Description of problem:

With the update to 0.99-2, clamav-milter does not transition to antivirus_t:

system_u:system_r:init_t:s0 clamilt 14161 1 0 12:06 ? 00:00:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

This prevents other processes from connecting to it:

type=AVC msg=audit(1450284018.205:679866): avc: denied { connectto } for pid=17106 comm="smtpd" path="/run/clamav-milter/clamav-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

and:

type=AVC msg=audit(1450284018.631:679867): avc: denied { write } for pid=16668 comm="clamd" path=2F746D702F636C616D61762D36303133353663356363323062353764346432336464363838303262313466372E746D70202864656C6574656429 dev="md3" ino=3897 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

This is probably triggered by recent changes to the systemd service file:

--- a/clamav-milter.systemd
+++ b/clamav-milter.systemd
@@ -9,5 +9,17 @@
 Type = simple
 ExecStart = /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes
 Restart = on-failure
+User=clamilt
+Group=clamilt
+
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_KILL
+
+ReadOnlyDirectories=/etc
+ReadOnlyDirectories=/usr
+ReadOnlyDirectories=/var/lib
+
 [Install]
 WantedBy = multi-user.target

Version-Release number of selected component (if applicable):
clamav-milter-systemd-0.99-2.el7.noarch
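Review bot: NoNewPrivileges=yes in this hunk is the likely reason the milter is left in init_t rather than antivirus_t: the kernel's no_new_privs flag blocks SELinux domain transitions on exec unless both kernel and policy explicitly allow nnp transitions, so the init_t -> antivirus_t transition that /usr/sbin/clamav-milter would normally trigger is refused and the process keeps systemd's own domain, which is exactly what the ps -eZ line in the description shows. PrivateTmp=yes then compounds it: the scan file the milter creates under its private /tmp is labelled init_tmp_t after its init_t creator, which is why clamd (antivirus_t) is denied write on it in the second AVC. Suggest dropping NoNewPrivileges=yes (or gating it on a policy that permits the transition) and verifying with ps -eZ that clamav-milter runs as antivirus_t after a restart before the other hardening lines are kept.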
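The two AVC records in the description are the kind of thing worth pulling apart mechanically when triaging a report like this, so here is an added example (not part of this report, the clamav package, or the policy) that parses type=AVC audit records, decodes the hex-encoded path field (auditd hex-encodes a value that contains a space or quote, such as the " (deleted)" suffix in the second record, instead of quoting it), and flags an object whose SELinux type disagrees with the domain its owning process should run in. The sample input is the two records quoted above; the expected domain antivirus_t is the reporter's own statement, and all function names are chosen for this example.

```python
import re

# Constructed sample input: the two AVC records quoted in the bug description above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1450284018.205:679866): avc: denied { connectto } for pid=17106 comm="smtpd" path="/run/clamav-milter/clamav-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1450284018.631:679867): avc: denied { write } for pid=16668 comm="clamd" path=2F746D702F636C616D61762D36303133353663356363323062353764346432336464363838303262313466372E746D70202864656C6574656429 dev="md3" ino=3897 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s*\{\s*([^}]*)\}')
# Fields that auditd emits as a bare hex string when the value contains a space or quote.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle"}


def decode_field(key, raw):
    """Strip surrounding quotes, or hex-decode an unquoted value of a hex-encodable field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS:
        try:
            return bytes.fromhex(raw).decode("utf-8", errors="replace")
        except ValueError:  # not hex after all, e.g. the literal (null)
            return raw
    return raw


def parse_avc(line):
    """Return the fields of one type=AVC record as a dict, or None for other record types."""
    if "type=AVC" not in line:
        return None
    rec = {k: decode_field(k, v) for k, v in FIELD_RE.findall(line)}
    m = PERM_RE.search(line)
    rec["denied"] = m.group(1).split() if m else []
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            # user:role:type:level; the type is what policy rules are written against
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def parse_audit_log(text):
    """Parse every AVC record in an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def domain_mismatches(records, expected):
    """expected maps an object path to the SELinux type of the process that should own it.

    Returns (path, actual_type) for denials whose target context disagrees. The report's
    connectto denial lands here because the milter's socket is owned by init_t, not antivirus_t.
    """
    return [(r["path"], r["tcontext_type"])
            for r in records
            if r.get("path") in expected and r.get("tcontext_type") != expected[r["path"]]]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(f'{r["comm"]} ({r["scontext_type"]}) denied {r["denied"]} on '
              f'{r["tclass"]} {r["path"]} [{r["tcontext_type"]}]')
    print(domain_mismatches(recs, {"/run/clamav-milter/clamav-milter.sock": "antivirus_t"}))
```

Run against a real /var/log/audit/audit.log excerpt, the decoded path of the second record reads /tmp/clamav-601356c5cc20b57d4d23dd68802b14f7.tmp (deleted), and the mismatch list makes the wrong-domain socket visible without reading contexts by hand.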
Got hit by this as well. Also related to #1292223. Two other reports: #1293493, #1293046.
*** This bug has been marked as a duplicate of bug 1434176 ***