Bug 999471 - AVC denials caused by amavisd-snmp service start/restart
Summary: AVC denials caused by amavisd-snmp service start/restart
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2013-08-21 11:28 UTC by Michal Trunecka
Modified: 2014-09-30 23:35 UTC

Fixed In Version: selinux-policy-3.7.19-212.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 10:49:51 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Michal Trunecka 2013-08-21 11:28:30 UTC
Description of problem:

There are some AVCs during amavisd-snmp start/restart, because of these missing rules:
allow antivirus_t snmpd_var_lib_t:dir write;
allow antivirus_t snmpd_var_lib_t:sock_file write;

These rules were added among others because of Bug 839250 (originally with amavis_t).


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-211.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. service amavisd-snmp start
2. service amavisd-snmp restart


Additional info:

----
type=SYSCALL msg=audit(08/21/2013 11:41:21.506:129739) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fffc55cc0d0 a2=6e a3=12 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:21.506:129739) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129740) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cb5f0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:22.911:129740) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129741) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cbe20 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:22.911:129741) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129742) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cbe20 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:22.911:129742) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129744) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3facdab0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:25.370:129744) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129745) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3face2e0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:25.370:129745) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129746) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3face2e0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:25.370:129746) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/21/2013 11:41:24.023:129743) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fff3face590 a2=6e a3=12 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null) 
type=AVC msg=audit(08/21/2013 11:41:24.023:129743) : avc:  denied  { write } for  pid=31936 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file

Comment 1 Michal Trunecka 2013-08-21 12:12:40 UTC
These are the rules which are missing for the clamav service:

From test:
/CoreOS/selinux-policy/Regression/bz500392-problems-with-clamav-milter


allow antivirus_t antivirus_log_t:dir { write add_name };
allow antivirus_t antivirus_log_t:file create;


----
time->Wed Aug 21 14:07:14 2013
type=SYSCALL msg=audit(1377086834.299:130868): arch=c000003e syscall=2 success=yes exit=3 a0=abc4d0 a1=441 a2=1b6 a3=0 items=0 ppid=8782 pid=8783 auid=500 uid=491 gid=486 euid=491 suid=491 fsuid=491 egid=486 sgid=486 fsgid=486 tty=pts20 ses=2 comm="clamd" exe="/usr/sbin/clamd" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { create } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:antivirus_log_t:s0 tclass=file
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { add_name } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { write } for  pid=8783 comm="clamd" name="clamav" dev=dm-5 ino=1703948 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
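
Added example (not part of the original report or of the selinux-policy project): a Python parser that derives the missing allow rules from AVC records such as those quoted in the description and in Comment 1, covering both the interpreted layout (unquoted values) and the raw layout (quoted values). The sample lines are copied from the records above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from this report, plus separator lines.
SAMPLE = '''\
----
type=AVC msg=audit(08/21/2013 11:41:21.506:129739) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(08/21/2013 11:41:22.911:129740) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(08/21/2013 11:41:22.911:129741) : avc:  denied  { write } for  pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
time->Wed Aug 21 14:07:14 2013
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { create } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:antivirus_log_t:s0 tclass=file
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { add_name } for  pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc:  denied  { write } for  pid=8783 comm="clamd" name="clamav" dev=dm-5 ino=1703948 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
'''

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def denied_rules(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, time-> and ---- lines carry no permission data
        m = AVC_RE.search(line)
        if m is None:
            continue  # e.g. a granted record or a truncated line
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type:level; the type is the third field.
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        rules[key].update(perms.split())  # repeated denials collapse here
    return rules

def format_rules(rules):
    """Render the collected denials as policy allow statements, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(format_rules(denied_rules(SAMPLE))))
```

The output matches the four rules listed in this report, with permissions sorted alphabetically; audit2allow produces equivalent rules from the same records.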

Comment 4 errata-xmlrpc 2013-11-21 10:49:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

