Bug 250330 - selinux denials of clamav pack 0.91.1-30.fc7 (from atrpms)
selinux denials of clamav pack 0.91.1-30.fc7 (from atrpms)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
http://bugzilla.atrpms.net/show_bug.c...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-31 16:47 EDT by Axel Thimm
Modified: 2008-01-13 04:51 EST (History)
0 users

See Also:
Fixed In Version: selinux-policy-2.6.4-67.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-13 04:51:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Axel Thimm 2007-07-31 16:47:16 EDT
http://bugzilla.atrpms.net/show_bug.cgi?id=1253#c0
> Created an attachment (id=131) [details]
> audit log truncated
> 
> clamav-0.91.1-30.fc7
> selinux-policy-2.6.4-28.fc7
> selinux-policy-targeted-2.6.4-28.fc7
> 
> I have atached relevant portions of audit log.

The attached logs start with
http://bugzilla.atrpms.net/attachment.cgi?id=131:
type=AVC msg=audit(1185589492.161:53): avc:  denied  { search } for  pid=3819
comm="clamd" scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1185589492.161:53): avc:  denied  { read } for  pid=3819
comm="clamd" scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1185589492.161:54): avc:  denied  { getattr } for  pid=3819
comm="clamd" name="clamd.log" dev=dm-1 ino=786502
scontext=system_u:system_r:clamd_t:s0 tcontext=user_u:object_r:var_log_t:s0
tclass=file

Can you please update the selinux sources to include these? Or otherwise advise
on how to manage this from the clamav package if that would be the better way
(note I'm a selinux newbie to selinux agnostic :)?

Thanks a lot!
Comment 1 Daniel Walsh 2007-08-01 11:25:37 EDT
Does restorecon -R -v /var/run fix the context of clamd.log?  It should be
clamd_var_run_t.  What is the full path to the file?

I will add the sysctl_kernel_t
Comment 2 Daniel Walsh 2007-08-14 08:03:05 EDT
FIxed in selinux-policy-2.6.4-38
Comment 3 Axel Thimm 2007-08-24 03:30:23 EDT
http://bugzilla.atrpms.net/show_bug.cgi?id=1253#c5

> (In reply to comment 3)
> > Did Dan's comment fix your issue?
> > 
> I am not sure if these comments are in the right direction:
> 
> > Does restorecon -R -v /var/run fix the context of clamd.log?  It should be
> > clamd_var_run_t.  What is the full path to the file?
> 
> since the clamd.log should be in /var/log/
> 
> The current permissions are:
> 
> [root@f7host ~]# ll -Z /var/log/clamd.log
> -rw-r-----  clamav clamav user_u:object_r:var_log_t        /var/log/clamd.log
> 
> This is after full FS relabel
> 
> The current packs are:
> 
> 1 } selinux-policy-2.6.4-33.fc7
> 2 } selinux-policy-targeted-2.6.4-33.fc7
> 3 } clamav-0.91.1-30.fc7
> 
> Thanks!
Comment 4 Axel Thimm 2007-12-30 02:38:37 EST
This issue still seems to remain open for the user - I asked him to directly
file the issues here, but maybe you would like to check the bugzilla entry at
http://bugzilla.atrpms.net/show_bug.cgi?id=1253? Thanks!
Comment 5 Daniel Walsh 2007-12-31 09:07:34 EST
Fixed in selinux-policy-2.6.4-67.fc7
Comment 6 Axel Thimm 2008-01-13 04:51:09 EST
Thanks Dan!

Note You need to log in before you can comment on or make changes to this bug.