Just in the past few days I've received seven of this AVC complaint, and I haven't seen any of this complaint before that. On 11 July, I updated selinux to 3.6.12-62.fc11. I currently have clamav-0.95.1-2.fc11.i586, installed on 1 July. I am not aware of anything that changed on or just before the 17th. Any ideas?
Here's the sealert:
Thanks
Eddie
Summary:
SELinux is preventing clamd.scan (system_cronjob_t) "write" crond_t.
Detailed Description:
SELinux denied access requested by clamd.scan. It is not expected that this access is required by clamd.scan and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:system_cronjob_t:s0
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]
Source                        clamd.scan
Source Path                   /bin/bash
Port                          <Unknown>
Host                          kilroy.chi.il.us
Source RPM Packages           bash-4.0-6.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 i686
Alert Count                   7
First Seen                    Fri Jul 17 10:36:13 2009
Last Seen                     Mon Jul 20 16:36:12 2009
Local ID                      39c625f5-4b31-49f2-bb14-57835e8afc61
Line Numbers
Raw Audit Messages
node=kilroy.chi.il.us type=AVC msg=audit(1248125772.619:80082): avc: denied { write } for pid=3642 comm="clamd.scan" path="pipe:[8230868]" dev=pipefs ino=8230868 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
node=kilroy.chi.il.us type=SYSCALL msg=audit(1248125772.619:80082): arch=40000003 syscall=11 success=yes exit=0 a0=9ef08f0 a1=9ef0910 a2=9eeecb8 a3=9ef0910 items=0 ppid=509 pid=3642 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2000 comm="clamd.scan" exe="/bin/bash" subj=system_u:system_r:system_cronjob_t:s0 key=(null)
On 07/21/2009 12:18 AM, Edward Kuns wrote:
> Just in the past few days I've received seven of this AVC complaint, and I haven't seen any of this complaint before that. On 11 July, I updated selinux to 3.6.12-62.fc11. I currently have clamav-0.95.1-2.fc11.i586, installed on 1 July. I am not aware of anything that changed on or just before the 17th. Any ideas?
> Here's the sealert:
> Thanks
> Eddie
> Summary:
> SELinux is preventing clamd.scan (system_cronjob_t) "write" crond_t.
> Detailed Description:
> SELinux denied access requested by clamd.scan. It is not expected that this access is required by clamd.scan and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> Additional Information:
> Source Context                system_u:system_r:system_cronjob_t:s0
> Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
> Target Objects                pipe [ fifo_file ]
> Source                        clamd.scan
> Source Path                   /bin/bash
> Port                          <Unknown>
> Host                          kilroy.chi.il.us
> Source RPM Packages           bash-4.0-6.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.12-62.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 i686
> Alert Count                   7
> First Seen                    Fri Jul 17 10:36:13 2009
> Last Seen                     Mon Jul 20 16:36:12 2009
> Local ID                      39c625f5-4b31-49f2-bb14-57835e8afc61
> Line Numbers
> Raw Audit Messages
> node=kilroy.chi.il.us type=AVC msg=audit(1248125772.619:80082): avc: denied { write } for pid=3642 comm="clamd.scan" path="pipe:[8230868]" dev=pipefs ino=8230868 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> node=kilroy.chi.il.us type=SYSCALL msg=audit(1248125772.619:80082): arch=40000003 syscall=11 success=yes exit=0 a0=9ef08f0 a1=9ef0910 a2=9eeecb8 a3=9ef0910 items=0 ppid=509 pid=3642 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2000 comm="clamd.scan" exe="/bin/bash" subj=system_u:system_r:system_cronjob_t:s0 key=(null)
This looks like an MCS constraint problem. And looking at current selinux policy it should be fixed.
Can you upgrade to the latest selinux policy in testing?
yum upgrade --enablerepo=updates-testing selinux-policy-targeted
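
Added example, not part of the original thread: a small Python triage that parses the AVC record from the sealert above and compares the MCS levels of the source and target contexts. The function names are illustrative, and the dominance rule is an assumption (source high level must dominate target high level); the actual constraint text of the policy version in use is not shown in this thread.

```python
import re

# AVC record copied from the sealert output in this thread.
AVC = ('node=kilroy.chi.il.us type=AVC msg=audit(1248125772.619:80082): avc: denied { write } '
       'for pid=3642 comm="clamd.scan" path="pipe:[8230868]" dev=pipefs ino=8230868 '
       'scontext=system_u:system_r:system_cronjob_t:s0 '
       'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file')

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); 'a.b' is an inclusive category range."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int(hi[1:] if hi else lo[1:]) + 1))
    return int(sens[1:]), out

def parse_context(ctx):
    """Split user:role:type:range; a range without '-' has low == high."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"type": typ, "low": parse_level(low), "high": parse_level(high or low)}

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and the category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def triage(record):
    """Summarise one AVC denial and flag a possible MCS constraint failure."""
    m = re.search(r"denied\s+\{ ([^}]*) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)", record)
    if not m:
        raise ValueError("not an AVC denial")
    perms, src, tgt, tclass = m.groups()
    s, t = parse_context(src), parse_context(tgt)
    return {
        "perms": perms.split(), "tclass": tclass,
        "source_type": s["type"], "target_type": t["type"],
        # Categories in the target's high level that the source lacks.
        "missing_categories": len(t["high"][1] - s["high"][1]),
        # Assumed rule: source high level must dominate target high level.
        "mcs_suspect": not dominates(s["high"], t["high"]),
    }

if __name__ == "__main__":
    print(triage(AVC))
```

For the record in this thread the source runs at s0 with no categories while the pipe carries s0-s0:c0.c1023, so the check flags the denial as a candidate MCS constraint failure rather than a missing type rule.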
On Tue, 2009-07-21 at 07:57 -0400, Daniel J Walsh wrote:
> On 07/21/2009 12:18 AM, Edward Kuns wrote:
> > Just in the past few days I've received seven of this AVC complaint,
> > SELinux is preventing clamd.scan (system_cronjob_t) "write" crond_t.
> This looks like an MCS constraint problem. And looking at current selinux policy it should be fixed.
> Can you upgrade to the latest selinux policy in testing?
> yum upgrade --enablerepo=updates-testing selinux-policy-targeted
I tried this and got "No Packages marked for Update" ... does this depend on mirrors being up-to-date? I tried several times in case it would try different mirrors, but no luck.
Eddie
On 07/22/2009 02:46 PM, Edward Kuns wrote:
> On Tue, 2009-07-21 at 07:57 -0400, Daniel J Walsh wrote:
> > On 07/21/2009 12:18 AM, Edward Kuns wrote:
> > > Just in the past few days I've received seven of this AVC complaint,
> > > SELinux is preventing clamd.scan (system_cronjob_t) "write" crond_t.
> > This looks like an MCS constraint problem. And looking at current selinux policy it should be fixed.
> > Can you upgrade to the latest selinux policy in testing?
> > yum upgrade --enablerepo=updates-testing selinux-policy-targeted
> I tried this and got "No Packages marked for Update" ... does this depend on mirrors being up-to-date? I tried several times in case it would try different mirrors, but no luck.
> Eddie
For now you can download selinux-policy and selinux-policy-targeted rpms from koji.
Look at: http://koji.fedoraproject.org/koji/buildinfo?buildID=115151
And install using "rpm -Uvh selinux-policy-3.6.12-69.fc11.noarch.rpm selinux-policy-targeted-3.6.12-69.fc11.noarch.rpm"
On Wed, Jul 22, 2009 at 07:46:15 -0500, Edward Kuns <ekuns@kilroy.chi.il.us> wrote:
> On Tue, 2009-07-21 at 07:57 -0400, Daniel J Walsh wrote:
> > On 07/21/2009 12:18 AM, Edward Kuns wrote:
> > > Just in the past few days I've received seven of this AVC complaint,
> > > SELinux is preventing clamd.scan (system_cronjob_t) "write" crond_t.
> > This looks like an MCS constraint problem. And looking at current selinux policy it should be fixed.
> > Can you upgrade to the latest selinux policy in testing?
> > yum upgrade --enablerepo=updates-testing selinux-policy-targeted
> I tried this and got "No Packages marked for Update" ... does this depend on mirrors being up-to-date? I tried several times in case it would try different mirrors, but no luck.
Yes. You can get it directly from koji as a workaround. Also mirrors2.kernel.org is currently up to date.
On 07/21/2009 12:18 AM, Edward Kuns wrote:
> Just in the past few days I've received seven of this AVC complaint, and I haven't seen any of this complaint before that.
On Tue, 2009-07-21 at 07:57 -0400, Daniel J Walsh wrote:
> This looks like an MCS constraint problem. And looking at current selinux policy it should be fixed.
> Can you upgrade to the latest selinux policy in testing?
I was able to apply this upgrade. I currently have
selinux-policy-3.6.12-69.fc11.noarch
selinux-policy-targeted-3.6.12-69.fc11.noarch
If I don't see this AVC for a week, then I can be sure that the problem was fixed. Thanks.
Eddie