Sendmail process prohibited by selinux from connecting to the clamav-milter unix socket. Clamav-milter daemon process runs in the wrong selinux domain, init_t instead of antivirus_t.

# ausearch -m AVC,USER_AVC,SELINUX_ERR -i -ts recent
----
type=SYSCALL msg=audit(03/20/2017 23:25:01.437:1324500) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xa a1=0x7ffc60b205e0 a2=0x6e a3=0x8 items=0 ppid=13778 pid=18844 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(03/20/2017 23:25:01.437:1324500) : avc: denied { connectto } for pid=18844 comm=sendmail path=/run/clamav-milter/clamav-milter.socket scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
type=SYSCALL msg=audit(03/20/2017 23:31:39.402:1324504) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f90a740bbb0 a1=0x7f90a73f2930 a2=0x7f90a73f2a60 a3=0x48 items=0 ppid=1 pid=19626 auid=unset uid=clamilt gid=clamilt euid=clamilt suid=clamilt fsuid=clamilt egid=clamilt sgid=clamilt fsgid=clamilt tty=(none) ses=unset comm=clamav-milter exe=/usr/sbin/clamav-milter subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(03/20/2017 23:31:39.402:1324504) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0

# rpm -qa clam\*
clamav-data-0.99.2-1.el7.noarch
clamav-server-systemd-0.99.2-1.el7.noarch
clamav-update-0.99.2-1.el7.x86_64
clamav-filesystem-0.99.2-1.el7.noarch
clamav-lib-0.99.2-1.el7.x86_64
clamav-milter-0.99.2-1.el7.x86_64
clamav-0.99.2-1.el7.x86_64
clamav-server-0.99.2-1.el7.x86_64
clamav-milter-systemd-0.99.2-1.el7.noarch

ls -lZ /run/clamav-milter/clamav-milter.socket
srw-r--r--. clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 /run/clamav-milter/clamav-milter.socket

ls -lZ /run |grep clam
drwx--x---. clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 clamav-milter
drwx--x---. clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 clamd.milter

--- clamav, and sendmail processes --
ps axZ |egrep 'sendmail|clam'
system_u:system_r:antivirus_t:s0   894 ?  Ssl  25:30 /usr/sbin/clamd -c /etc/clamd.d/milter.conf --foreground=yes
system_u:system_r:sendmail_t:s0  13778 ?  Ss    0:17 sendmail: accepting connections
system_u:system_r:sendmail_t:s0  13791 ?  Ss    0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:init_t:s0      21131 ?  Ssl   0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --foreground=yes
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21375 pts/0 R+ 0:00 grep -E --color=auto sendmail|clam

--- clamd and clamav-milter executables ---
ls -lZ /usr/sbin/clam*
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamav-milter
-rwxr-xr-x. root root system_u:object_r:bin_t:s0            /usr/sbin/clamav-notify-servers
-rwxr-xr-x. root root system_u:object_r:antivirus_exec_t:s0 /usr/sbin/clamd

+++ This bug was initially created as a clone of Bug #1293046 +++

Description of problem:

Dec 19 16:21:55 sendmail[4519]: ...: Milter (clamav): error connecting to filter: Permission denied
Dec 19 16:21:55 sendmail[4519]: ...: Milter (clamav): to error state

On permissive selinux state - no problems.

Version-Release number of selected component (if applicable):

sendmail-8.15.2-1.fc22.x86_64
clamav-0.99-2.fc22.x86_64
clamav-scanner-systemd-0.99-2.fc22.noarch
selinux-policy-targeted-3.13.1-128.21.fc22.noarch

Additional info:

audit2allow -al
-----------------
type=AVC msg=audit(1450538112.582:5705): avc: denied { connectto } for pid=31852 comm="sendmail" path="/run/clamav-milter/clamav-milter.socket" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1450538112.899:5712): avc: denied { write } for pid=4897 comm="clamd" path=2F746D702F636C616D61762D63613037353266623939656361323834306539386663316137613030393830362E746D70202864656C6574656429 dev="tmpfs" ino=84106 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
-----------------------------

ls -lZ /run/clamav-milter/clamav-milter.socket
srw-r--r--. 1 clamilt clamilt system_u:object_r:antivirus_var_run_t:s0 0 19 Dec 17,11 /run/clamav-milter/clamav-milter.socket

--------- clam socket directories ------
ls -lZ /run |grep clam
drwx--x---. 2 clamilt  clamilt  system_u:object_r:antivirus_var_run_t:s0 60 19 Dec 17,11 clamav-milter
drwx--x--x. 2 clamscan clamscan system_u:object_r:antivirus_var_run_t:s0 60 19 Dec 16,31 clamd.scan

--- clamav, and sendmail processes --
ps axZ |egrep 'sendmail|clam'
system_u:system_r:antivirus_t:s0  4897 ?  Ssl  0:25 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
system_u:system_r:sendmail_t:s0   4953 ?  Ss   0:00 sendmail: accepting connections
system_u:system_r:sendmail_t:s0   4969 ?  Ss   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:init_t:s0      32617 ?  Ssl  0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

--- clamd and clamav-milter executables ---
ls -lZ /usr/sbin/clam*
-rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 197096 6 Dec 19,15 /usr/sbin/clamav-milter
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0              1967 6 Dec 19,06 /usr/sbin/clamav-notify-servers
-rwxr-xr-x. 1 root root system_u:object_r:antivirus_exec_t:s0 182336 6 Dec 19,15 /usr/sbin/clamd

--- Additional comment from bugzilla on 2016-01-01 10:35:24 EST ---

Same problem here after upgrading from fc21 to fc22 (was working fine on fc21).

When I generate the policy using audit2allow and then try to load it, it fails with the following error:

semodule -v -i sendmail.pp
Attempting to install module 'sendmail.pp':
Ok: return value of 0.
Committing changes:
libsepol.print_missing_requirements: sendmail's global requirements were not met: type/attribute sendmail_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

The generated policy is:

module sendmail 1.0;

require {
	type sendmail_t;
	type init_t;
	class unix_stream_socket connectto;
}

#============= sendmail_t ==============

#!!!! The file '/run/clamav-milter/clamav-milter.socket' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/clamav-milter/clamav-milter.socket
allow sendmail_t init_t:unix_stream_socket connectto;

--- Additional comment from Fedora End Of Life on 2016-07-19 14:36:53 EDT ---

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Quick assessment on this BZ: The clamav-milter.service systemd unit contains NoNewPrivileges=yes. When this is enabled no_new_privs is set on the task and SELinux only allows bounded transitions (the child can have no more permissions than its parent, the child in this case being antivirus_t and the parent init_t). So when init_t tries to change type to antivirus_t it fails because no_new_privs is set and antivirus_t isn't bound to init_t. Since init_t is an unconfined domain on EL7 the problem could be fixed by adding typebounds to the SELinux policy. Though on Fedora where init_t is a confined domain this would require allowing init_t to do everything antivirus_t does (as well as all the other domains that are bound to init_t). Alternatively, NoNewPrivileges=yes can be removed from the systemd unit and typebounds won't be required.
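As an added example (not code from this bug report, from clamav, or from the EPEL packages), the script below turns the assessment above into a repeatable check and fix. It recognises the audit signature the assessment describes (a denied security_bounded_transition from init_t to antivirus_t), tests whether the unit sets NoNewPrivileges=yes, and applies the second option mentioned there: a systemd drop-in that switches the setting off so init_t can make the normal domain transition on execve, followed by a check that clamav-milter really runs in antivirus_t afterwards. The unit path /usr/lib/systemd/system/clamav-milter.service, the drop-in name no-nnp.conf and the use of `ps -o label=` to read the process context are assumptions of the example.

```shell
#!/bin/sh
# Added example for this bug report (not code from the report, clamav or the
# EPEL packages). It (1) triages audit text for the signature the assessment
# describes, a denied security_bounded_transition from init_t, (2) checks
# whether the unit sets NoNewPrivileges=yes, and (3) applies the second
# option from the assessment: a systemd drop-in turning the setting off,
# followed by a check that clamav-milter now runs in antivirus_t.
# Assumptions: the unit lives at the path below, the drop-in name no-nnp.conf
# is arbitrary, and `ps -o label=` prints the process context on this host.

UNIT=${UNIT:-/usr/lib/systemd/system/clamav-milter.service}
DROPIN_DIR=${DROPIN_DIR:-/etc/systemd/system/clamav-milter.service.d}

# label_type CONTEXT -> the type field of user:role:type[:range]
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# bounded_denials FILE -> print "oldcontext -> newcontext" for every denied
# bounded transition in the audit text; exit 1 if there is none. A hit means
# no_new_privs blocked a domain transition that the policy would otherwise
# have allowed, which is exactly the clamav-milter case in this report.
bounded_denials() {
    grep -E 'op=security_bounded_transition[[:space:]]+seresult=denied' "$1" |
        sed -E 's/.*oldcontext=([^ ]+).*newcontext=([^ ]+).*/\1 -> \2/' |
        grep .
}

# nnp_enabled FILE -> exit 0 if the unit or a drop-in enables NoNewPrivileges
nnp_enabled() {
    grep -Eiq '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$1"
}

# dropin_text -> the override; the last assignment of a boolean wins, so
# this cancels NoNewPrivileges=yes in the vendor unit without editing it
dropin_text() {
    printf '[Service]\nNoNewPrivileges=no\n'
}

# apply_fix: install the drop-in, restart, and verify the domain (root only)
apply_fix() {
    if ! nnp_enabled "$UNIT"; then
        echo "NoNewPrivileges is not enabled in $UNIT; nothing to do"
        return 0
    fi
    mkdir -p "$DROPIN_DIR"
    dropin_text > "$DROPIN_DIR/no-nnp.conf"
    systemctl daemon-reload
    systemctl restart clamav-milter.service

    pid=$(systemctl show -p MainPID clamav-milter.service | cut -d= -f2)
    ctx=$(ps -o label= -p "$pid")
    if [ "$(label_type "$ctx")" != antivirus_t ]; then
        echo "clamav-milter (pid $pid) still runs as $ctx" >&2
        return 1
    fi
    echo "clamav-milter (pid $pid) runs as $ctx"
    # kernels that report it show "NoNewPrivs: 0" once the setting is off
    grep NoNewPrivs "/proc/$pid/status" 2>/dev/null || true
}

# Usage: sh fix-clamav-milter-nnp.sh --apply
# Without --apply only the functions are defined, so the file can be sourced
# for triage, e.g.:
#   ausearch -m SELINUX_ERR -i -ts recent > /tmp/audit.txt
#   . ./fix-clamav-milter-nnp.sh && bounded_denials /tmp/audit.txt
if [ "${1:-}" = --apply ]; then
    apply_fix
fi
```

Run the triage first: on the host from this report, bounded_denials over the ausearch output prints system_u:system_r:init_t:s0 -> system_u:system_r:antivirus_t:s0, and only then is the drop-in the right change. The policy-side alternative from the assessment would be a module carrying `typebounds init_t antivirus_t;`; as the assessment notes, that is only cheap where init_t is unconfined, so the drop-in is the change that needs no policy rebuild.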
clamav-0.99.2-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d
clamav-0.99.2-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d
clamav-0.99.2-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-85d282a75d
*** Bug 1292227 has been marked as a duplicate of this bug. ***
clamav-0.99.2-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.