Bug 1292223 - clamav-milter fails to start with SELinux errors
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks: 1393878
Reported: 2015-12-16 13:58 EST by Orion Poplawski
Modified: 2016-11-10 09:24 EST

Doc Type: Bug Fix
Clones: 1393878
Last Closed: 2016-03-21 11:17:44 EDT
Type: Bug

Description Orion Poplawski 2015-12-16 13:58:05 EST
Description of problem:

With 0.99-2, clamav-milter fails to start:

Dec 16 11:51:03 vmsl7 systemd: Starting SYSV: A virus scanning milter...
Dec 16 11:51:03 vmsl7 clamav-milter: Starting clamav-milter: ERROR: Cannot set milter socket permission to 660

type=AVC msg=audit(1450291863.719:321): avc:  denied  { fowner } for  pid=19044 comm="clamav-milter" capability=3  scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:antivirus_t:s0 tclass=capability

I'm not entirely sure if this is a clamav or selinux issue.  Works with 0.98.7-1.

Version-Release number of selected component (if applicable):
clamav-milter-0.99-2.el7.x86_64
clamav-milter-sysvinit-0.98.7-1.el7.noarch
selinux-policy-3.13.1-60.el7.noarch
Comment 2 Lukas Vrabec 2016-03-19 18:42:07 EDT
Hi, 
Could you reproduce it again?

I tried it, and I cannot reproduce this issue.
Comment 3 Orion Poplawski 2016-03-20 13:40:19 EDT
I do not appear to be able to reproduce now as well.
Comment 4 Orion Poplawski 2016-03-20 13:54:33 EDT
Note, however, that I do see bug #1293493 on EL7 as well.
Comment 5 Lukas Vrabec 2016-03-21 11:01:15 EDT
Do you agree that we can close this issue for now?
Comment 6 Orion Poplawski 2016-03-21 11:15:05 EDT
Yes, this one can be closed.
Comment 7 Lukas Vrabec 2016-03-21 11:17:44 EDT
Thank you.
Comment 8 Matt Domsch 2016-11-10 09:06:23 EST
I am seeing this on CentOS 6.

selinux-policy-3.7.19-292.el6.noarch
clamav-unofficial-sigs-3.7.1-7.el6.noarch
libselinux-2.0.94-7.el6.i686
libselinux-python-2.0.94-7.el6.i686
libselinux-devel-2.0.94-7.el6.i686
clamav-0.99.2-1.el6.i686
clamav-devel-0.99.2-1.el6.i686
clamav-milter-0.99.2-1.el6.i686
libselinux-utils-2.0.94-7.el6.i686
selinux-policy-targeted-3.7.19-292.el6.noarch
clamav-db-0.99.2-1.el6.i686


type=AVC msg=audit(1478785716.689:1006343): avc:  denied  { fowner } for  pid=19054 comm="clamav-milter" capability=3  scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=capability
type=SYSCALL msg=audit(1478785716.689:1006343): arch=40000003 syscall=15 success=no exit=-1 a0=8620ca0 a1=1b0 a2=861fe98 a3=2c3c64 items=0 ppid=19053 pid=19054 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6379 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)


$ ls -Z /usr/sbin/clamav-milter
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamav-milter



$ ls -ZR /var/run/clam*
/var/run/clamav:
-rw-rw-r--. clam clam unconfined_u:object_r:antivirus_var_run_t:s0 clamd.pid
srw-rw-rw-. clam clam unconfined_u:object_r:antivirus_var_run_t:s0 clamd.sock


# Default: no default
#MilterSocket /tmp/clamav-milter.socket
MilterSocket /var/run/clamav/clamav-milter.sock

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option to work)
#
# Default: unset (don't drop privileges)
User clam
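
Added example, not part of the original bug report and not code from ClamAV or selinux-policy: a small Python triage helper that pairs the AVC and SYSCALL records quoted in comment 8 by their audit serial number and decodes them, showing that the denied call is the chmod to mode 0660 requested by MilterSocketMode. The function names are hypothetical and the lookup tables are deliberately partial.

```python
import re

# Audit records copied verbatim from comment 8 on this page.
AUDIT_LINES = [
    'type=AVC msg=audit(1478785716.689:1006343): avc:  denied  { fowner } for  pid=19054 comm="clamav-milter" capability=3  scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1478785716.689:1006343): arch=40000003 syscall=15 success=no exit=-1 a0=8620ca0 a1=1b0 a2=861fe98 a3=2c3c64 items=0 ppid=19053 pid=19054 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6379 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)',
]
# Partial lookup tables: only the values needed here (from linux/capability.h,
# linux/audit.h and the i386/x86_64 syscall tables).
CAPS = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner"}
ARCHES = {"40000003": "i386", "c000003e": "x86_64"}
SYSCALLS = {("i386", 15): "chmod", ("x86_64", 90): "chmod"}

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def group_events(lines):
    """Group records by audit serial; AVC and SYSCALL of one event share it."""
    events = {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            perms = PERMS.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(serial, {})[rtype] = fields
    return events

def explain(event):
    """Summarise one denial: domain, capability, syscall and chmod mode."""
    avc, sc = event["AVC"], event.get("SYSCALL")
    out = {"comm": avc["comm"], "domain": avc["scontext"].split(":")[2],
           "perms": avc["perms"], "tclass": avc["tclass"]}
    if avc["tclass"] == "capability":
        cap = int(avc["capability"])
        out["capability"] = CAPS.get(cap, "cap_%d" % cap)
    if sc:
        arch = ARCHES.get(sc["arch"], sc["arch"])
        out["syscall"] = SYSCALLS.get((arch, int(sc["syscall"])), sc["syscall"])
        if out["syscall"] == "chmod":  # a1 is the hex-encoded mode argument
            out["mode"] = oct(int(sc["a1"], 16) & 0o7777)
        out["exe"] = sc["exe"]
    return out

if __name__ == "__main__":
    for serial, event in group_events(AUDIT_LINES).items():
        print(serial, explain(event))
```
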
