Bug 381531 - SELinux is preventing /usr/sbin/clamd (clamd_t) "append" to /var/log/clamav/clamd.log (var_log_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: x86_64 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-13 23:35 EST by Malcolm Guthrie
Modified: 2008-01-30 14:18 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:18:31 EST
Description Malcolm Guthrie 2007-11-13 23:35:43 EST
Summary
SELinux is preventing /usr/sbin/clamd (clamd_t) "append" to
/var/log/clamav/clamd.log (var_log_t).

Detailed Description
SELinux is preventing /usr/sbin/clamd (clamd_t) "append" to
/var/log/clamav/clamd.log (var_log_t). The SELinux type %TARGET_TYPE, is a
generic type for all files in the directory and very few processes (SELinux
Domains) are allowed to write to this SELinux type. This type of denial usual
indicates a mislabeled file. By default a file created in a directory has the
gets the context of the parent directory, but SELinux policy has rules about the
creation of directories, that say if a process running in one SELinux Domain
(D1) creates a file in a directory with a particular SELinux File Context (F1)
the file gets a different File Context (F2). The policy usually allows the
SELinux Domain (D1) the ability to write or append on (F2). But if for some
reason a file (/var/log/clamav/clamd.log) was created with the wrong context,
this domain will be denied. The usual solution to this problem is to reset the
file context on the target file, restorecon -v /var/log/clamav/clamd.log. If the
file context does not change from var_log_t, then this is probably a bug in
policy. Please file a bug report against the selinux-policy package. If it does
change, you can try your application again to see if it works. The file context
could have been mislabeled by editing the file or moving the file from a
different directory, if the file keeps getting mislabeled, check the init
scripts to see if they are doing something to mislabel the file.

Allowing Access (Neither of these has any effect)
You can attempt to fix file context by executing restorecon -v
/var/log/clamav/clamd.log
The following command will allow this access:
restorecon /var/log/clamav/clamd.log

Additional Information
Source Context:  system_u:system_r:clamd_t
Target Context:  system_u:object_r:var_log_t
Target Objects:  /var/log/clamav/clamd.log [ file ]
Affected RPM Packages:  clamav-server-0.91.2-3.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-49.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.mislabeled_file
Host Name:  venus.xman.com
Platform:  Linux venus.xman.com 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 20:28:15 EDT
2007 x86_64 x86_64
Alert Count:  4
First Seen:  Tue 13 Nov 2007 05:47:07 PM PST
Last Seen:  Tue 13 Nov 2007 08:17:25 PM PST
Local ID:  65d30d4d-8660-40d0-b555-d81ca3e7451f
Line Numbers:  
Raw Audit Messages :
avc: denied { append } for comm="clamd" dev=dm-0 egid=497 euid=498
exe="/usr/sbin/clamd" exit=59 fsgid=497 fsuid=498 gid=497 items=0
path="/var/log/clamav/clamd.log" pid=2830 scontext=system_u:system_r:clamd_t:s0
sgid=497 subj=system_u:system_r:clamd_t:s0 suid=498 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=498
Comment 1 Daniel Walsh 2007-11-14 10:35:01 EST
chcon -t clamd_var_log_t /var/log/clamav/clamd.log

Should fix it 

Fixed in selinux-policy-3.0.8-54.fc8
Comment 2 Daniel Walsh 2008-01-30 14:18:31 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
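
The triage that the alert text and Comment 1 walk through, as an added example (not part of the bug report and not setroubleshoot's own code): a parser for the raw AVC record that extracts the source domain and target type and flags a write-like denial against a generic type as a probable mislabel. The function names and the `GENERIC_TYPES` and `WRITE_LIKE` sets are assumptions made for this example.

```python
import re

# Constructed sample: the AVC record from the report above, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { append } for comm="clamd" dev=dm-0 egid=497 euid=498 '
    'exe="/usr/sbin/clamd" exit=59 fsgid=497 fsuid=498 gid=497 items=0 '
    'path="/var/log/clamav/clamd.log" pid=2830 '
    'scontext=system_u:system_r:clamd_t:s0 sgid=497 '
    'subj=system_u:system_r:clamd_t:s0 suid=498 tclass=file '
    'tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=498'
)

# Assumption: generic types a file typically inherits from its parent directory.
GENERIC_TYPES = {"var_log_t", "var_t", "tmp_t", "default_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "setattr"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    # Context is user:role:type[:level]; the level can contain colons, so index from the left.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(line):
    """Summarise a denial and flag the 'mislabeled file' pattern described in the alert."""
    rec = parse_avc(line)
    if rec is None or "scontext" not in rec or "tcontext" not in rec:
        return None
    tgt = selinux_type(rec["tcontext"])
    return {
        "domain": selinux_type(rec["scontext"]),
        "target_type": tgt,
        "tclass": rec.get("tclass"),
        "path": rec.get("path"),
        "perms": rec["perms"],
        "likely_mislabeled": tgt in GENERIC_TYPES and bool(WRITE_LIKE & set(rec["perms"])),
    }
```

For the record in this report, `triage(SAMPLE_AVC)` reports domain `clamd_t` appending to a `var_log_t` file and sets `likely_mislabeled`; the same record with the target relabeled to `clamd_var_log_t`, the type given in Comment 1, is not flagged.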