Description of problem:SELinux is preventing /usr/bin/clamdscan (clamscan_t) "write" access to /var/webmin/sessiondb.pag (var_t) Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Install ClamAV 2. Use ClamAV 3. Denial appears in sealert /var/log/audit/audit.log Actual results: Expected results: Additional info: avc: denied { write } for comm="clamdscan" dev=dm-0 egid=0 euid=0 exe="/usr/bin/clamdscan" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="/var/webmin/sessiondb.pag" pid=31759 scontext=system_u:system_r:clamscan_t:s0 sgid=0 subj=system_u:system_r:clamscan_t:s0 suid=0 tclass=file tcontext=user_u:object_r:var_t:s0 tty=(none) uid=0
Not sure what /var/webmin/sessiondb.pag is, but this is either a leaked file descriptor or a log file which clamdscan has its output redirected to. If you want the avc to go away you can use grep clan /var/log/audit/audit.log | audit2allow -M mywebmin semodule -i mywebmin.pp Please open a bugzilla with webmin and report that they should close their file descriptor on exec fcntl(fd, F_SETFD, FD_CLOEXEC)