Bug 191869 - selinux denials of clamscan
Summary: selinux denials of clamscan
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2006-05-16 08:33 UTC by David Baron
Modified: 2007-11-30 22:11 UTC (History)

Clone Of:
Last Closed: 2007-03-28 20:02:18 UTC

Attachments
log of AVCs (136.81 KB, text/plain; charset=utf-8)
2006-05-19 23:06 UTC, David Baron

Description David Baron 2006-05-16 08:33:50 UTC
Description of problem:  Two minutes after the following upgrade:
May 14 22:13:00 Updated: selinux-policy.noarch 2.2.38-1.fc5
May 14 22:15:51 Updated: selinux-policy-targeted.noarch 2.2.38-1.fc5
I started seeing the following selinux denials for each incoming email, which I
run through clamscan (I use the targeted policy with the postfix option turned
off, which was required in the past to do this):

type=AVC msg=audit(1147768137.254:2381): avc:  denied  { search } for  pid=12865
comm="clamscan" name="tmp" dev=hda3 ino=244321
scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0
type=SYSCALL msg=audit(1147768137.254:2381): arch=40000003 syscall=39 success=no
exit=-13 a0=997c320 a1=1c0 a2=239938 a3=7 items=1 pid=12865 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="clamscan" exe="/usr/bin/clamscan"
type=CWD msg=audit(1147768137.254:2381):  cwd="/var/spool/postfix"
type=PATH msg=audit(1147768137.254:2381): item=0
name="/tmp/clamav-c1bb18d671f77129" flags=101

Version-Release number of selected component (if applicable):

How reproducible:
Always (for each incoming email, I think).

Steps to Reproduce:
1. Create a .forward that has:
|"/bin/bash ~/bin/forward-normal.sh"

where forward-normal.sh contains:

# My .forward calls this to deliver email.
# It requires that the postfix_disable_trans SELinux boolean be set.

TMPFILE=$(mktemp) || exit 1
# Capture the message arriving on stdin into the temp file.
cat >> "$TMPFILE" || exit 1

clamscan --quiet --no-summary --unrar --unarj --unzoo --lha --jar --deb --tar \
    --tgz "$TMPFILE"
if test $? -eq 1; then
    # Eek, a virus! (clamscan exits 1 when it finds one)
    /usr/bin/procmail ~/.procmailrc-virus < "$TMPFILE"
else
    /usr/bin/procmail < "$TMPFILE"
fi
RETVAL=$?
rm -f "$TMPFILE"

exit $RETVAL

2. receive an incoming email via fetchmail
Actual results:  selinux denial (although clamav scanning still seems to work),
and clamav scanning no longer works

Expected results:  no selinux denials, and viruses continue to appear in my
virus folder (where ~/.procmailrc-virus puts them)

Comment 1 Daniel Walsh 2006-05-16 12:38:10 UTC
Can you turn off enforcing mode and turn postfix_disable_trans off.

Clear your log files
echo > /var/log/messages
setenforce 0
setsebool -P postfix_disable_trans=0

Then run some mail through your system. Collect the AVC messages and attach
them here.

Then you can generate a loadable module

audit2allow -M clamav_fix -i /var/log/messages
semodule -i clamav_fix.pp

setenforce 1

And see if it works. I will attempt to fix the policy to work in your environment.
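
As an added example (not code from this bug, and not the audit2allow tool itself), the Python below performs the core of the audit2allow step in this comment: it parses the denied permissions with their source and target types out of audit records and merges them into TE allow rules, one per (source type, target type, object class). The sample records are constructed, modelled on the AVC in the report; the tclass values are an assumption, since the report's copy of the line is cut off before that field.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the denial in the report. The tclass field
# is assumed (dir for the /tmp search, file for the clamav-* temp file).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1147768137.254:2381): avc:  denied  { search } for  pid=12865 comm="clamscan" name="tmp" dev=hda3 ino=244321 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1147768137.254:2381): arch=40000003 syscall=39 success=no exit=-13 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC msg=audit(1147768140.101:2382): avc:  denied  { write add_name } for  pid=12866 comm="clamscan" name="tmp" dev=hda3 ino=244321 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1147768140.102:2383): avc:  denied  { create write } for  pid=12866 comm="clamscan" name="clamav-c1bb18d671f77129" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD and PATH records carry no denial themselves
        # A context is user:role:type:level; the type is what TE rules use.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def allow_rules(text):
    """Collapse denials into TE allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        merged[(stype, ttype, tclass)] |= perms
    # Each rule grants exactly the access that was denied; a policy fix that
    # relabels clamscan's temp files is narrower than widening tmp_t access.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```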

Comment 2 David Baron 2006-05-16 12:42:06 UTC
IIRC, I needed the postfix_disable_trans for spamassassin as well, but maybe
that's been fixed too.

I won't have time to mess with this for at least a week.

Comment 3 David Baron 2006-05-19 23:05:07 UTC
So I don't need postfix_disable_trans at all anymore (not needed for
spamassassin; doesn't help with clamscan); clamscan_disable_trans does work
around this problem.  I'll attach a log of the AVCs.

Comment 4 David Baron 2006-05-19 23:06:11 UTC
Created attachment 129652
log of AVCs

Comment 5 David Baron 2006-05-19 23:08:41 UTC
Note that I haven't tested the audit2allow / semodule stuff on the output of
that log; I just used clamscan_disable_trans instead.

And it's from /var/log/audit/audit.log, not /var/log/messages .

Comment 6 Daniel Walsh 2006-05-23 20:16:24 UTC
Some fixes are in selinux-policy-2.2.42-2.fc5

Comment 7 Daniel Walsh 2007-03-28 20:02:18 UTC
Closing bugs
