Bug 928020 - SELinux forbids freshclam cronjob to notify Clamd instance for Amavisd-New
Summary: SELinux forbids freshclam cronjob to notify Clamd instance for Amavisd-New
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-26 17:30 UTC by Robert Scheck
Modified: 2018-12-03 18:33 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-228.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:22:17 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Robert Scheck 2013-03-26 17:30:47 UTC
Description of problem:
type=AVC msg=audit(1364317635.042:85663): avc:  denied  { search } for  pid=15803 comm="freshclam" name="spool" dev=sda2 ino=1835534 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1364317635.042:85663): avc:  denied  { search } for  pid=15803 comm="freshclam" name="amavisd" dev=sda2 ino=1835258 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1364317635.042:85663): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff34f77a40 a2=6e a3=10 items=0 ppid=15800 pid=15803 auid=0 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=10394 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch
clamav-0.97.7-1.el6.x86_64
amavisd-new-2.8.0-4.el6.noarch

How reproducible:
Everytime, see above.

Actual results:
If you run an e-mail setup where Amavisd-New shall use Clamd for anti-virus
scanning, this causes freshclam (which updates the clamav signature databases)
to notify the clamd instance for amavisd-new via socket. And exactly this is
forbidden due to the SELinux policy:

system_u:system_r:clamd_t:s0    amavis    2150  0.0  1.6 372516 271168 ?       Ssl  Mar20   1:52 clamd.amavisd -c /etc/clamd.d/amavisd.conf --pid /var/run/amavisd/clamd.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16064 0.0  0.0 103248 836 pts/1 S+ 18:12   0:00 grep clam

-rw-r-----. amavis amavis unconfined_u:object_r:amavis_var_run_t:s0 /var/run/amavisd/amavisd.lock
-rw-r-----. amavis amavis system_u:object_r:amavis_var_run_t:s0 /var/run/amavisd/amavisd.pid
-rw-rw-r--. amavis amavis system_u:object_r:amavis_var_run_t:s0 /var/run/amavisd/clamd.pid

The separate clamd instance is shipped with the amavisd-new package from EPEL.

Expected results:
No AVC denied.

Comment 1 Robert Scheck 2013-03-26 17:32:48 UTC
Note that clamd is not trying to scan the filesystem (as the setroubleshoot
utility guesses) but freshclam tries to notify the clamav daemon process if
the pid has been gathered (sorry, above was wrong, not socket, but it looks
for the PID to signal it that way then).

Comment 2 Robert Scheck 2013-03-26 17:34:08 UTC
Cross-filed case 00811010 in the Red Hat customer portal

Comment 3 Miroslav Grepl 2013-03-27 11:52:52 UTC
We allow it in Fedora where we switched to antivirus_domain at all. I believe we can back port all antivirus changes to RHEL6.5.

Comment 4 Robert Scheck 2013-03-27 11:56:09 UTC
What does antivirus_domain exactly do?

Comment 6 Robert Scheck 2013-03-27 18:45:51 UTC
Hum? selinux-policy-targeted-3.7.19-195.el6_4.3.noarch ships antivirus 1.0.0
as per "semodule -l", however we still have the issue mentioned in description.

Comment 7 Robert Scheck 2013-03-27 18:48:10 UTC
If I get you right, we should use boolean antivirus_can_scan_system, even if
we do not want to allow scanning of whole system, but only want to achieve that 
notification of a specific clamd instance for amavisd-new works?! Is there no
more fine granulation? Or did I misget you?

Comment 8 Miroslav Grepl 2013-03-28 06:24:47 UTC
(In reply to comment #6)
> Hum? selinux-policy-targeted-3.7.19-195.el6_4.3.noarch ships antivirus 1.0.0
> as per "semodule -l", however we still have the issue mentioned in
> description.

Right, but it just contains labeling for 

/var/opt/f-secure(/.*)?                 gen_context(system_u:object_r:antivirus_db_t,s0)

and allows all antivirus domains to access this dir.

Comment 9 Robert Scheck 2013-03-28 11:23:50 UTC
I agree that the boolean antivirus_can_scan_system solves the initial issue
for ClamAV - but it grants a bit more than least privilege in this case.

Even F-Secure works as expected (because you mentioned it in comment #8, but
you need to enable the boolean amavis_use_jit due to execmem in fsav(d).

Okay. I personally can deal with relatively loose antivirus_can_scan_system
boolean even I expected something more tight/fine granulated.

Comment 10 Daniel Walsh 2013-03-28 13:37:09 UTC
After examining all of the policy the difference in Access was not considered that great and the number of AVC's being generated from people combining different technologies was just getting in the way of people using SELinux.  Some times we get too fine grained of controls and it causes more problems then the security it actually provides.  Handling of spam was consolodated a few years ago also.

Comment 11 Robert Scheck 2013-03-28 15:32:49 UTC
Daniel, thanks for the explanation.

For me the issue would be solved hereby, but I would ask for a more proper
documentation, which clearly states that boolean antivirus_can_scan_system
does not only do what the name says, but also might be needed in case that
the anti-virus components need to access other parts of the filesystem for
non-scanning (!) actions.

The current antivirus.te in a fully up-to-date RHEL 6.5 works fine here.

You also might add to the boolean documentation of amavis_use_jit, that it
might be used in conjunction if the anti-virus software in general uses a
execmem call and is called in the context of amavisd-new. To make it even
more perfect, you could add that for running the "F-Secure Linux Security"
together with amavisd-new, you must use booleans antivirus_can_scan_system
and amavis_use_jit. But this also could go into a knowledgebase (KB) entry.

I guess this needs to be done by another team, not by you technical guys;
shall I copy this also into the regular ticket or will somebody pick it up?

Comment 12 Daniel Walsh 2013-04-01 14:35:56 UTC
Miroslav can you add this documentation.

Comment 17 Miroslav Grepl 2013-08-06 10:42:46 UTC
I merged all antivirus domains to antivirus_t. Basically it will be a part of errata doc.

Comment 21 errata-xmlrpc 2013-11-21 10:22:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html


Note You need to log in before you can comment on or make changes to this bug.