Bug 1292227 - clamav-milter does not transition to antivirus_t
Status: CLOSED DUPLICATE of bug 1434176
Product: Fedora EPEL
Classification: Fedora
Component: clamav
Version: epel7
Hardware/OS: All Linux
Priority: unspecified
Severity: high
Assigned To: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-16 14:11 EST by Orion Poplawski
Modified: 2017-04-18 13:53 EDT
Last Closed: 2017-04-18 13:53:54 EDT
Type: Bug
Doc Type: Bug Fix
Attachments: None

Description Orion Poplawski 2015-12-16 14:11:56 EST
Description of problem:

With the update to 0.99-2, clamav-milter does not transition to antivirus_t:

system_u:system_r:init_t:s0     clamilt  14161     1  0 12:06 ?        00:00:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

This prevents other processes from connecting to it:

type=AVC msg=audit(1450284018.205:679866): avc:  denied  { connectto } for  pid=17106 comm="smtpd" path="/run/clamav-milter/clamav-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

and:

type=AVC msg=audit(1450284018.631:679867): avc:  denied  { write } for  pid=16668 comm="clamd" path=2F746D702F636C616D61762D36303133353663356363323062353764346432336464363838303262313466372E746D70202864656C6574656429 dev="md3" ino=3897 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

This is probably triggered by recent changes to the systemd service file:

--- a/clamav-milter.systemd
+++ b/clamav-milter.systemd
@@ -9,5 +9,17 @@ Type = simple
 ExecStart = /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes
 Restart = on-failure

+User=clamilt
+Group=clamilt
+
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_KILL
+
+ReadOnlyDirectories=/etc
+ReadOnlyDirectories=/usr
+ReadOnlyDirectories=/var/lib
+
 [Install]
 WantedBy = multi-user.target
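Review bot: NoNewPrivileges=yes is the line to look at for the missing transition: with no_new_privs set before exec, the EL7-era kernel refuses SELinux domain transitions at ExecStart, so the process stays in init_t, which is exactly what the ps line (system_u:system_r:init_t:s0 ... clamav-milter) and the connectto denial against tcontext init_t show. PrivateTmp=yes then explains the second denial: the milter's scan files are created by an init_t process under /tmp (the hex path in that AVC decodes to /tmp/clamav-601356c5cc20b57d4d23dd68802b14f7.tmp (deleted)) and therefore get init_tmp_t, which clamd's antivirus_t may not write. Suggest dropping NoNewPrivileges=yes until the policy permits the antivirus_t transition under no_new_privs, then re-testing before touching PrivateTmp=yes, since once the transition works the temp files get the antivirus domain's own tmp type and the init_tmp_t denial should disappear on its own rather than needing a local policy module.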

Version-Release number of selected component (if applicable):
clamav-milter-systemd-0.99-2.el7.noarch
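Added example, not part of the bug report or of the clamav package: a small parser for AVC lines of the shape quoted above, which decodes the hex-encoded path field (the audit subsystem hex-encodes a value that contains spaces, such as a "(deleted)" path) and then flags denials whose target is owned by init_t or was created by it. That is the signature a defender would look for when a hardened unit stops transitioning: a confined domain being denied access to a daemon's socket or tmp files that still carry init's labels. The two sample lines are constructed copies of the denials in the description; the set of init-owned types is an assumption of this example.

```python
"""Parse SELinux AVC denials and flag targets still labelled for init_t."""
import re
from dataclasses import dataclass

# Constructed sample input, copied in shape from the two AVC lines in the report.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1450284018.205:679866): avc:  denied  { connectto } for  pid=17106 '
    'comm="smtpd" path="/run/clamav-milter/clamav-milter.sock" '
    'scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket',
    'type=AVC msg=audit(1450284018.631:679867): avc:  denied  { write } for  pid=16668 '
    'comm="clamd" path=2F746D702F636C616D61762D36303133353663356363323062353764346432336464'
    '363838303262313466372E746D70202864656C6574656429 dev="md3" ino=3897 '
    'scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 '
    'tclass=file',
]

# Fields the audit subsystem emits hex-encoded (unquoted) when the value contains
# spaces, quotes or control characters; numeric fields like pid/ino are never hex.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle"}

# Assumption of this example: object types that indicate "init created/owns this".
INIT_OWNED_TYPES = {"init_t", "init_tmp_t", "init_var_run_t"}

_HEADER = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
_FIELD = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


def decode_audit_value(key, raw):
    """Strip quotes from quoted values; hex-decode fields audit hex-encodes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    decision: str
    permissions: tuple
    fields: dict

    def _type_of(self, ctx_field):
        # A context is user:role:type:level; the type is the third component.
        return self.fields[ctx_field].split(":")[2]

    @property
    def source_type(self):
        return self._type_of("scontext")

    @property
    def target_type(self):
        return self._type_of("tcontext")


def parse_avc(line):
    """Return an AvcEvent for a type=AVC line, or None for any other record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: decode_audit_value(k, v) for k, v in _FIELD.findall(m.group("rest"))}
    return AvcEvent(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=tuple(m.group("perms").split()),
        fields=fields,
    )


def init_owned_denials(lines):
    """Return (comm, source_type, target_type, tclass, path) for every denial whose
    target carries an init-owned type. A service's socket or tmp files appearing
    here usually means the service never left init_t at ExecStart."""
    hits = []
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev.decision != "denied":
            continue
        if ev.target_type in INIT_OWNED_TYPES:
            hits.append((ev.fields.get("comm"), ev.source_type, ev.target_type,
                         ev.fields.get("tclass"), ev.fields.get("path")))
    return hits


if __name__ == "__main__":
    for hit in init_owned_denials(SAMPLE_AVC_LINES):
        print("init-owned target denied: comm=%s %s -> %s (%s) path=%s" % hit)
```

Run over a real audit.log (`grep type=AVC /var/log/audit/audit.log`), a non-empty result from `init_owned_denials` is the quick check that a unit's process is still in init_t, before reaching for `ps -eZ` on each service.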
Comment 1 Pekka Savola 2015-12-27 17:06:31 EST
Got hit by this as well.

Also related to #1292223

Two other reports: #1293493 #1293046
Comment 2 Orion Poplawski 2017-04-18 13:53:54 EDT

*** This bug has been marked as a duplicate of bug 1434176 ***
