+++ This bug was initially created as a clone of Bug #1292223 +++

Description of problem:
With 0.99-2, clamav-milter fails to start:

Dec 16 11:51:03 vmsl7 systemd: Starting SYSV: A virus scanning milter...
Dec 16 11:51:03 vmsl7 clamav-milter: Starting clamav-milter: ERROR: Cannot set milter socket permission to 660

type=AVC msg=audit(1450291863.719:321): avc: denied { fowner } for pid=19044 comm="clamav-milter" capability=3 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:antivirus_t:s0 tclass=capability

I'm not entirely sure if this is a clamav or selinux issue. Works with 0.98.7-1.

Version-Release number of selected component (if applicable):
clamav-milter-0.99-2.el7.x86_64
clamav-milter-sysvinit-0.98.7-1.el7.noarch
selinux-policy-3.13.1-60.el7.noarch

--- Additional comment from Lukas Vrabec on 2016-03-19 18:42:07 EDT ---

Hi,
Could you reproduce it, again? I tried it, and I cannot reproduce this issue.

--- Additional comment from Orion Poplawski on 2016-03-20 13:40:19 EDT ---

I do not appear to be able to reproduce now as well.

--- Additional comment from Orion Poplawski on 2016-03-20 13:54:33 EDT ---

Note, however, that I do see bug #1293493 on EL7 as well.

--- Additional comment from Lukas Vrabec on 2016-03-21 11:01:15 EDT ---

Do you agree that we can close this issue for now?

--- Additional comment from Orion Poplawski on 2016-03-21 11:15:05 EDT ---

Yes, this one can be closed.

--- Additional comment from Lukas Vrabec on 2016-03-21 11:17:44 EDT ---

Thank you.

--- Additional comment from Matt Domsch on 2016-11-10 09:06:23 EST ---

I am seeing this on CentOS 6.

selinux-policy-3.7.19-292.el6.noarch
clamav-unofficial-sigs-3.7.1-7.el6.noarch
libselinux-2.0.94-7.el6.i686
libselinux-python-2.0.94-7.el6.i686
libselinux-devel-2.0.94-7.el6.i686
clamav-0.99.2-1.el6.i686
clamav-devel-0.99.2-1.el6.i686
clamav-milter-0.99.2-1.el6.i686
libselinux-utils-2.0.94-7.el6.i686
selinux-policy-targeted-3.7.19-292.el6.noarch
clamav-db-0.99.2-1.el6.i686

type=AVC msg=audit(1478785716.689:1006343): avc: denied { fowner } for pid=19054 comm="clamav-milter" capability=3 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=capability
type=SYSCALL msg=audit(1478785716.689:1006343): arch=40000003 syscall=15 success=no exit=-1 a0=8620ca0 a1=1b0 a2=861fe98 a3=2c3c64 items=0 ppid=19053 pid=19054 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6379 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)

$ ls -Z /usr/sbin/clamav-milter
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamav-milter

$ ls -ZR /var/run/clam*
/var/run/clamav:
-rw-rw-r--. clam clam unconfined_u:object_r:antivirus_var_run_t:s0 clamd.pid
srw-rw-rw-. clam clam unconfined_u:object_r:antivirus_var_run_t:s0 clamd.sock

# Default: no default
#MilterSocket /tmp/clamav-milter.socket
MilterSocket /var/run/clamav/clamav-milter.sock

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option to work)
#
# Default: unset (don't drop privileges)
User clam

Hi,
Clamav-milter is part of EPEL.

Workaround:

# yum install selinux-policy-devel

# cat antivirus_fowner.te
policy_module(antivirus_fowner, 1.0.0)

require {
        type antivirus_t;
}

#============= antivirus_t ==============
allow antivirus_t self:capability fowner;

# make -f /usr/share/selinux/devel/Makefile antivirus_fowner.pp
# semodule -i antivirus_fowner.pp
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information. Feel free to clone this bug to RHEL-7 if it is still a problem for you.
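
Added example, not part of the bug report or of any commenter's post: a Python sketch that pairs the AVC and SYSCALL records from the CentOS 6 comment by audit serial, derives the allow rule that the workaround module contains, and decodes the denied call as chmod with mode 660, the MilterSocketMode value. The syscall table covers only chmod on i386 and x86_64, and all function and variable names are illustrative.

```python
import re

# Audit records from the CentOS 6 comment on this page (SYSCALL record abridged).
RECORDS = [
    'type=AVC msg=audit(1478785716.689:1006343): avc: denied { fowner } for pid=19054 '
    'comm="clamav-milter" capability=3 scontext=unconfined_u:system_r:antivirus_t:s0 '
    'tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1478785716.689:1006343): arch=40000003 syscall=15 success=no '
    'exit=-1 a0=8620ca0 a1=1b0 a2=861fe98 a3=2c3c64 uid=0 euid=0 fsuid=0 '
    'comm="clamav-milter" exe="/usr/sbin/clamav-milter"',
]

# (audit arch, syscall number) -> name; only the chmod entries for i386 and x86_64.
CHMOD = {("40000003", 15): "chmod", ("c000003e", 90): "chmod"}
EVENT = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]+)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def explain(lines):
    """Pair AVC and SYSCALL records by audit serial; return rule and decoded call."""
    events = {}
    for line in lines:
        m = EVENT.search(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = line
    results = []
    for serial, recs in events.items():
        # Skip events with no AVC record or an AVC record that is not a denial.
        if "AVC" not in recs or not DENIED.search(recs["AVC"]):
            continue
        avc = dict(FIELD.findall(recs["AVC"]))
        perms = DENIED.search(recs["AVC"]).group(1).split()
        # The SELinux type is the third field of user:role:type:level.
        src = avc["scontext"].split(":")[2]
        tgt = avc["tcontext"].split(":")[2]
        tgt = "self" if tgt == src else tgt
        perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rule = "allow %s %s:%s %s;" % (src, tgt, avc["tclass"], perm)
        call = None
        if "SYSCALL" in recs:
            sc = dict(FIELD.findall(recs["SYSCALL"]))
            name = CHMOD.get((sc["arch"], int(sc["syscall"])))
            if name:  # a1 is the hex-encoded mode argument of chmod(path, mode)
                call = "%s(mode=%o)" % (name, int(sc["a1"], 16))
        results.append({"serial": serial, "rule": rule, "syscall": call})
    return results


if __name__ == "__main__":
    print(explain(RECORDS))
```
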