928020 – SELinux forbids freshclam cronjob to notify Clamd instance for Amavisd-New

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 928020 - SELinux forbids freshclam cronjob to notify Clamd instance for Amavisd-New

Summary: SELinux forbids freshclam cronjob to notify Clamd instance for Amavisd-New

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-03-26 17:30 UTC by Robert Scheck
Modified:	2018-12-03 18:33 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.7.19-228.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-21 10:22:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1598	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 21:39:24 UTC

Description Robert Scheck 2013-03-26 17:30:47 UTC

Description of problem:
type=AVC msg=audit(1364317635.042:85663): avc:  denied  { search } for  pid=15803 comm="freshclam" name="spool" dev=sda2 ino=1835534 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1364317635.042:85663): avc:  denied  { search } for  pid=15803 comm="freshclam" name="amavisd" dev=sda2 ino=1835258 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1364317635.042:85663): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff34f77a40 a2=6e a3=10 items=0 ppid=15800 pid=15803 auid=0 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=10394 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch
clamav-0.97.7-1.el6.x86_64
amavisd-new-2.8.0-4.el6.noarch

How reproducible:
Everytime, see above.

Actual results:
If you run an e-mail setup where Amavisd-New shall use Clamd for anti-virus
scanning, this causes freshclam (which updates the clamav signature databases)
to notify the clamd instance for amavisd-new via socket. And exactly this is
forbidden due to the SELinux policy:

system_u:system_r:clamd_t:s0    amavis    2150  0.0  1.6 372516 271168 ?       Ssl  Mar20   1:52 clamd.amavisd -c /etc/clamd.d/amavisd.conf --pid /var/run/amavisd/clamd.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16064 0.0  0.0 103248 836 pts/1 S+ 18:12   0:00 grep clam

-rw-r-----. amavis amavis unconfined_u:object_r:amavis_var_run_t:s0 /var/run/amavisd/amavisd.lock
-rw-r-----. amavis amavis system_u:object_r:amavis_var_run_t:s0 /var/run/amavisd/amavisd.pid
-rw-rw-r--. amavis amavis system_u:object_r:amavis_var_run_t:s0 /var/run/amavisd/clamd.pid

The separate clamd instance is shipped with the amavisd-new package from EPEL.

Expected results:
No AVC denied.

Comment 1 Robert Scheck 2013-03-26 17:32:48 UTC

Note that clamd is not trying to scan the filesystem (as the setroubleshoot
utility guesses) but freshclam tries to notify the clamav daemon process if
the pid has been gathered (sorry, above was wrong, not socket, but it looks
for the PID to signal it that way then).

Comment 2 Robert Scheck 2013-03-26 17:34:08 UTC

Cross-filed case 00811010 in the Red Hat customer portal

Comment 3 Miroslav Grepl 2013-03-27 11:52:52 UTC

We allow it in Fedora where we switched to antivirus_domain at all. I believe we can back port all antivirus changes to RHEL6.5.

Comment 4 Robert Scheck 2013-03-27 11:56:09 UTC

What does antivirus_domain exactly do?

Comment 5 Miroslav Grepl 2013-03-27 17:28:58 UTC

http://git.fedorahosted.org/cgit/selinux-policy.git/tree/antivirus.te?h=master_contrib

Comment 6 Robert Scheck 2013-03-27 18:45:51 UTC

Hum? selinux-policy-targeted-3.7.19-195.el6_4.3.noarch ships antivirus 1.0.0
as per "semodule -l", however we still have the issue mentioned in description.

Comment 7 Robert Scheck 2013-03-27 18:48:10 UTC

If I get you right, we should use boolean antivirus_can_scan_system, even if
we do not want to allow scanning of whole system, but only want to achieve that 
notification of a specific clamd instance for amavisd-new works?! Is there no
more fine granulation? Or did I misget you?

Comment 8 Miroslav Grepl 2013-03-28 06:24:47 UTC

(In reply to comment #6)
> Hum? selinux-policy-targeted-3.7.19-195.el6_4.3.noarch ships antivirus 1.0.0
> as per "semodule -l", however we still have the issue mentioned in
> description.

Right, but it just contains labeling for 

/var/opt/f-secure(/.*)?                 gen_context(system_u:object_r:antivirus_db_t,s0)

and allows all antivirus domains to access this dir.

Comment 9 Robert Scheck 2013-03-28 11:23:50 UTC

I agree that the boolean antivirus_can_scan_system solves the initial issue
for ClamAV - but it grants a bit more than least privilege in this case.

Even F-Secure works as expected (because you mentioned it in comment #8, but
you need to enable the boolean amavis_use_jit due to execmem in fsav(d).

Okay. I personally can deal with relatively loose antivirus_can_scan_system
boolean even I expected something more tight/fine granulated.

Comment 10 Daniel Walsh 2013-03-28 13:37:09 UTC

After examining all of the policy the difference in Access was not considered that great and the number of AVC's being generated from people combining different technologies was just getting in the way of people using SELinux.  Some times we get too fine grained of controls and it causes more problems then the security it actually provides.  Handling of spam was consolodated a few years ago also.

Comment 11 Robert Scheck 2013-03-28 15:32:49 UTC

Daniel, thanks for the explanation.

For me the issue would be solved hereby, but I would ask for a more proper
documentation, which clearly states that boolean antivirus_can_scan_system
does not only do what the name says, but also might be needed in case that
the anti-virus components need to access other parts of the filesystem for
non-scanning (!) actions.

The current antivirus.te in a fully up-to-date RHEL 6.5 works fine here.

You also might add to the boolean documentation of amavis_use_jit, that it
might be used in conjunction if the anti-virus software in general uses a
execmem call and is called in the context of amavisd-new. To make it even
more perfect, you could add that for running the "F-Secure Linux Security"
together with amavisd-new, you must use booleans antivirus_can_scan_system
and amavis_use_jit. But this also could go into a knowledgebase (KB) entry.

I guess this needs to be done by another team, not by you technical guys;
shall I copy this also into the regular ticket or will somebody pick it up?

Comment 12 Daniel Walsh 2013-04-01 14:35:56 UTC

Miroslav can you add this documentation.

Comment 17 Miroslav Grepl 2013-08-06 10:42:46 UTC

I merged all antivirus domains to antivirus_t. Basically it will be a part of errata doc.

Comment 21 errata-xmlrpc 2013-11-21 10:22:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.