Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install clamav-update.x86_64
2. Wait
3.

Actual results:

Summary:

SELinux is preventing /usr/bin/freshclam access to a leaked /bin/sh file descriptor.

Detailed Description:

SELinux denied access requested by the freshclam command. It looks like this is either a leaked descriptor or freshclam output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /bin/sh. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:freshclam_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /bin/sh [ lnk_file ]
Source                        freshclam
Source Path                   /usr/bin/freshclam
Port                          <Unknown>
Host                          hagrid.sb.litts.net
Source RPM Packages           clamav-update-0.95.3-1301.fc13
Target RPM Packages           bash-4.1.7-1.fc13
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     hagrid.sb.litts.net
Platform                      Linux hagrid.sb.litts.net 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Wed 23 Jun 2010 11:02:12 PM EDT
Last Seen                     Fri 25 Jun 2010 02:02:10 AM EDT
Local ID                      81f0c3cd-a249-4587-8a36-144c4bb4f46c
Line Numbers

Raw Audit Messages

node=hagrid.sb.litts.net type=AVC msg=audit(1277445730.948:224): avc: denied { read } for pid=28153 comm="freshclam" name="sh" dev=dm-0 ino=131076 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

node=hagrid.sb.litts.net type=SYSCALL msg=audit(1277445730.948:224): arch=c000003e syscall=59 success=no exit=-13 a0=3e8c940da3 a1=7fffed988b70 a2=7fffed989100 a3=8 items=0 ppid=28152 pid=28153 auid=0 uid=487 gid=470 euid=487 suid=487 fsuid=487 egid=470 sgid=470 fsgid=470 tty=(none) ses=24 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0-s0:c0.c1023 key=(null)

Expected results:

Additional info:
Looks like we need corecmd_exec_shell(freshclam_t)
Fixed in selinux-policy-3.7.19-32.fc13
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
I'm not sure what your exact fix was, but it took me several iterations to get freshclam working. One complication is that I have several OnxxExecute statements in freshclam.conf - e.g.:

OnErrorExecute /usr/bin/logger -is -p mail.warning "database update failed, see /var/log/clamav/freshclam.log"

Anyhow, the (so far) final policy tweaks that I'm using are:

# Freshclam bug (https://bugzilla.redhat.com/show_bug.cgi?id=607897)
#============= freshclam_t ==============
corecmd_exec_shell(freshclam_t);
allow freshclam_t bin_t:file { execute getattr };
allow freshclam_t bin_t:lnk_file read;
allow freshclam_t proc_t:file { open read getattr };
allow freshclam_t clamd_var_log_t:file read;
allow freshclam_t bin_t:file { read open execute_no_trans };

Note that any arbitrary command can be specified here - I don't know whether what I came up with covers commands other than the ones I currently use. I'm currently running policy 3.7.19-51.fc13, so while I might have been able to remove some of my local tweaks, I did have to add to them as recently as last night.... So someone with expert knowledge of selinux needs to revisit the policy. Thanks.
Oh, I should have mentioned that the clamd_var_log_t is because freshclam reads the clamd log file to submit detection statistics - see SubmitDetectionStats /etc/clamd.d/scan.conf in the freshclam.conf file...
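As an added example (not part of this bug report, of selinux-policy, or of the commenter's local tweaks), the following POSIX shell script does by hand what audit2allow does for the raw AVC records above: it parses each "avc: denied" record into an allow rule and wraps the rules in a .te module with a require block, so the result can be read line by line before anything is loaded. The first input record is the AVC from the report; the second is a constructed denial shaped to match the proc_t rule in the previous comment. The function names and the module name freshclam_local are this example's own.

```shell
#!/bin/sh
# Added example, not part of this bug report or of selinux-policy: turn raw
# AVC "denied" records into the allow rules a local policy module would need,
# roughly what audit2allow does, so the rules can be read before anything
# is loaded. Function and module names are this example's own.

# Constructed input. The first record is the AVC from this report; the second
# is a hypothetical denial shaped to match the proc_t rule in the comment above.
AVC_REPORT='type=AVC msg=audit(1277445730.948:224): avc:  denied  { read } for  pid=28153 comm="freshclam" name="sh" dev=dm-0 ino=131076 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file'
AVC_HYPOTHETICAL='type=AVC msg=audit(1277445731.001:225): avc:  denied  { open read getattr } for  pid=28153 comm="freshclam" name="meminfo" dev=proc ino=4026531994 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file'

nl='
'

# The type is the third colon-separated field of an SELinux context:
# system_u:system_r:freshclam_t:s0-s0:c0.c1023 -> freshclam_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Extract one key=value field ($2) from an audit record ($1).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Translate one AVC record into a raw rule:
#   allow <source type> <target type>:<class> { <permissions> };
# Prints nothing and returns 1 for records that are not AVC denials.
avc_to_allow() {
    line=$1
    case $line in
        *'avc:'*'denied'*'{'*) ;;
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Read audit records on stdin and emit a complete .te module ($1 is its name)
# whose require block declares every type and class the rules reference.
avcs_to_module() {
    name=$1
    rules=""
    while IFS= read -r line; do
        rule=$(avc_to_allow "$line") || continue
        rules="$rules$rule$nl"
    done
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # Types: the source ($2) and the target half of "target:class" ($3).
    printf '%s' "$rules" | awk '{ split($3, t, ":"); print $2; print t[1] }' |
        sort -u | sed 's/.*/    type &;/'
    # Classes, each with the union of the permissions requested on it.
    printf '%s' "$rules" | awk '
        { split($3, t, ":"); c = t[2]
          for (i = 5; i < NF; i++) if (!seen[c, $i]++) p[c] = p[c] " " $i }
        END { for (c in p) printf "    class %s {%s };\n", c, p[c] }' | sort
    printf '}\n\n%s' "$rules"
}

# Demonstration on the constructed records. The output is a starting point
# for review, not something to load as-is: where a refpolicy interface covers
# the access (corecmd_exec_shell() for running /bin/sh, as the fix in this
# bug did) prefer it to the raw rule, and drop rules the program does not
# actually need.
printf '%s\n%s\n' "$AVC_REPORT" "$AVC_HYPOTHETICAL" | avcs_to_module freshclam_local
```

The generated module is in the plain `module ... 1.0;` form, which builds with checkmodule -M -m, semodule_package and semodule -i; a module that calls interfaces such as corecmd_exec_shell() instead of raw rules has to be built against the selinux-policy-devel Makefile. Either way the point of printing the rules first is the review step the commenter describes: a rule like `allow freshclam_t bin_t:file execute_no_trans` is much broader than the single OnErrorExecute command that triggered it, and a denial flagged by the "leaks" plugin may, as here, turn out to be an access the program genuinely needs rather than a leaked descriptor.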
Those look good to me.
Fixed in selinux-policy-3.7.19-55.fc13
selinux-policy-3.7.19-57.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.