Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
100% of time

Steps to Reproduce:
1. Install RHEL or CentOS 5.x
2. Install clamav, clamav-milter from rpmforge
3. Try to start clamav

Actual results:
Clamav-milter is unable to open a socket and dies because selinux is blocking it

Expected results:
Clamav-milter starts normally

Additional info:
Here's the messages log excerpt:

May 23 22:30:56 skutter clamav-milter[18164]: Failed to create socket unix:/var/clamav/clmilter.socket
May 23 22:30:56 skutter setroubleshoot: SELinux is preventing clamav-milter (clamd_t) "create" to clmilter.socket (clamd_var_lib_t). For complete SELinux messages. run sealert -l 97c4bc7c-9a5f-4dc0-b195-c8d74fdab56d

And here's the output of sealert:

Summary:

SELinux is preventing clamav-milter (clamd_t) "create" to clmilter.socket (clamd_var_lib_t).

Detailed Description:

SELinux denied access requested by clamav-milter. It is not expected that this access is required by clamav-milter and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for clmilter.socket,

restorecon -v 'clmilter.socket'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                user_u:system_r:clamd_t
Target Context                user_u:object_r:clamd_var_lib_t
Target Objects                clmilter.socket [ sock_file ]
Source                        clamav-milter
Source Path                   /usr/sbin/clamav-milter
Port                          <Unknown>
Host                          skutter.ncc.com
Source RPM Packages           clamav-milter-0.97-1.el5.rf
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5_6.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     skutter.ncc.com
Platform                      Linux skutter.ncc.com 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon May 23 22:30:56 2011
Last Seen                     Mon May 23 22:30:56 2011
Local ID                      97c4bc7c-9a5f-4dc0-b195-c8d74fdab56d
Line Numbers

Raw Audit Messages

host=skutter.ncc.com type=AVC msg=audit(1306207856.548:1264): avc: denied { create } for pid=18164 comm="clamav-milter" name="clmilter.socket" scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=sock_file
host=skutter.ncc.com type=SYSCALL msg=audit(1306207856.548:1264): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fffc9e791d0 a2=6e a3=7fffc9e791ed items=0 ppid=18163 pid=18164 auid=500 uid=101 gid=156 euid=101 suid=101 fsuid=101 egid=156 sgid=156 fsgid=156 tty=(none) ses=17 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=user_u:system_r:clamd_t:s0 key=(null)

I attempted to fix the problem using the method described in the above message but running "restorecon -v 'clmilter.socket'" produces this result:

lstat(clmilter.socket) failed: No such file or directory

So, I'm falling back to the alternate solution of filing this bug report and disabling selinux until the bug is fixed.

I'm not sure which location is the right one for clamav-milter.socket, so I tested more of them.

1) If /etc/clamav-milter.conf contains the following line then clamav-milter does not work, error messages appear in /var/log/messages but no AVCs appear:

MilterSocket unix:/var/clamav/clamav-milter.socket

2) If /etc/clamav-milter.conf contains the following line then clamav-milter does not work, error messages appear in /var/log/messages and AVCs appear too:

MilterSocket unix:/var/lib/clamav/clamav-milter.socket

3) If /etc/clamav-milter.conf contains the following line then clamav-milter works well, no error messages appear in /var/log/messages, no AVCs appear:

MilterSocket unix:/var/run/clamav/clamav-milter.socket

Here are error messages for cases 1 and 2:

May 24 03:37:56 auto-x86-64-002 clamav-milter: ClamAV: Unable to create listening socket on conn unix:/var/clamav/clamav-milter.socket
May 24 03:46:13 auto-x86-64-002 clamav-milter: ClamAV: Unable to bind to port unix:/var/lib/clamav/clamav-milter.socket: Permission denied

Here are AVCs for case 2:

----
time->Tue May 24 04:03:08 2011
type=SYSCALL msg=audit(1306224188.651:1703): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff80d9c7b0 a2=6e a3=0 items=0 ppid=1401 pid=1402 auid=0 uid=102 gid=158 euid=102 suid=102 fsuid=102 egid=158 sgid=158 fsgid=158 tty=(none) ses=243 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1306224188.651:1703): avc: denied { create } for pid=1402 comm="clamav-milter" name="clamav-milter.socket" scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:clamd_var_lib_t:s0 tclass=sock_file
----
time->Tue May 24 04:03:11 2011
type=SYSCALL msg=audit(1306224191.097:1704): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff0ebda210 a2=6e a3=0 items=0 ppid=1450 pid=1451 auid=0 uid=102 gid=158 euid=102 suid=102 fsuid=102 egid=158 sgid=158 fsgid=158 tty=(none) ses=243 comm="clamav-milter" exe="/usr/sbin/clamav-milter" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1306224191.097:1704): avc: denied { create } for pid=1451 comm="clamav-milter" name="clamav-milter.socket" scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:clamd_var_lib_t:s0 tclass=sock_file
----

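
Added example (not part of the original thread, and not code from the selinux-policy or ClamAV projects): a small Python parser that pairs each AVC denial quoted above with the SYSCALL record of the same audit event and collapses the denials into the raw allow rule they correspond to. The function names and the one-entry syscall table are assumptions made for this illustration.

```python
import errno
import re
from collections import defaultdict

# Records taken from the two reports above; the SYSCALL records are abridged
# to the fields this example reads.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1306207856.548:1264): avc: denied { create } for pid=18164 comm="clamav-milter" name="clmilter.socket" scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1306207856.548:1264): arch=c000003e syscall=49 success=no exit=-13 comm="clamav-milter"
type=SYSCALL msg=audit(1306224188.651:1703): arch=c000003e syscall=49 success=no exit=-13 comm="clamav-milter"
type=AVC msg=audit(1306224188.651:1703): avc: denied { create } for pid=1402 comm="clamav-milter" name="clamav-milter.socket" scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:clamd_var_lib_t:s0 tclass=sock_file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?\bname="(?P<name>[^"]*)".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[^)]+)\):.*?\bsyscall=(?P<nr>\d+).*?\bexit=(?P<rc>-?\d+)')
X86_64_SYSCALLS = {49: "bind"}  # only the syscall number seen in this report

def se_type(context):
    """user:role:type[:level] -> type, the field that allow rules are written against."""
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per AVC denial, joined to the SYSCALL record of the same event."""
    calls = {m["event"]: (int(m["nr"]), int(m["rc"])) for m in SYSCALL_RE.finditer(text)}
    denials = []
    for m in AVC_RE.finditer(text):
        nr, rc = calls.get(m["event"], (None, 0))
        denials.append({
            "source": se_type(m["scon"]), "target": se_type(m["tcon"]),
            "tclass": m["tclass"], "perms": m["perms"].split(), "name": m["name"],
            "syscall": X86_64_SYSCALLS.get(nr, nr),
            "errno": errno.errorcode.get(-rc) if rc < 0 else None})
    return denials

def allow_rules(denials):
    """Collapse denials into the unique raw allow rules they correspond to."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return ["allow %s %s:%s %s;" % (
                s, t, c, " ".join(sorted(p)) if len(p) == 1 else "{ %s }" % " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_AUDIT))))
```

Both reporters' denials reduce to the single rule `allow clamd_t clamd_var_lib_t:sock_file create;`, even though the SELinux user field differs (`user_u` vs `root`). The paired SYSCALL records show the denied call was `bind` failing with `EACCES`.
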
Thank you for the bug report. If you are willing to help us identify and solve the problem, please follow these steps:

1. Run the following two commands as root. Note that the first command is a multiline command.

# cat > policy_bz707101.te << _EOF
policy_module(policy_bz707101, 1.0)

require{
  type clamd_t;
  type clamd_var_lib_t;
}

manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i policy_bz707101.pp

2. Re-run your actions.

If the problem persists, or you experience other problems related to this topic, please add sealert/AVCs to this bug report.

>> I'm not sure which location is the right one for clamav-milter.socket,
>> so I tested more of them.
>> MilterSocket unix:/var/clamav/clamav-milter.socket
>> MilterSocket unix:/var/lib/clamav/clamav-milter.socket
>> MilterSocket unix:/var/run/clamav/clamav-milter.socket

If by "right" you mean the one configured in the RPM file and used upon normal installation by yum, then it's the first one:

MilterSocket unix:/var/clamav/clamav-milter.socket

That's the one I've used on previous RHEL/CentOS installs where I wasn't running selinux. If that one is not correct in some sense, then maybe a bug needs to be filed against the clamav-milter RPM package instead of selinux?

I tried reconfiguring clamav-milter.conf and sendmail.mc to use /var/run/clamav/clamav-milter.socket and this successfully got the milter running without selinux problems. So that's a good enough workaround until selinux and the clamav-milter rpm package can get on the same page. :)

Unfortunately, I moved on to spamass-milter next and it has the same problem with selinux - it wants to create its socket in /var/run/spamass.sock, which selinux doesn't like at all. I tried the same basic idea (e.g. reconfigure spamassassin and sendmail to use /var/run/spamassassin/spamass.sock instead of the default path) but it didn't work in this case and selinux still won't let spamass-milter start... Guess I should file a separate bug on that one?

I'm really surprised no one has tried setting up clamav and spamassassin with sendmail on RHEL/CentOS using the defaults in the RPMs before! I would have thought this was standard enough stuff that someone else would have stumbled onto these bugs before me. :)

Fixed in selinux-policy-2.4.6-309.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html