Bug 860858 - RHEL5/RHEL6 selinux-policy needs clamscan_can_scan_system tunable
RHEL5/RHEL6 selinux-policy needs clamscan_can_scan_system tunable
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
low Severity low
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-26 17:53 EDT by James Ralston
Modified: 2013-02-21 03:30 EST (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-168.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:30:54 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James Ralston 2012-09-26 17:53:25 EDT
Version-Release number of selected component (if applicable):

selinux-policy-2.4.6-327.el5
selinux-policy-3.7.19-155.el6_3.4
selinux-policy-3.10.0-91.fc16

Description of problem:

We call clamdscan from a sendmail milter, in order to scan incoming mail messages for viruses in real time (during the SMTP dialog).

All versions of selinux-policy for RHEL5 and RHEL6 break the ability of clamd to read arbitrary files on the system, such as files underneath /var/spool:

$ getenforce 
Permissive

$ clamdscan -c /etc/clamd.d/defang.conf /var/spool/mdspool/test 
/var/spool/mdspool/test: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.001 sec (0 m 0 s)

$ ausearch -m avc -ts recent
----
time->Wed Sep 26 16:17:57 2012
type=SYSCALL msg=audit(1348690677.657:2883): arch=c000003e syscall=6 success=yes exit=0 a0=79144c0 a1=42539db0 a2=42539db0 a3=1 items=0 ppid=1 pid=19899 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1348690677.657:2883): avc:  denied  { getattr } for  pid=19899 comm="clamd" path="/var/spool/mdspool/test" dev=dm-1 ino=131117 scontext=system_u:system_r:clamd_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
----
time->Wed Sep 26 16:17:57 2012
type=SYSCALL msg=audit(1348690677.657:2884): arch=c000003e syscall=21 success=yes exit=0 a0=78d3c20 a1=4 a2=625d01 a3=0 items=0 ppid=1 pid=19899 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1348690677.657:2884): avc:  denied  { read } for  pid=19899 comm="clamd" name="test" dev=dm-1 ino=131117 scontext=system_u:system_r:clamd_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=file

I can resort to implementing local policy to override this; e.g.:

$ ausearch -m avc -ts this-month | audit2allow
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { read getattr };

However, more recent versions of selinux-policy (e.g., selinux-policy-3.10.0-91.fc16 and possibly earlier) include a tunable that permits clamd to scan non-security system files. From policy/modules/services/clamav.te:

## <desc>
##  <p>
##  Allow clamscan to non security files on a system
##  </p>
## </desc>
gen_tunable(clamscan_can_scan_system, false)

tunable_policy(`clamscan_can_scan_system',`
        files_read_non_security_files(clamscan_t)
')

This is a much cleaner approach. If added as above (default == false), it would represent no change to existing policy, and is only a tiny (4-line) addition.

Could this be added to RHEL5 and RHEL6 selinux-policy, please?
Comment 2 James Ralston 2012-10-10 15:13:07 EDT
Thanks for the RHEL6 add. Any chance of getting it added to RHEL5, too? Should I file a separate bug for that?
Comment 3 Miroslav Grepl 2012-10-11 02:01:40 EDT
(In reply to comment #2)
> Thanks for the RHEL6 add. Any chance of getting it added to RHEL5, too?
> Should I file a separate bug for that?

Yes, please.
Comment 7 errata-xmlrpc 2013-02-21 03:30:54 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.