Description of problem: EPEL recently updated to 0.95.1. I'm seeing the following denials which are definitely causing clamav-milter problems: type=AVC msg=audit(1242139491.092:242): avc: denied { read write } for pid=6179 comm="clamd" path=2F746D702F636C616D61762D6136383134306364613864343032653234303438333963333964336639633634202864656C6574656429 dev=tmpfs ino=46734 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file type=AVC msg=audit(1242139766.899:323): avc: denied { getattr } for pid=6706 comm="clamd" path=2F746D702F636C616D61762D3533316561633533373432366463333639363037343539656137336566643665202864656C6574656429 dev=tmpfs ino=57072 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file I've added the following policy for now: allow clamd_t initrc_tmp_t:file { read write getattr }; But I wonder if the clamav-milter process is running in the wrong domain: root:system_r:clamd_t 6179 ? 00:00:07 clamd root:system_r:initrc_t 6231 ? 00:05:56 clamav-milter Version-Release number of selected component (if applicable): selinux-policy-2.4.6-229.el5
If you change the clamav-milter context to clamd_exec_t does it work?
How do I do that?
chcon -t clamd_exec_t PATHTO/clamav-milter
The previous messages are gone. Now I see: type=AVC msg=audit(1242161212.356:7126): avc: denied { connectto } for pid=6649 comm="clamav-milter" path="/var/run/clamd.clamd/clamd.socket" scontext=user_u:system_r:clamd_t:s0 tcontext=root:system_r:clamd_t:s0 tclass=unix_stream_socket
Fixed in selinux-policy-2.4.6-235.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1242.html