_bind } for  pid=30042 comm="clamd" src=1533 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:virtual_places_port_t:s0 tclass=tcp_socket permissive=0


type=SYSCALL msg=audit(1438285800.346:29054): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f3237c36a90 a2=10 a3=834e0b5f items=0 ppid=1 pid=30042 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,virtual_places_port_t,tcp_socket,name_bind
Comment 1 dan 2015-09-16 16:43:51 EDT
Checking to see if this will be addressed during the FC22 lifecycle?
Comment 2 Miroslav Grepl 2015-09-22 05:07:17 EDT
You can allow it for now using

# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 3 dan 2015-09-22 10:03:37 EDT
Every time clamd runs, it seeks to bind to a different ephemeral port.  Will running this allow for all > 1023 or just 1533 as is my understand?  Please advise.
Comment 4 Miroslav Grepl 2015-10-12 07:32:08 EDT
It will allow just 1533 as you wrote. We need to update the policy to allow all ephemeral ports.
Comment 5 Vit Mojzis 2015-11-19 09:10:53 EST
Did you mean all unreserved ports?
unreserved_port_t              tcp      1024-32767, 61001-65535
ephemeral_port_t               tcp      32768-61000
Comment 6 dan 2015-11-19 09:16:38 EST
It looks like unreserved would work...however, the answer may be more granular.  I found that there is a port range defined in /etc/clamd.d/scan.conf which defaults to 1024-2048.

StreamingMinPort 1024
StreamingMaxPort 2048

So I tried the following:

semanage port -a -t clamd_port_t -p tcp 1024-2048

I am still having some issues with clamd but it appears to have gotten rid of the selinux blocks.
Comment 7 dan 2015-11-21 22:50:01 EST
Some further info...in attempting to make use of the ClamAV.pm plugin for spamassassin with clamd, I have determined that there also needs to be a related policy change for spamassassin.

spamassassin tries to use /usr/bin/perl for a name_connect that is being denied.

I put both spamassassin and antivirus in permissive mode to get this all working.

When an incoming email arrives, spamassassin attempts a connect to a local socket and the following is observed:

SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket port xxxx.  (unreserved)

SELinux is preventing /usr/bin/perl from name_connect access on the tcp_socket port xxxx.  (unreserved)

So now I see both sides of the connection.
Comment 8 Vit Mojzis 2015-11-25 05:55:47 EST
This should fix the issue for clamd. As for perl, please file a separate bug.

https://github.com/fedora-selinux/selinux-policy/pull/71

commit bf50440b673199148f9bc07d18db37e17e5e1d38
Author: Vit Mojzis <vmojzis@redhat.com>
Date:   Thu Nov 19 14:59:08 2015 +0100

    Allow antivirus_t to bind to all unreserved ports.
    Clamd binds to random unassigned port (by default in range 1024-2048).
Comment 9 dan 2015-11-26 17:56:11 EST
Seems to work, thank you.  Is there a way to display what is allowed for a process domain using sepolicy or some other command?
Comment 10 Milos Malik 2015-11-27 02:21:39 EST
sesearch -s antivirus_t -c tcp_socket -p name_bind -A -C

The sesearch tool comes from setools-console package.
Comment 11 dan 2015-11-27 08:59:09 EST
Confirm rule is installed and behavior is correct.  Bug report can be resolved.

Found 6 semantic av rules:
   allow antivirus_domain amavisd_recv_port_t : tcp_socket name_bind ;
   allow antivirus_t unreserved_port_type : tcp_socket name_bind ;
   allow antivirus_domain clamd_port_t : tcp_socket { name_bind name_connect } ;
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
Comment 12 dan 2015-12-01 08:55:46 EST
The occassional port is still being denied:

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:flash_port_t:s0
Target Objects                port 1935 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          1935
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP
                              Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-11-27 00:00:43 EST
Last Seen                     2015-12-01 06:54:21 EST
Local ID                      e563e79c-7bbe-4895-991c-3f4f0406321c

Raw Audit Messages
type=AVC msg=audit(1448970861.756:7548): avc:  denied  { name_bind } for  pid=10411 comm="clamd" src=1935 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:flash_port_t:s0 tclass=tcp_socket permissive=0


type=SYSCALL msg=audit(1448970861.756:7548): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=10411 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,flash_port_t,tcp_socket,name_bind

