Bug 500392 - Problems with clamav-milter 0.95.1
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
All Linux
low Severity medium
: rc
Assigned To: Daniel Walsh
Reported: 2009-05-12 10:54 EDT by Orion Poplawski
Modified: 2012-10-15 10:07 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 04:00:34 EDT
Description Orion Poplawski 2009-05-12 10:54:46 EDT
Description of problem:

EPEL recently updated to 0.95.1.  I'm seeing the following denials which are definitely causing clamav-milter problems:

type=AVC msg=audit(1242139491.092:242): avc:  denied  { read write } for  pid=6179 comm="clamd" path=2F746D702F636C616D61762D6136383134306364613864343032653234303438333963333964336639633634202864656C6574656429 dev=tmpfs ino=46734 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1242139766.899:323): avc:  denied  { getattr } for  pid=6706 comm="clamd" path=2F746D702F636C616D61762D3533316561633533373432366463333639363037343539656137336566643665202864656C6574656429 dev=tmpfs ino=57072 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file

I've added the following policy for now:

allow clamd_t initrc_tmp_t:file { read write getattr };

But I wonder if the clamav-milter process is running in the wrong domain:

root:system_r:clamd_t            6179 ?        00:00:07 clamd
root:system_r:initrc_t           6231 ?        00:05:56 clamav-milter

Version-Release number of selected component (if applicable):
Comment 1 Daniel Walsh 2009-05-12 11:17:50 EDT
If you change the clamav-milter context to clamd_exec_t does it work?
Comment 2 Orion Poplawski 2009-05-12 11:25:40 EDT
How do I do that?
Comment 3 Daniel Walsh 2009-05-12 14:02:38 EDT
chcon -t clamd_exec_t PATHTO/clamav-milter
Comment 4 Orion Poplawski 2009-05-12 16:50:06 EDT
The previous messages are gone.  Now I see:

type=AVC msg=audit(1242161212.356:7126): avc:  denied  { connectto } for  pid=6649 comm="clamav-milter" path="/var/run/clamd.clamd/clamd.socket" scontext=user_u:system_r:clamd_t:s0 tcontext=root:system_r:clamd_t:s0 tclass=unix_stream_socket
Comment 5 Daniel Walsh 2009-05-13 10:41:45 EDT

Fixed in selinux-policy-2.4.6-235.el5
Comment 11 errata-xmlrpc 2009-09-02 04:00:34 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
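
The denials quoted in the description and in comment 4 record the temp-file path hex-encoded, which is how auditd writes values containing spaces. As an added example (not part of the original report or of the selinux-policy tooling), this Python script decodes that path and groups the denials by source type, target type and class; the names parse_avc, decode_path and summarize are the example's own.

```python
import re
from collections import defaultdict

# AVC records copied verbatim from the description and comment 4 of this report.
SAMPLE = """\
type=AVC msg=audit(1242139491.092:242): avc:  denied  { read write } for  pid=6179 comm="clamd" path=2F746D702F636C616D61762D6136383134306364613864343032653234303438333963333964336639633634202864656C6574656429 dev=tmpfs ino=46734 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1242139766.899:323): avc:  denied  { getattr } for  pid=6706 comm="clamd" path=2F746D702F636C616D61762D3533316561633533373432366463333639363037343539656137336566643665202864656C6574656429 dev=tmpfs ino=57072 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1242161212.356:7126): avc:  denied  { connectto } for  pid=6649 comm="clamav-milter" path="/var/run/clamd.clamd/clamd.socket" scontext=user_u:system_r:clamd_t:s0 tcontext=root:system_r:clamd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    """Quoted values are literal; unquoted all-hex values are hex-encoded bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "path": decode_path(fields["path"]) if "path" in fields else None,
        "source": fields["scontext"].split(":")[2],  # type is the third context field
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The decoded paths are deleted files under /tmp labelled initrc_tmp_t, which fits the reporter's observation that clamav-milter was running in initrc_t rather than clamd_t.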

