Bug 1292227 - clamav-milter does not transition to antivirus_t
Summary: clamav-milter does not transition to antivirus_t
Status: CLOSED DUPLICATE of bug 1434176
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: clamav
Version: epel7
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-16 19:11 UTC by Orion Poplawski
Modified: 2017-04-18 17:53 UTC (History)

Last Closed: 2017-04-18 17:53:54 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1293493 0 low CLOSED SELinux is preventing sendmail from 'connectto' accesses on the unix_stream_socket /run/clamav-milter/clamav-milter.sock... 2021-02-22 00:41:40 UTC

Internal Links: 1293493

Description Orion Poplawski 2015-12-16 19:11:56 UTC
Description of problem:

With the update to 0.99-2, clamav-milter does not transition to antivirus_t:

system_u:system_r:init_t:s0     clamilt  14161     1  0 12:06 ?        00:00:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

this prevents other processes from connecting to it:

type=AVC msg=audit(1450284018.205:679866): avc:  denied  { connectto } for  pid=17106 comm="smtpd" path="/run/clamav-milter/clamav-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

and:

type=AVC msg=audit(1450284018.631:679867): avc:  denied  { write } for  pid=16668 comm="clamd" path=2F746D702F636C616D61762D36303133353663356363323062353764346432336464363838303262313466372E746D70202864656C6574656429 dev="md3" ino=3897 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

This is probably triggered by recent changes to the systemd service file:

--- a/clamav-milter.systemd
+++ b/clamav-milter.systemd
@@ -9,5 +9,17 @@ Type = simple
 ExecStart = /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes
 Restart = on-failure

+User=clamilt
+Group=clamilt
+
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_KILL
+
+ReadOnlyDirectories=/etc
+ReadOnlyDirectories=/usr
+ReadOnlyDirectories=/var/lib
+
 [Install]
 WantedBy = multi-user.target
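
Review bot: NoNewPrivileges=yes in the added block conflicts with the SELinux domain transition this unit relies on. Once no_new_privs is set, the kernel refuses an exec-time transition out of init_t unless the policy explicitly permits it, which matches the init_t label on the clamav-milter process shown above. Drop that line, or keep it only together with a policy change that allows the transition, and confirm the process label with ps -Z after a restart. The new PrivateTmp= and ReadOnlyDirectories= lines also go in without a comment on which paths the milter still has to write to; the denials reference /run/clamav-milter/clamav-milter.sock and a temp file under /tmp, so note those next to the settings.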

Version-Release number of selected component (if applicable):
clamav-milter-systemd-0.99-2.el7.noarch
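
Added example (not part of the bug report or of the clamav packaging): a small Python parser run over the two AVC records quoted in the description above. It decodes the hex-encoded `path` field and flags records where either context carries an `init_*` type; reading that as a sign of a missing domain transition is a heuristic drawn from this report, and the function names are hypothetical.

```python
import re

# The two AVC records quoted in the report above, embedded verbatim so this runs offline.
AVC_LINES = [
    'type=AVC msg=audit(1450284018.205:679866): avc:  denied  { connectto } for  pid=17106 comm="smtpd" path="/run/clamav-milter/clamav-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1450284018.631:679867): avc:  denied  { write } for  pid=16668 comm="clamd" path=2F746D702F636C616D61762D36303133353663356363323062353764346432336464363838303262313466372E746D70202864656C6574656429 dev="md3" ino=3897 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')
# Fields auditd writes as bare hex when the value holds spaces or control bytes.
# Only these are decoded, so numeric fields such as ino=3897 are left alone.
MAYBE_HEX = {'path', 'comm', 'name', 'exe'}


def decode_value(key, raw):
    """Return the field value with quotes stripped or hex encoding undone."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in MAYBE_HEX and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_avc(line):
    """Split one AVC record into a dict, adding perms and the SELinux types."""
    rec = {k: decode_value(k, v) for k, v in FIELD.findall(line)}
    m = PERMS.search(line)
    rec['perms'] = m.group(1).split() if m else []
    for side in ('scontext', 'tcontext'):
        # Context layout is user:role:type:level; the type is the third part.
        rec[side + '_type'] = rec[side].split(':')[2]
    return rec


def untransitioned(rec):
    """Heuristic for this bug: an init_* type on either side means the label
    was inherited from systemd instead of the service's own domain."""
    return any(rec[s + '_type'].startswith('init_') for s in ('scontext', 'tcontext'))


if __name__ == '__main__':
    for rec in map(parse_avc, AVC_LINES):
        flag = 'CHECK TRANSITION' if untransitioned(rec) else 'ok'
        print(rec['scontext_type'], rec['perms'], rec['tcontext_type'], rec['path'], flag)
```
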

Comment 1 Pekka Savola 2015-12-27 22:06:31 UTC
Got hit by this as well.

Also related to #1292223

Two other reports: #1293493 #1293046

Comment 2 Orion Poplawski 2017-04-18 17:53:54 UTC

*** This bug has been marked as a duplicate of bug 1434176 ***

