Description of problem:
There are some AVCs during amavisd-snmp start/restart, because of these missing rules:

allow antivirus_t snmpd_var_lib_t:dir write;
allow antivirus_t snmpd_var_lib_t:sock_file write;

These rules were added among others because of the Bug 839250 (originally with amavis_t).

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-211.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. service amavisd-snmp start
2. service amavisd-snmp restart
3.

Additional info:
----
type=SYSCALL msg=audit(08/21/2013 11:41:21.506:129739) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fffc55cc0d0 a2=6e a3=12 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:21.506:129739) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129740) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cb5f0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:22.911:129740) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129741) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cbe20 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:22.911:129741) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/21/2013 11:41:22.911:129742) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fffc55cbe20 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31884 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:22.911:129742) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129744) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3facdab0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:25.370:129744) : avc: denied { write } for pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129745) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3face2e0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:25.370:129745) : avc: denied { write } for pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/21/2013 11:41:25.370:129746) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff3face2e0 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:25.370:129746) : avc: denied { write } for pid=31936 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/21/2013 11:41:24.023:129743) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fff3face590 a2=6e a3=12 items=0 ppid=1 pid=31936 auid=mtruneck uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(08/21/2013 11:41:24.023:129743) : avc: denied { write } for pid=31936 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file

These are rules which are missing for clamav service:

From test: /CoreOS/selinux-policy/Regression/bz500392-problems-with-clamav-milter

allow antivirus_t antivirus_log_t:dir { write add_name };
allow antivirus_t antivirus_log_t:file create;

----
time->Wed Aug 21 14:07:14 2013
type=SYSCALL msg=audit(1377086834.299:130868): arch=c000003e syscall=2 success=yes exit=3 a0=abc4d0 a1=441 a2=1b6 a3=0 items=0 ppid=8782 pid=8783 auid=500 uid=491 gid=486 euid=491 suid=491 fsuid=491 egid=486 sgid=486 fsgid=486 tty=pts20 ses=2 comm="clamd" exe="/usr/sbin/clamd" subj=unconfined_u:system_r:antivirus_t:s0 key=(null)
type=AVC msg=audit(1377086834.299:130868): avc: denied { create } for pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:antivirus_log_t:s0 tclass=file
type=AVC msg=audit(1377086834.299:130868): avc: denied { add_name } for pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc: denied { write } for pid=8783 comm="clamd" name="clamav" dev=dm-5 ino=1703948 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
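
Added example, not part of the bug report or of selinux-policy: a short Python script showing how the AVC records quoted in the two comments above reduce to the allow rules they list. The records in SAMPLE_AVCS are copied from the report; the names SAMPLE_AVCS, AVC_RE, selinux_type and missing_rules are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (129741 repeats 129740 on purpose).
SAMPLE_AVCS = """\
type=AVC msg=audit(08/21/2013 11:41:21.506:129739) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=master dev=dm-5 ino=1310722 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(08/21/2013 11:41:22.911:129740) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(08/21/2013 11:41:22.911:129741) : avc: denied { write } for pid=31884 comm=amavisd-snmp-su name=net-snmp dev=dm-5 ino=131123 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc: denied { create } for pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:antivirus_log_t:s0 tclass=file
type=AVC msg=audit(1377086834.299:130868): avc: denied { add_name } for pid=8783 comm="clamd" name="clamd.log" scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
type=AVC msg=audit(1377086834.299:130868): avc: denied { write } for pid=8783 comm="clamd" name="clamav" dev=dm-5 ino=1703948 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:antivirus_log_t:s0 tclass=dir
"""

# Permission set, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; policy rules are written on the type.
    return context.split(":")[2]

def missing_rules(audit_text):
    """Collapse AVC denials into one candidate allow rule per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and "----" separators carry no denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        perms_by_key[key].update(m["perms"].split())  # repeats merge into the set
    rules = []
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(missing_rules(SAMPLE_AVCS)))
```

The result is a list of candidate rules for policy review, not a policy to load as-is; on a live system audit2allow performs the same reduction from the audit log.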

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html