Bug 607897 - ClamAV freshclam leaked fd
Summary: ClamAV freshclam leaked fd
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks:
 
Reported: 2010-06-25 06:33 UTC by tlhackque
Modified: 2010-09-22 00:38 UTC (History)

Fixed In Version: selinux-policy-3.7.19-57.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-22 00:38:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description tlhackque 2010-06-25 06:33:44 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install clamav-update.x86_64
2. Wait
3.
  
Actual results:

Summary:

SELinux is preventing /usr/bin/freshclam access to a leaked /bin/sh file
descriptor.

Detailed Description:

SELinux denied access requested by the freshclam command. It looks like this is
either a leaked descriptor or freshclam output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /bin/sh. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:freshclam_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /bin/sh [ lnk_file ]
Source                        freshclam
Source Path                   /usr/bin/freshclam
Port                          <Unknown>
Host                          hagrid.sb.litts.net
Source RPM Packages           clamav-update-0.95.3-1301.fc13
Target RPM Packages           bash-4.1.7-1.fc13
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     hagrid.sb.litts.net
Platform                      Linux hagrid.sb.litts.net 2.6.33.5-124.fc13.x86_64
                              #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Wed 23 Jun 2010 11:02:12 PM EDT
Last Seen                     Fri 25 Jun 2010 02:02:10 AM EDT
Local ID                      81f0c3cd-a249-4587-8a36-144c4bb4f46c
Line Numbers                  

Raw Audit Messages            

node=hagrid.sb.litts.net type=AVC msg=audit(1277445730.948:224): avc:  denied  { read } for  pid=28153 comm="freshclam" name="sh" dev=dm-0 ino=131076 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

node=hagrid.sb.litts.net type=SYSCALL msg=audit(1277445730.948:224): arch=c000003e syscall=59 success=no exit=-13 a0=3e8c940da3 a1=7fffed988b70 a2=7fffed989100 a3=8 items=0 ppid=28152 pid=28153 auid=0 uid=487 gid=470 euid=487 suid=487 fsuid=487 egid=470 sgid=470 fsgid=470 tty=(none) ses=24 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0-s0:c0.c1023 key=(null)




Expected results:


Additional info:

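The two raw audit records in the description say more than the setroubleshoot summary does. On x86_64 (arch=c000003e) syscall 59 is execve, the call failed with exit=-13 (EACCES), and the denied object is the /bin/sh symlink: freshclam was trying to execute a shell, which is what its OnErrorExecute-style hooks do, rather than touching an inherited descriptor, so the "leaks" plugin label is a misclassification. The script below is an added example, not part of this bug report and not code from selinux-policy or ClamAV. It parses the two records (copied inline from the report), joins the AVC to its SYSCALL record by audit serial number, and emits audit2allow-style allow rules plus a complete .te skeleton. The SYSCALL_NAMES table (only the one entry needed here), the function names and the module name are illustrative; the rule output is a small stand-in for audit2allow, not audit2allow itself.

```python
"""Turn the raw SELinux audit records from this bug into policy rules.

Added example; not from the bug page, selinux-policy or ClamAV.
The two audit lines in RAW_AUDIT are copied from the report; everything
else (table, names, module name) is illustrative.
"""
import re
from collections import defaultdict

# Records copied verbatim from the bug report (the "node=..." prefix dropped).
RAW_AUDIT = """\
type=AVC msg=audit(1277445730.948:224): avc:  denied  { read } for  pid=28153 comm="freshclam" name="sh" dev=dm-0 ino=131076 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1277445730.948:224): arch=c000003e syscall=59 success=no exit=-13 a0=3e8c940da3 a1=7fffed988b70 a2=7fffed989100 a3=8 items=0 ppid=28152 pid=28153 auid=0 uid=487 gid=470 euid=487 suid=487 fsuid=487 egid=470 sgid=470 fsgid=470 tty=(none) ses=24 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0-s0:c0.c1023 key=(null)
"""

# Minimal (arch, number) -> name table: only the entry this report needs.
SYSCALL_NAMES = {("c000003e", 59): "execve"}

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")


def type_of(context):
    """'system_u:system_r:freshclam_t:s0-s0:c0.c1023' -> 'freshclam_t'."""
    return context.split(":")[2]


def parse_records(text):
    """Group AVC and SYSCALL records by audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group("serial"))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            a = AVC_RE.search(line)
            events[serial].setdefault("avc", []).append({
                "result": a.group("result"),
                "perms": a.group("perms").split(),
                "source_type": type_of(fields["scontext"]),
                "target_type": type_of(fields["tcontext"]),
                "tclass": fields["tclass"],
                "name": fields.get("name"),
            })
        elif fields.get("type") == "SYSCALL":
            key = (fields["arch"], int(fields["syscall"]))
            events[serial]["syscall"] = {
                "name": SYSCALL_NAMES.get(key, "unknown"),
                "exit": int(fields["exit"]),   # -13 == -EACCES
                "exe": fields.get("exe"),
            }
    return dict(events)


def explain(events):
    """One human-readable line per denial, with the SYSCALL record joined in."""
    out = []
    for serial, ev in sorted(events.items()):
        sc = ev.get("syscall", {})
        for a in ev.get("avc", []):
            out.append(
                f"{serial}: {sc.get('exe', '?')} {sc.get('name', '?')} "
                f"(exit {sc.get('exit', '?')}) denied {' '.join(a['perms'])} "
                f"on {a['tclass']} {a['name']} ({a['source_type']} -> {a['target_type']})"
            )
    return out


def collect_denials(events):
    """Merge denied permissions per (source type, target type, class)."""
    perms = defaultdict(set)
    for ev in events.values():
        for a in ev.get("avc", []):
            if a["result"] == "denied":
                perms[(a["source_type"], a["target_type"], a["tclass"])].update(a["perms"])
    return dict(perms)


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """audit2allow-style rules, one per (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {_perm_set(p)};" for (s, t, c), p in sorted(denials.items())]


def render_module(name, denials):
    """A complete .te file: policy_module header, require block, allow rules.

    Build it with the refpolicy devel Makefile from selinux-policy-devel, e.g.
    make -f /usr/share/selinux/devel/Makefile <name>.pp && semodule -i <name>.pp
    """
    types = sorted({x for (s, t, _c) in denials for x in (s, t)})
    classes = defaultdict(set)
    for (_s, _t, c), p in denials.items():
        classes[c].update(p)
    lines = [f"policy_module({name}, 1.0)", "", "require {", "\ttype " + ", ".join(types) + ";"]
    lines += [f"\tclass {c} {_perm_set(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    evs = parse_records(RAW_AUDIT)
    print("\n".join(explain(evs)))
    print(render_module("freshclam_local", collect_denials(evs)))
```

Two caveats when using output like this. Rules derived from denials are only as broad as the denials already seen, so every new command wired into an OnXxxExecute hook can surface a fresh AVC on the next run; and `audit2allow -R` would fold the bin_t rules into an interface such as corecmd_exec_shell, which is the shape the policy maintainers prefer. Either way, read what the module grants before loading it: letting freshclam_t execute anything labelled bin_t is a deliberate widening of that domain.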
Comment 1 Daniel Walsh 2010-06-25 19:41:13 UTC
Looks like we need

corecmd_exec_shell(freshclam_t)

Comment 2 Miroslav Grepl 2010-06-28 14:22:25 UTC
Fixed in selinux-policy-3.7.19-32.fc13

Comment 3 Fedora Update System 2010-06-30 19:55:14 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 4 Fedora Update System 2010-07-01 18:49:11 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-06 17:07:30 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 tlhackque 2010-09-07 10:35:59 UTC
I'm not sure what your exact fix was, but it took me several iterations to get freshclam working.  One complication is that I have several OnxxExecute statements in freshclam.conf - e.g.: 

OnErrorExecute /usr/bin/logger -is -p mail.warning "database update failed, see /var/log/clamav/freshclam.log"

Anyhow, the (so far) final policy tweaks that I'm using are:

# Freshclam bug (https://bugzilla.redhat.com/show_bug.cgi?id=607897)
# Local module: build with make -f /usr/share/selinux/devel/Makefile, then semodule -i
policy_module(freshclam_local, 1.0)

require {
	type freshclam_t, bin_t, proc_t, clamd_var_log_t;
	class file { read open getattr execute execute_no_trans };
	class lnk_file read;
}

#============= freshclam_t ==============
# interface call; the macro expands to rules that carry their own semicolons
corecmd_exec_shell(freshclam_t)

# OnErrorExecute and friends run helpers such as /usr/bin/logger (bin_t) through /bin/sh
allow freshclam_t bin_t:file { read open getattr execute execute_no_trans };
allow freshclam_t bin_t:lnk_file read;
allow freshclam_t proc_t:file { open read getattr };
# SubmitDetectionStats makes freshclam read clamd's log file
allow freshclam_t clamd_var_log_t:file read;

Note that any arbitrary command can be specified here - I don't know whether what I came up with covers commands other than the ones I currently use.

I'm currently running policy 3.7.19-51.fc13, so while I might have been able to remove some of my local tweaks, I did have to add to them as recently as last night....

So someone with expert knowledge of selinux needs to revisit the policy.

Thanks.

Comment 7 tlhackque 2010-09-07 10:38:59 UTC
Oh, I should have mentioned that the clamd_var_log_t is because freshclam reads the clamd log file to submit detection statistics - see 

SubmitDetectionStats /etc/clamd.d/scan.conf

in the freshclam.conf file...

Comment 8 Daniel Walsh 2010-09-07 15:56:28 UTC
Those look good to me.

Comment 9 Miroslav Grepl 2010-09-09 09:18:43 UTC
Fixed in selinux-policy-3.7.19-55.fc13

Comment 10 Fedora Update System 2010-09-13 16:08:19 UTC
selinux-policy-3.7.19-57.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

Comment 11 Fedora Update System 2010-09-15 05:29:37 UTC
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

Comment 12 Fedora Update System 2010-09-22 00:37:04 UTC
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

