Description of problem:
Two minutes after the following upgrade:

May 14 22:13:00 Updated: selinux-policy.noarch 2.2.38-1.fc5
May 14 22:15:51 Updated: selinux-policy-targeted.noarch 2.2.38-1.fc5

I started seeing the following selinux denials for each incoming email, which I run through clamscan (I use the targeted policy with the postfix option turned off, which was required in the past to do this):

type=AVC msg=audit(1147768137.254:2381): avc: denied { search } for pid=12865 comm="clamscan" name="tmp" dev=hda3 ino=244321 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1147768137.254:2381): arch=40000003 syscall=39 success=no exit=-13 a0=997c320 a1=1c0 a2=239938 a3=7 items=1 pid=12865 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=CWD msg=audit(1147768137.254:2381): cwd="/var/spool/postfix"
type=PATH msg=audit(1147768137.254:2381): item=0 name="/tmp/clamav-c1bb18d671f77129" flags=101

Version-Release number of selected component (if applicable):
selinux-policy-2.2.38-1.fc5
selinux-policy-targeted-2.2.38-1.fc5
clamav-data-0.88.2-1.fc5
clamav-update-0.88.2-1.fc5
clamav-lib-0.88.2-1.fc5
clamav-0.88.2-1.fc5

How reproducible:
Always (for each incoming email, I think).

Steps to Reproduce:
1. Create a .forward that has:

|"/bin/bash ~/bin/forward-normal.sh"

where forward-normal.sh contains:

#!/bin/bash
# My .forward calls this to deliver email.
# It requires that the postfix_disable_trans SELinux boolean be set.
TMPFILE=$(mktemp) || exit 1
cat >> $TMPFILE || exit 1
clamscan --quiet --no-summary --unrar --unarj --unzoo --lha --jar --deb --tar --tgz $TMPFILE
if test $? -eq 1
then
    # Eek, a virus!
    cat $TMPFILE | /usr/bin/procmail ~/.procmailrc-virus
    RETVAL=$?
else
    cat $TMPFILE | /usr/bin/procmail
    RETVAL=$?
fi
"rm" $TMPFILE
exit $RETVAL

2. Receive an incoming email via fetchmail.

Actual results:
selinux denial (although clamav scanning still seems to work), and clamav scanning no longer works

Expected results:
no selinux denials, and viruses continue to appear in my virus folder (where ~/.procmailrc-virus puts them)
Can you turn off enforcing mode and turn postfix_disable_trans off. Clear your log files:

echo > /var/log/messages
setenforce 0
setsebool -P postfix_disable_trans=0

Then run some mail through your system. Collect the AVC messages and attach them here. Then you can generate a loadable module:

audit2allow -M clamav_fix -i /var/log/messages
semodule -i clamav_fix.pp
setenforce 1

And see if it works. I will attempt to fix the policy to work in your environment.
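Before loading whatever audit2allow produces from the collected log, it helps to see what the denials actually are. This added example (mine, not from the bug report or the selinux-policy project) reads audit.log records in the format quoted in the report and summarises them per source type, target type, object class and permission set for one program; the function names avc_summary and avc_rule_count are my own, and all sample records except the first (copied from the report) are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): summarise the AVC
# denials for one program before turning them into a module with audit2allow,
# so the reviewer sees exactly which source type, target type, class and
# permissions the generated rules would allow.
# Input format is audit.log as quoted in the report; the first sample record is
# the one from the report, the others are constructed for this example.
SAMPLE_AUDIT='type=AVC msg=audit(1147768137.254:2381): avc: denied { search } for pid=12865 comm="clamscan" name="tmp" dev=hda3 ino=244321 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1147768137.254:2381): arch=40000003 syscall=39 success=no exit=-13 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC msg=audit(1147768140.101:2382): avc: denied { write } for pid=12870 comm="clamscan" name="clamav-0000" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1147768140.101:2383): avc: denied { search } for pid=12871 comm="clamscan" name="tmp" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1147768141.500:2384): avc: denied { read } for pid=999 comm="spamd" name="x" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_summary COMM: read audit records on stdin and print one line per distinct
# denial for processes named COMM: "<count> <source_type> <target_type> <tclass> { perms }"
avc_summary() {
    awk -v comm="$1" '
        $1 == "type=AVC" && index($0, "comm=\"" comm "\"") {
            perms = $0
            sub(/.*denied /, "", perms)     # -> "{ search } for pid=..."
            sub(/ for .*/, "", perms)       # -> "{ search }"
            src = tgt = cls = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
                if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
                if (kv[1] == "tclass")   cls = kv[2]
            }
            count[src " " tgt " " cls " " perms]++
        }
        END { for (k in count) print count[k], k }' | sort -k2
}

# avc_rule_count COMM: how many distinct allow rules a module for COMM would need.
avc_rule_count() {
    avc_summary "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary clamscan
```

Run against the real log with `avc_summary clamscan < /var/log/audit/audit.log`; each output line corresponds to one allow rule audit2allow would generate, which is what to review before `semodule -i`.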
IIRC, I needed the postfix_disable_trans for spamassassin as well, but maybe that's been fixed too. I won't have time to mess with this for at least a week.
So I don't need postfix_disable_trans at all anymore (not needed for spamassassin; doesn't help with clamscan); clamscan_disable_trans does work around this problem. I'll attach a log of the AVCs.
Created attachment 129652: log of AVCs
Note that I haven't tested the audit2allow / semodule stuff on the output of that log; I just used clamscan_disable_trans instead. And it's from /var/log/audit/audit.log, not /var/log/messages.
Some fixes are in selinux-policy-2.2.42-2.fc5
Closing bugs