Bug 999471 - AVC denials caused by amavisd-snmp service start/restart
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All Linux
Priority: medium  Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka

Reported: 2013-08-21 07:28 EDT by Michal Trunecka
Modified: 2014-09-30 19:35 EDT

Fixed In Version: selinux-policy-3.7.19-212.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 05:49:51 EST
Type: Bug

Description Michal Trunecka 2013-08-21 07:28:30 EDT
Description of problem:

There are some AVCs during amavisd-snmp start/restart, because of these missing rules:
allow antivirus_t snmpd_var_lib_t:dir write;
allow antivirus_t snmpd_var_lib_t:sock_file write;

These rules were added, among others, because of Bug 839250 (originally with amavis_t).


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-211.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. service amavisd-snmp start
2. service amavisd-snmp restart


Additional info:

----
type=SYSCALL msg=audit(08/21/2013 11:41:21.506:129739) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fffc55cc0d0 a2=6e a3=12 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:21.506:129739) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129740) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cb5f0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:22.911:129740) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129741) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cbe20 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:22.911:129741) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129742) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cbe20 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:22.911:129742) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129744) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3facdab0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:25.370:129744) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129745) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3face2e0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:25.370:129745) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129746) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3face2e0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:25.370:129746) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:24.023:129743) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fff3face590 a2=6e a3=12 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:24.023:129743) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
Comment 1 Michal Trunecka 2013-08-21 08:12:40 EDT
These are the rules which are missing for the clamav service:

From test:
/CoreOS/selinux-policy/Regression/bz500392-problems-with-clamav-milter


allow antivirus_t antivirus_log_t:dir { write add_name };
allow antivirus_t antivirus_log_t:file create;


----
time->Wed Aug 21 14:07:14 2013
type=SYSCALL msg=audit(1377086834.299:130868): arch=c000003e syscall=2 success=yes exit=3 a0=abc4d0 a1=441 a2=1b6 a3=0 items=0 ppid=8782 pid=8783 auid=500 uid=491 gid=486 euid=491 suid=491 fsuid=491 egid=486 sgid=486 fsgid=486 tty=pts20 ses=2 comm="clamd" exe="/usr/sbin/clamd" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { create } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:antivirus_log_t:s0 tclass=file
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { add_name } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { write } for  pid=8783 comm="clamd" name="clamav" dev=dm-5 ino=1703948 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
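
Added example (not part of the original report or of selinux-policy): a small parser that turns AVC denial records like the ones quoted in the description and in Comment 1 into the corresponding allow rules, merging permissions per source type, target type and class. The function names are illustrative, and the sample records are abridged copies of the ones above.

```python
import re
from collections import defaultdict

# Records abridged from this report (date-stamped and epoch-stamped forms).
SAMPLE = """\
type=SYSCALL msg=audit(08/21/2013 11:41:21.506:129739) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) comm=amavisd-snmp-su
type=AVC msg=audit(08/21/2013 11:41:21.506:129739) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=master scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(08/21/2013 11:41:22.911:129740) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { create } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:antivirus_log_t:s0 tclass=file
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { add_name } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { write } for  pid=8783 comm="clamd" name="clamav" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def parse_denials(log_text):
    """Extract ((source type, target type, class), permissions) per AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators, truncated lines
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        try:
            key = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])
        except (KeyError, ValueError):
            continue  # AVC record missing a context or class
        denials.append((key, m.group("perms").split()))
    return denials

def missing_rules(log_text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    grouped = defaultdict(set)
    for key, perms in parse_denials(log_text):
        grouped[key].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)  # alphabetical, so order may differ from the report
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Rules derived this way only describe what was denied; each one still needs to be checked against what the confined domain is meant to do before it goes into policy.
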
Comment 4 errata-xmlrpc 2013-11-21 05:49:51 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