----------


Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:lmtp_port_t:s0
Target Objects                port 2003 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          2003
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP
                              Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-11-28 23:30:10 EST
Last Seen                     2015-11-29 20:34:37 EST
Local ID                      14c678c1-6092-4dd5-ae46-6a54cce610e2

Raw Audit Messages
type=AVC msg=audit(1448847277.766:5370): avc:  denied  { name_bind } for  pid=364 comm="clamd" src=2003 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0


type=SYSCALL msg=audit(1448847277.766:5370): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=364 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,lmtp_port_t,tcp_socket,name_bind

-------


Additional Information:
Source Context                system_u:system_r:antivirus_t:s0
Target Context                system_u:object_r:pop_port_t:s0
Target Objects                port 1109 [ tcp_socket ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          1109
Host                          ears.private
Source RPM Packages           clamav-server-0.98.7-1.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.2.6-200.fc22.x86_64 #1 SMP
                              Tue Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-28 08:06:23 EST
Last Seen                     2015-11-28 08:06:23 EST
Local ID                      0bbc22a3-a665-4170-ac3c-0840f10cd1da

Raw Audit Messages
type=AVC msg=audit(1448715983.858:3206): avc:  denied  { name_bind } for  pid=30861 comm="clamd" src=1109 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0


type=SYSCALL msg=audit(1448715983.858:3206): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5750b3da90 a2=10 a3=8 items=0 ppid=1 pid=30861 auid=4294967295 uid=400 gid=289 euid=400 suid=400 fsuid=400 egid=289 sgid=289 fsgid=289 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:antivirus_t:s0 key=(null)

Hash: clamd,antivirus_t,pop_port_t,tcp_socket,name_bind
Comment 13 Vit Mojzis 2015-12-03 11:15:31 EST
Does the occasional deny cause clamd to crash, or does it simply choose different port? If it's the latter case, we could just stop auditing the failed attempts. Remote clients such as spam assassin would then only need access to unreserved ports.
Comment 14 dan 2015-12-03 12:56:07 EST
Good question, if you (or someone) can suggest a way to verify I will assist.

I checked the system logs and there is no sign of a clamd crash.  I would have to try to match up a particular piece of email received at the time of the selinux block to see if it was actually scanned by examining the message headers.  I will try this unless someone has a more straightforward debugging suggestion.
Comment 15 dan 2015-12-03 13:47:31 EST
I did match up one incoming email that was flagged as spam with no virus with a date/time match to the AVC.  The email appears to have been properly scanned so I surmise (but cannot confirm) that the client tried an alternate tcpopen when the first one failed.
Comment 16 Fedora Update System 2015-12-09 08:56:03 EST
selinux-policy-3.13.1-128.22.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683
Comment 17 Vit Mojzis 2015-12-09 11:44:44 EST
My idea was to narrow down the range of available ports by changing values of 
StreamingMinPort and StreamingMaxPort, so as to increase the chance of deny by SELinux. The range would obviously have to contain an "assigned" port.
Following values should do (documentation doesn't specify any limit for the range size, hopefully there isn't any)
StreamingMinPort 1935 (assuming the range is inclusive)
StreamingMaxPort 1936
as 1935 is labeled flash_port_t.

You could then try sending yourself a fake email (eg. using https://emkei.cz/) containing key words (or source address) that would cause it to be flagged as spam.

However, I believe that the absence of clamd crash reports (and your following analysis) should suffice as a confirmation. 

commit 55ab92e1aff5af3acc22c9c34fdac442e34ae5ca
Author: Vit Mojzis <vmojzis@redhat.com>
Date:   Wed Dec 9 15:49:21 2015 +0100

    Dontaudit attempts of antivirus_t to bind to reserved ports. #1248785
    It randomly chooses port in range 1024-2048 (by default), some of which are assigned.
Comment 18 Fedora Update System 2015-12-09 18:22:43 EST
selinux-policy-3.13.1-128.22.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683
Comment 19 Fedora Update System 2016-01-18 08:20:27 EST
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 20 Fedora Update System 2016-01-19 22:53:44 EST
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 21 Fedora Update System 2016-02-15 12:47:29 EST
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 22 Fedora Update System 2016-02-17 01:26:31 EST
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 23 Fedora Update System 2016-02-18 07:28:29 EST
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 24 Fedora Update System 2016-02-21 13:29:24 EST
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 25 Fedora Update System 2016-05-10 13:56:10 EDT
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.