Bug 840667 - SELinux policy denies clamd(1) usage in amavisd-new
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware/OS: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 782183
Reported: 2012-07-16 17:00 EDT by Robert Scheck
Modified: 2013-02-21 03:25 EST
Fixed In Version: selinux-policy-3.7.19-159.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:25:34 EST
Type: Bug
Attachments: None

Description Robert Scheck 2012-07-16 17:00:55 EDT
Description of problem:
SELinux policy denies clamd(1) usage in amavisd-new. Basically, that's clamd(1)
as one of the primary scanners in amavisd-new.

Version-Release number of selected component (if applicable):
clamd-0.97.5-1.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch

How reproducible:
Every time, see above and below. Simply enable EPEL, "yum install amavisd-new
clamd" and start clamd.
  
Actual results:
SELinux policy denies clamd(1) usage in amavisd-new.

Expected results:
No AVC denials for clamd(1) usage in amavisd-new.
Comment 1 Robert Scheck 2012-07-16 17:02:15 EDT
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { search } for  pid=21227 comm="clamd" name="amavisd" dev=vda1 ino=132318 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { write } for  pid=21227 comm="clamd" name="amavisd" dev=vda1 ino=132318 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { add_name } for  pid=21227 comm="clamd" name="clamd.pid" scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { write } for  pid=21227 comm="clamd" name="clamd.pid" dev=vda1 ino=130809 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:amavis_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1342472223.255:159942): arch=c000003e syscall=2 success=yes exit=5 a0=1d272a0 a1=241 a2=1b6 a3=0 items=0 ppid=21226 pid=21227 auid=0 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=840 comm="clamd" exe="/usr/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1342472228.153:159953): avc:  denied  { search } for  pid=21290 comm="fsav" name="21227" dev=proc ino=907289 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1342472228.153:159953): avc:  denied  { read } for  pid=21290 comm="fsav" name="stat" dev=proc ino=907295 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=file
type=AVC msg=audit(1342472228.153:159953): avc:  denied  { open } for  pid=21290 comm="fsav" name="stat" dev=proc ino=907295 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=file
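The records in comment 1 are what a policy maintainer triages before deciding between a labeling change and a new allow rule. The script below is an added example, not part of the bug report or of the selinux-policy package: it parses the posted audit lines (embedded as sample input), groups the denied permissions per (source type, target type, object class) the way audit2allow does, and cross-references the SYSCALL record that shares an event id with the AVCs to tell whether the access was actually blocked. All function and variable names are this example's own.

```python
"""Triage SELinux AVC denials: group them into the allow rules they imply and
check, via the paired SYSCALL record, whether the access was really blocked."""
import re
from collections import defaultdict

# Sample input: the audit records posted in comment 1 of this bug, embedded
# here (constructed sample for the example) so the script runs offline.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { search } for  pid=21227 comm="clamd" name="amavisd" dev=vda1 ino=132318 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { write } for  pid=21227 comm="clamd" name="amavisd" dev=vda1 ino=132318 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { add_name } for  pid=21227 comm="clamd" name="clamd.pid" scontext=unconfined_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir
type=AVC msg=audit(1342472223.255:159942): avc:  denied  { write } for  pid=21227 comm="clamd" name="clamd.pid" dev=vda1 ino=130809 scontext=unconfined_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:amavis_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1342472223.255:159942): arch=c000003e syscall=2 success=yes exit=5 a0=1d272a0 a1=241 a2=1b6 a3=0 items=0 ppid=21226 pid=21227 auid=0 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=840 comm="clamd" exe="/usr/sbin/clamd" subj=unconfined_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1342472228.153:159953): avc:  denied  { search } for  pid=21290 comm="fsav" name="21227" dev=proc ino=907289 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1342472228.153:159953): avc:  denied  { read } for  pid=21290 comm="fsav" name="stat" dev=proc ino=907295 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=file
type=AVC msg=audit(1342472228.153:159953): avc:  denied  { open } for  pid=21290 comm="fsav" name="stat" dev=proc ino=907295 scontext=system_u:system_r:amavis_t:s0 tcontext=unconfined_u:system_r:clamd_t:s0 tclass=file
"""

# Record header shared by every audit line; the event id ties AVC and SYSCALL together.
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")
# AVC body: result, permission set in braces, then key=value fields.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be quoted, parenthesised like (none), or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="quoted" k3=(none)' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_record(line):
    """Parse one audit line into a dict; return None for unrecognised lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "event": m.group("event")}
    if rec["type"] == "AVC":
        a = AVC_RE.match(m.group("body"))
        if not a:
            return None
        rec["result"] = a.group("result")
        rec["perms"] = a.group("perms").split()
        rec.update(parse_fields(a.group("fields")))
    else:
        rec.update(parse_fields(m.group("body")))
    return rec


def type_of(context):
    """The SELinux type is the third field of user:role:type:level."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "AVC" and rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            needed[key].update(rec["perms"])
    return {k: sorted(v) for k, v in needed.items()}


def as_allow_rules(summary):
    """Render the summary as TE allow rules, i.e. what audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]


def blocked_events(log_text):
    """Per audit event with a denial: 'enforced' if the syscall failed,
    'permissive' if success=yes (access logged but not blocked), else unknown."""
    syscall_ok, denied_events = {}, set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        if rec["type"] == "SYSCALL":
            syscall_ok[rec["event"]] = rec.get("success") == "yes"
        elif rec["type"] == "AVC" and rec["result"] == "denied":
            denied_events.add(rec["event"])
    verdict = {True: "permissive", False: "enforced", None: "no SYSCALL record"}
    return {e: verdict[syscall_ok.get(e)] for e in sorted(denied_events)}


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(AUDIT_SAMPLE)):
        print(rule)
    for event, state in blocked_events(AUDIT_SAMPLE).items():
        print(f"{event}: {state}")
```

The grouped rules are a triage summary, not a policy to load with semodule as-is: they show that clamd_t is trying to create its pid file inside a directory labelled amavis_var_run_t, and that amavis_t is reading /proc/PID/stat of the clamd process, which is the point at which a maintainer decides whether a label or a permission is the right fix. The success=yes on the SYSCALL record means that event was logged but not blocked, so the reporting host was permissive for that domain when the lines were captured.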
Comment 3 Robert Scheck 2012-07-16 17:07:54 EDT
Cross-filed case 00678438 in the Red Hat Customer Portal.

Please note that clamscan != clamd. The first is a command-line scanner, while
the second is a daemon that can be queried (less overhead than loading all
the signatures into memory each time, while the daemon simply keeps them)...
Comment 4 Miroslav Grepl 2012-07-16 17:20:27 EDT
We added some fixes to Fedora to fix this issue. We need to backport it.
Comment 5 Robert Scheck 2012-07-18 16:54:30 EDT
Nice, selinux-policy-3.7.19-156 seems to solve this issue. Can we get this at
latest for 6.4 or even FasTrack, please?
Comment 6 Daniel Walsh 2012-07-19 11:52:32 EDT
It is in 6.4
Comment 11 errata-xmlrpc 2013-02-21 03:25:34 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
