Bug 1434176 - SELinux prohibits the normal operation of sendmail and clamav-milter
Summary: SELinux prohibits the normal operation of sendmail and clamav-milter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: clamav
Version: epel7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1292227
Depends On:
Blocks:
Reported: 2017-03-20 21:53 UTC by iav
Modified: 2017-07-19 05:48 UTC

Fixed In Version: clamav-0.99.2-8.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1293046
Environment:
Last Closed: 2017-07-19 05:48:46 UTC



Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1293046 None CLOSED SELinux prohibits the normal operation of sendmail and clamav-milter 2018-08-13 01:18:32 UTC

Description iav 2017-03-20 21:53:35 UTC
The sendmail process is prohibited by SELinux from connecting to the clamav-milter unix socket.

The clamav-milter daemon process runs in the wrong SELinux domain, init_t instead of antivirus_t.


# ausearch -m AVC,USER_AVC,SELINUX_ERR -i -ts recent
----
type=SYSCALL msg=audit(03/20/2017 23:25:01.437:1324500) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xa a1=0x7ffc60b205e0 a2=0x6e a3=0x8 items=0 ppid=13778 pid=18844 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(03/20/2017 23:25:01.437:1324500) : avc:  denied  { connectto } for  pid=18844 comm=sendmail path=/run/clamav-milter/clamav-milter.socket scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
type=SYSCALL msg=audit(03/20/2017 23:31:39.402:1324504) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f90a740bbb0 a1=0x7f90a73f2930 a2=0x7f90a73f2a60 a3=0x48 items=0 ppid=1 pid=19626 auid=unset uid=clamilt gid=clamilt euid=clamilt suid=clamilt fsuid=clamilt egid=clamilt sgid=clamilt fsgid=clamilt tty=(none) ses=unset comm=clamav-milter exe=/usr/sbin/clamav-milter subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(03/20/2017 23:31:39.402:1324504) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0


# rpm -qa clam\*
clamav-data-0.99.2-1.el7.noarch
clamav-server-systemd-0.99.2-1.el7.noarch
clamav-update-0.99.2-1.el7.x86_64
clamav-filesystem-0.99.2-1.el7.noarch
clamav-lib-0.99.2-1.el7.x86_64
clamav-milter-0.99.2-1.el7.x86_64
clamav-0.99.2-1.el7.x86_64
clamav-server-0.99.2-1.el7.x86_64
clamav-milter-systemd-0.99.2-1.el7.noarch


 ls -lZ /run/clamav-milter/clamav-milter.socket
srw-r--r--. clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 /run/clamav-milter/clamav-milter.socket


 ls -lZ /run |grep clam
drwx--x---. clamilt        clamilt        system_u:object_r:antivirus_var_run_t:s0 clamav-milter
drwx--x---. clamilt        clamilt        system_u:object_r:antivirus_var_run_t:s0 clamd.milter

--- clamav, and sendmail processes --
 ps axZ |egrep 'sendmail|clam'
system_u:system_r:antivirus_t:s0  894 ?        Ssl   25:30 /usr/sbin/clamd -c /etc/clamd.d/milter.conf --foreground=yes
system_u:system_r:sendmail_t:s0 13778 ?        Ss     0:17 sendmail: accepting connections
system_u:system_r:sendmail_t:s0 13791 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:init_t:s0     21131 ?        Ssl    0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --foreground=yes
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21375 pts/0 R+   0:00 grep -E --color=auto sendmail|clam


--- clamd and clamav-milter executables ---
 ls -lZ  /usr/sbin/clam*
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamav-milter
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/clamav-notify-servers
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamd





+++ This bug was initially created as a clone of Bug #1293046 +++

Description of problem:
Dec 19 16:21:55  sendmail[4519]: ...: Milter (clamav): error connecting to filter: Permission denied
Dec 19 16:21:55  sendmail[4519]: ...: Milter (clamav): to error state

On permissive selinux state - no problems.

Version-Release number of selected component (if applicable):
sendmail-8.15.2-1.fc22.x86_64
clamav-0.99-2.fc22.x86_64
clamav-scanner-systemd-0.99-2.fc22.noarch
selinux-policy-targeted-3.13.1-128.21.fc22.noarch


Additional info:
audit2allow -al 
-----------------
type=AVC msg=audit(1450538112.582:5705): avc:  denied  { connectto } for  pid=31852 comm="sendmail" path="/run/clamav-milter/clamav-milter.socket" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1450538112.899:5712): avc:  denied  { write } for  pid=4897 comm="clamd" path=2F746D702F636C616D61762D63613037353266623939656361323834306539386663316137613030393830362E746D70202864656C6574656429 dev="tmpfs" ino=84106 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=1
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
-----------------------------
ls -lZ /run/clamav-milter/clamav-milter.socket
srw-r--r--. 1 clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 0 19 Dec 17,11 /run/clamav-milter/clamav-milter.socket

--------- clam socket directories  ------
ls -lZ /run |grep clam
drwx--x---.  2 clamilt  clamilt  system_u:object_r:antivirus_var_run_t:s0      60 19 Dec 17,11 clamav-milter
drwx--x--x.  2 clamscan clamscan system_u:object_r:antivirus_var_run_t:s0      60 19 Dec 16,31 clamd.scan

--- clamav, and sendmail processes --
ps axZ |egrep 'sendmail|clam'

system_u:system_r:antivirus_t:s0 4897 ?        Ssl    0:25 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
system_u:system_r:sendmail_t:s0  4953 ?        Ss     0:00 sendmail: accepting connections
system_u:system_r:sendmail_t:s0  4969 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:init_t:s0     32617 ?        Ssl    0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

--- clamd and clamav-milter executables ---
ls -lZ  /usr/sbin/clam*
-rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 197096  6 Dec 19,15 /usr/sbin/clamav-milter
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0              1967  6 Dec 19,06 /usr/sbin/clamav-notify-servers
-rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 182336  6 Dec 19,15 /usr/sbin/clamd

--- Additional comment from bugzilla@ruault.com on 2016-01-01 10:35:24 EST ---

Same problem here after upgrading from fc21 to fc22 (was working fine on fc21).
When I generate the policy using audit2allow and then try to load it, it fails with the following error:

semodule -v -i  sendmail.pp 
Attempting to install module 'sendmail.pp':
Ok: return value of 0.
Committing changes:
libsepol.print_missing_requirements: sendmail's global requirements were not met: type/attribute sendmail_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


The generated policy is:
module sendmail 1.0;

require {
	type sendmail_t;
	type init_t;
	class unix_stream_socket connectto;
}

#============= sendmail_t ==============

#!!!! The file '/run/clamav-milter/clamav-milter.socket' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /run/clamav-milter/clamav-milter.socket
allow sendmail_t init_t:unix_stream_socket connectto;

--- Additional comment from Fedora End Of Life on 2016-07-19 14:36:53 EDT ---

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 1 Gary Tierney 2017-03-20 22:15:20 UTC
Quick assessment on this BZ:

The clamav-milter.service systemd unit contains NoNewPrivileges=yes.  When this is enabled no_new_privs is set on the task and SELinux only allows bounded transitions (the child can have no more permissions than its parent, the child in this case being antivirus_t and the parent init_t).  So when init_t tries to change type to antivirus_t it fails because no_new_privs is set and antivirus_t isn't bound to init_t.

Since init_t is an unconfined domain on EL7 the problem could be fixed by adding typebounds to the SELinux policy.  Though on Fedora where init_t is a confined domain this would require allowing init_t to do everything antivirus_t does (as well as all the other domains that are bound to init_t).  Alternatively, NoNewPrivileges=yes can be removed from the systemd unit and typebounds won't be required.
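
The failure mode described in Comment 1 leaves a recognisable trace in the audit log. The following is an added example, not part of the bug report or the clamav package: it parses `ausearch -i` output, finds execs whose domain transition was refused with op=security_bounded_transition, and lists the AVC denials recorded against the domain the service was left in. The sample records are trimmed from the ones quoted in the description, and the function names are this example's own.

```python
import re

# Constructed sample: `ausearch -i` records trimmed from the ones quoted in this report.
SAMPLE = """\
type=SYSCALL msg=audit(03/20/2017 23:25:01.437:1324500) : syscall=connect success=yes pid=18844 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0
type=AVC msg=audit(03/20/2017 23:25:01.437:1324500) : avc:  denied  { connectto } for  pid=18844 comm=sendmail path=/run/clamav-milter/clamav-milter.socket scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
type=SYSCALL msg=audit(03/20/2017 23:31:39.402:1324504) : syscall=execve success=yes pid=19626 comm=clamav-milter exe=/usr/sbin/clamav-milter subj=system_u:system_r:init_t:s0
type=SELINUX_ERR msg=audit(03/20/2017 23:31:39.402:1324504) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
"""

SERIAL = re.compile(r"msg=audit\(.*?:(\d+)\)")  # event serial, raw or -i format
FIELD = re.compile(r"(\w+)=(\S+)")

def setype(context):
    return context.split(":")[2]  # user:role:type:level -> type

def parse_events(text):
    """Group records by audit serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = SERIAL.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events

def stuck_services(text):
    """Execs whose transition was refused, plus AVC denials against that domain (heuristic)."""
    events, findings = parse_events(text), []
    for recs in events.values():
        err = recs.get("SELINUX_ERR", {})
        if err.get("op") != "security_bounded_transition" or err.get("seresult") != "denied":
            continue
        stuck_in = setype(err["oldcontext"])
        syscall = recs.get("SYSCALL", {})
        findings.append({
            "exe": syscall.get("exe"),
            "exec_succeeded": syscall.get("success") == "yes",  # unit still looks healthy
            "stuck_in": stuck_in,
            "wanted": setype(err["newcontext"]),
            "denied_clients": [(r["AVC"].get("comm"), r["AVC"].get("path"))
                               for r in events.values()
                               if "AVC" in r and setype(r["AVC"]["tcontext"]) == stuck_in],
        })
    return findings

if __name__ == "__main__":
    print(stuck_services(SAMPLE))
```

Note that the execve record reports success=yes: the daemon starts and only the type change is refused, so the symptom surfaces later as the sendmail connectto denial rather than as a failed unit.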

Comment 2 Fedora Update System 2017-03-28 06:47:51 UTC
clamav-0.99.2-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d

Comment 3 Fedora Update System 2017-03-28 17:33:47 UTC
clamav-0.99.2-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d

Comment 4 Fedora Update System 2017-03-30 01:48:54 UTC
clamav-0.99.2-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d

Comment 5 Orion Poplawski 2017-04-18 17:53:54 UTC
*** Bug 1292227 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2017-07-19 05:48:46 UTC
clamav-0.99.2-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

