Red Hat Bugzilla – Bug 439860
wrong logfile name in clamav policy
Last modified: 2012-10-15 10:07:45 EDT
Description of problem:
restorecon -R /var/log/clamav doesn't restore the appropriate context for the
clamd server logs.
# strings /etc/selinux/targeted/modules/active/modules/clamav.pp
/var/log/clamav -d system_u:object_r:clamd_var_log_t:s0
/var/log/clamav/clamav.* -- system_u:object_r:clamd_var_log_t:s0
The default daemon logfile name is actually clamd.log, not clamav.log (in 0.92.1
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install clamav
2. restorecon -R /var/log/clamav
3. service clamd restart
Daemon refuses to start using init script due to avc denial.
Daemon starts as normal.
I'm using the clamd from RPMforge (clamd-0.92.1-1.el5.rf, clamav-0.92.1-1.el5.rf).
Fixed in U2 policy
Fixed in selinux-policy-2.4.6-126.el5
You can get a preview at
Would it be possible to include:
/var/clamav as clamd_var_lib_t
In the updated policy as well? I'm not sure why this change was made in the
package I'm using, and I realize it doesn't follow the FHS, so I understand if
you don't think it would be a good idea.
No but you can
semanage fcontext -a -t clamd_var_lib_t '/var/clamav(/.*)?'
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.