Created attachment 1107754 [details] clamav-milter.service file Description of problem: Dec 19 16:21:55 sendmail[4519]: ...: Milter (clamav): error connecting to filter: Permission denied Dec 19 16:21:55 sendmail[4519]: ...: Milter (clamav): to error state On permissive selinux state - no problems. Version-Release number of selected component (if applicable): sendmail-8.15.2-1.fc22.x86_64 clamav-0.99-2.fc22.x86_64 clamav-scanner-systemd-0.99-2.fc22.noarch selinux-policy-targeted-3.13.1-128.21.fc22.noarch Additional info: audit2allow -al ----------------- type=AVC msg=audit(1450538112.582:5705): avc: denied { connectto } for pid=31852 comm="sendmail" path="/run/clamav-milter/clamav-milter.socket" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1 Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1450538112.899:5712): avc: denied { write } for pid=4897 comm="clamd" path=2F746D702F636C616D61762D63613037353266623939656361323834306539386663316137613030393830362E746D70202864656C6574656429 dev="tmpfs" ino=84106 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=1 Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. ----------------------------- ls -lZ /run/clamav-milter/clamav-milter.socket srw-r--r--. 1 clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 0 19 Dec 17,11 /run/clamav-milter/clamav-milter.socket --------- clam socket directories ------ ls -lZ /run |grep clam drwx--x---. 2 clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 60 19 Dec 17,11 clamav-milter drwx--x--x. 2 clamscan clamscan system_u:object_r:antivirus_var_run_t:s0 60 19 Dec 16,31 clamd.scan --- clamav, and sendmail processes -- ps axZ |egrep 'sendmail|clam' system_u:system_r:antivirus_t:s0 4897 ? Ssl 0:25 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes system_u:system_r:sendmail_t:s0 4953 ? Ss 0:00 sendmail: accepting connections system_u:system_r:sendmail_t:s0 4969 ? Ss 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue system_u:system_r:init_t:s0 32617 ? Ssl 0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes --- clamd and clamav-milter executables --- ls -lZ /usr/sbin/clam* -rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 197096 6 Dec 19,15 /usr/sbin/clamav-milter -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1967 6 Dec 19,06 /usr/sbin/clamav-notify-servers -rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 182336 6 Dec 19,15 /usr/sbin/clamd
Same probleme here after upgrading from fc21 to fc22 (was working fine on fc21). When I generate the policy using audit2allow and then try to load it it fails with the following error: semodule -v -i sendmail.pp Attempting to install module 'sendmail.pp': Ok: return value of 0. Committing changes: libsepol.print_missing_requirements: sendmail's global requirements were not met: type/attribute sendmail_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! The generated policy is: module sendmail 1.0; require { type sendmail_t; type init_t; class unix_stream_socket connectto; } #============= sendmail_t ============== #!!!! The file '/run/clamav-milter/clamav-milter.socket' is mislabeled on your system. #!!!! Fix with $ restorecon -R -v /run/clamav-milter/clamav-milter.socket allow sendmail_t init_t:unix_stream_socket connectto;
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.