Bug 191869 - selinux denials of clamscan
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2006-05-16 04:33 EDT by David Baron
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:02:18 EDT

Attachments
log of AVCs (136.81 KB, text/plain; charset=utf-8)
2006-05-19 19:06 EDT, David Baron

Description David Baron 2006-05-16 04:33:50 EDT
Description of problem:  Two minutes after the following upgrade:
May 14 22:13:00 Updated: selinux-policy.noarch 2.2.38-1.fc5
May 14 22:15:51 Updated: selinux-policy-targeted.noarch 2.2.38-1.fc5
I started seeing the following selinux denials for each incoming email, which I
run through clamscan (I use the targeted policy with the postfix option turned
off, which was required in the past to do this):

type=AVC msg=audit(1147768137.254:2381): avc:  denied  { search } for  pid=12865
comm="clamscan" name="tmp" dev=hda3 ino=244321
scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0
type=SYSCALL msg=audit(1147768137.254:2381): arch=40000003 syscall=39 success=no
exit=-13 a0=997c320 a1=1c0 a2=239938 a3=7 items=1 pid=12865 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="clamscan" exe="/usr/bin/clamscan"
type=CWD msg=audit(1147768137.254:2381):  cwd="/var/spool/postfix"
type=PATH msg=audit(1147768137.254:2381): item=0
name="/tmp/clamav-c1bb18d671f77129" flags=101

Version-Release number of selected component (if applicable):

How reproducible:
Always (for each incoming email, I think).

Steps to Reproduce:
1. Create a .forward that has:
|"/bin/bash ~/bin/forward-normal.sh"

where forward-normal.sh contains:

# My .forward calls this to deliver email.
# It requires that the postfix_disable_trans SELinux boolean be set.

# Spool the incoming message from stdin into a temporary file.
TMPFILE=$(mktemp) || exit 1
cat >> "$TMPFILE" || exit 1

clamscan --quiet --no-summary --unrar --unarj --unzoo --lha --jar --deb --tar \
    --tgz "$TMPFILE"
# clamscan exits with status 1 when it finds a virus.
if test $? -eq 1
then
    # Eek, a virus!
    cat "$TMPFILE" | /usr/bin/procmail ~/.procmailrc-virus
else
    cat "$TMPFILE" | /usr/bin/procmail
fi
# Exit with procmail's delivery status.
RETVAL=$?

exit $RETVAL

2. Receive an incoming email via fetchmail
Actual results:  selinux denial (although clamav scanning still seems to work),
and clamav scanning no longer works

Expected results:  no selinux denials, and viruses continue to appear in my
virus folder (where ~/.procmailrc-virus puts them)
Comment 1 Daniel Walsh 2006-05-16 08:38:10 EDT
Can you turn off enforcing mode and turn postfix_disable_trans off?

Clear your log files
echo > /var/log/messages
setenforce 0
setsebool -P postfix_disable_trans=0

Then run some mail through your system.  Collect the AVC messages and attach
them here.  

Then you can generate a loadable module

audit2allow -M clamav_fix -i /var/log/messages
semodule -i clamav_fix.pp

setenforce 1 

And see if it works.  I will attempt to fix the policy to work in your environment.
Comment 2 David Baron 2006-05-16 08:42:06 EDT
IIRC, I needed the postfix_disable_trans for spamassassin as well, but maybe
that's been fixed too.

I won't have time to mess with this for at least a week.
Comment 3 David Baron 2006-05-19 19:05:07 EDT
So I don't need postfix_disable_trans at all anymore (not needed for
spamassassin; doesn't help with clamscan); clamscan_disable_trans does work
around this problem.  I'll attach a log of the AVCs.
Comment 4 David Baron 2006-05-19 19:06:11 EDT
Created attachment 129652
log of AVCs
Comment 5 David Baron 2006-05-19 19:08:41 EDT
Note that I haven't tested the audit2allow / semodule stuff on the output of
that log; I just used clamscan_disable_trans instead.

And it's from /var/log/audit/audit.log, not /var/log/messages .
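Added example, not part of the original bug report or of the SELinux tools: a short Python summary of AVC denials, for reviewing which accesses a module generated with audit2allow (as in Comment 1) would have to allow before loading it. The sample log is constructed (its first record is the AVC from the description re-joined onto one line, its last record is made up), and the names summarize_denials and context_type are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. The first record is the AVC from the bug description,
# re-joined onto one line (it carries no tclass= field as quoted there); the
# last record is made up to show a denial that does carry a class.
SAMPLE_LOG = '''\
type=AVC msg=audit(1147768137.254:2381): avc:  denied  { search } for  pid=12865 comm="clamscan" name="tmp" dev=hda3 ino=244321 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0
type=SYSCALL msg=audit(1147768137.254:2381): arch=40000003 syscall=39 success=no exit=-13
type=AVC msg=audit(1147768140.100:2390): avc:  denied  { read write } for  pid=12870 comm="clamscan" name="example" dev=hda3 ino=1 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text):
    """Map (source type, target type, class, comm) to the denied permissions.

    Matches "avc: denied" anywhere in the line, so it does not depend on the
    "type=AVC" prefix that audit.log puts in front of each record.
    """
    summary = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # truncated record: nothing to attribute the denial to
        key = (context_type(fields["scontext"]),
               context_type(fields["tcontext"]),
               fields.get("tclass", "unknown"),  # class missing in the record
               fields.get("comm", "unknown"))
        summary[key].update(match.group("perms").split())
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (src, tgt, tclass, comm), perms in summarize_denials(SAMPLE_LOG).items():
        print(f"{comm}: {src} -> {tgt} class={tclass} denied={' '.join(perms)}")
```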
Comment 6 Daniel Walsh 2006-05-23 16:16:24 EDT
Some fixes are in selinux-policy-2.2.42-2.fc5
Comment 7 Daniel Walsh 2007-03-28 16:02:18 EDT
Closing bugs
