
List:       fedora-selinux-list
Subject:    Re: Selinux denial on clamd
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2014-09-14 10:55:35
Message-ID: 54157427.80806 () redhat ! com

I would just allow the access, using audit2allow -M myclamd

On 09/13/2014 07:57 AM, Watts M.R. wrote:
> Data flow is:  Squid -> c-icap (via TCP) -> c-icap virus_scan module -> c-icap clamd_mod module
>
> c-icap's TmpDir is set to /var/tmp so my guess is that it's c-icap which is writing
> the object to scan to the CI_TMP file which it then passes to its virus_scan module
> which ultimately gets passed to clamd through the clamd_mod c-icap module. I can't
> tell this explicitly from the documentation at [1] though so this is just an
> educated guess.
>
> Mark.
> 
> [1] http://c-icap.sourceforge.net/c-icap-modules.conf-0.3.x.html
> 
> 
> --
> Mark Watts
> Infrastructure Engineer, iSolutions
> University of Southampton
> Tel: (02380) 595788 Int: 25788
> ________________________________
> From: Daniel J Walsh [dwalsh@redhat.com]
> Sent: 13 September 2014 11:07
> To: Watts M.R.; selinux@lists.fedoraproject.org
> Subject: Re: Selinux denial on clamd
> 
> Does it not work without permissive mode?
> 
> Looks like a stdout redirection or leaked file descriptor.
> 
> Do you have something like
> 
> script << _EOF
> command
> command
> command
> _EOF
> 
> Where clamd is running as one of the commands?
> 
> Or some other tmp file being created in /var/tmp/CI_TMP
> 
> Which is being passed on to clamd
> 
> On 09/12/2014 11:11 AM, Watts M.R. wrote:
> I'm currently trying to integrate Squid, c-icap and clamd together to get A/V
> scanning of objects through squid on a CentOS 6.5 server.
>
> I have things working but every time I try and download the eicar.com test virus, I
> see the following in the logs:
>
> type=AVC msg=audit(1410534437.751:227204): avc:  denied  { write } for  pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
>
> For the record, this server has been hardened according to the CIS CentOS 6.5
> benchmark document.
>
> /tmp and /var/tmp are mounted as so, if this matters:
> 
> /dev/mapper/VolGroup00-tmp on /tmp type ext4 (rw,noexec,nosuid,nodev)
> /tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind)
> 
> If I set "semanage permissive -a clamd_t" then everything works.
> 
> 
> Audit2allow suggests I need the following, but I'm not really understanding why:
> 
> allow antivirus_t initrc_tmp_t:file write;
> 
> 
> Any guidance?
> 
> Mark.
> 
> --
> Mark Watts
> Infrastructure Engineer, iSolutions
> University of Southampton
> Tel: (02380) 595788 Int: 25788
> 
> 
> 
> 
> --
> selinux mailing list
> selinux@lists.fedoraproject.org<mailto:selinux@lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
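
The allow rule quoted in the thread follows mechanically from the fields of the AVC record: source type, target type, object class and denied permission. As an added example (not part of the original messages and not audit2allow's own code), this Python sketch parses that record and derives the same rule; the function names are hypothetical, and it goes slightly beyond the thread by merging several denials that share source, target and class.

```python
import re

# The AVC record from the thread, rejoined onto one line.
SAMPLE = ('type=AVC msg=audit(1410534437.751:227204): avc:  denied  { write } for  '
          'pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 '
          'scontext=unconfined_u:system_r:antivirus_t:s0 '
          'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in kv for k in ('scontext', 'tcontext', 'tclass')):
        return None
    src = context_type(kv['scontext'])   # domain of the denied process (clamd)
    tgt = context_type(kv['tcontext'])   # label on the /var/tmp/CI_TMP_* file
    perms = m.group('perms').split()
    if not (src and tgt and perms):
        return None
    return src, tgt, kv['tclass'], perms

def rules_from_log(lines):
    """Build one allow rule per (source, target, class), merging permissions."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue                     # not an AVC denial, or malformed
        src, tgt, cls, perms = parsed
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    print('\n'.join(rules_from_log([SAMPLE])))
```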

