A couple times a day (23 times in 10 days), I get the following AVC:
Summary
    SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "search" to <Unknown> (bin_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/clamav-milter. It is not expected that this access is required by /usr/sbin/clamav-milter and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   23
First Seen                    Wed 20 Feb 2008 12:25:16 PM CST
Last Seen                     Thu 28 Feb 2008 09:11:28 PM CST
Local ID                      7eb02331-c2e4-4c65-a413-d283fbb7ca6f
Line Numbers
Raw Audit Messages
avc: denied { search } for comm=clamav-milter dev=dm-0 egid=486 euid=492 exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 name=bin pid=13663 scontext=system_u:system_r:clamd_t:s0 sgid=486 subj=system_u:system_r:clamd_t:s0 suid=492 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492
I assume that we want to allow clamav to scan anything on the system, yes? If I follow the advice from an earlier email and try the following:
grep clamav /var/log/audit/audit.log | audit2allow -M clamav
I get a file that contains:
module clamav 1.0;

require {
	type bin_t;
	type clamd_t;
	class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
Is this something that should be part of standard policy? Hmm, I try to install the above policy and get a complaint:
# semodule -i clamav.pp
libsepol.print_missing_requirements: clamav's global requirements were not met: type/attribute clamd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Any thoughts?
Thanks
Eddie
Edward Kuns wrote:
Always add a user-specified front end to your policy.

grep clamav /var/log/audit/audit.log | audit2allow -M MYclamav
semodule -i MYclamav.pp
Otherwise you are trying to replace the clamav.pp installed as part of selinux-policy.
This policy seems reasonable but most likely clamav-milter is going to /usr/bin to execute something. So you might end up needing either
corecmd_exec_bin(clamd_t)
Or some transition to another domain.
If you have an idea what app it is looking for, we can correct the policy.
On Fri, 2008-02-29 at 09:16 -0500, Daniel J Walsh wrote:
Always add a user-specified front end to your policy.
D'oh! That fixed it. Thanks.
This policy seems reasonable but most likely clamav-milter is going to /usr/bin to execute something. So you might end up needing either
corecmd_exec_bin(clamd_t)
Or some transition to another domain.
If you have an idea what app it is looking for, we can correct the policy.
How can I find out what it's looking for? As a test, I just added the policy:
module myclamav 1.0;

require {
	type bin_t;
	type clamd_t;
	class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
so if I understand this, you expect that I should later today get an AVC that clamav is trying to execute something that is bin_t? Assuming that's the case, I'll see what is there when I get home from work later and I'll post that. But if there's something else I can do to find out, let me know.
Thanks
Eddie
Edward Kuns wrote:
Nope, that is the best you can do. You could put your machine in permissive mode to get all of the AVCs but that could be dangerous. We hope to have permissive domains eventually, where we could allow clamd_t only to do its thing, but we don't have it yet.
Thanks for your help diagnosing this.
Interesting. After I enabled the last policy, I get one new AVC about lnk files. I make a new policy using the same method as before and now I get this policy:
module myclamav 1.0;

require {
	type bin_t;
	type clamd_t;
	class lnk_file read;
	class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
allow clamd_t bin_t:lnk_file read;
I'll let you know if more show up with the modified policy above applied. Here is the AVC:
Summary
    SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "read" to <Unknown> (bin_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/clamav-milter. It is not expected that this access is required by /usr/sbin/clamav-milter and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                None [ lnk_file ]
Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   4
First Seen                    Fri 29 Feb 2008 12:22:44 PM CST
Last Seen                     Fri 29 Feb 2008 07:56:45 PM CST
Local ID                      c5169662-b069-4270-84f8-a7aa4aa38100
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=clamav-milter dev=dm-0 egid=486 euid=492 exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 name=sh pid=2928 scontext=system_u:system_r:clamd_t:s0 sgid=486 subj=system_u:system_r:clamd_t:s0 suid=492 tclass=lnk_file tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=492
Well what do you know! Allowing bin_t dir search and lnk read, today I get the following AVC (cleaned up a bit). It looks like the clamav milter is trying to run a script. I am making the assumption that this script execution is valid.
Summary
    SELinux is preventing /usr/sbin/clamav-milter (clamd_t) "execute" to <Unknown> (shell_exec_t).

Additional Information

Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                None [ file ]
Affected RPM Packages         clamav-milter-0.92.1-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sat 01 Mar 2008 03:13:03 PM CST
Last Seen                     Sat 01 Mar 2008 03:13:03 PM CST
Local ID                      e5f2cc68-acf3-4cc6-8c75-c73e0863d49a
Line Numbers
Raw Audit Messages
avc: denied { execute } for comm=clamav-milter dev=dm-0 egid=486 euid=492 exe=/usr/sbin/clamav-milter exit=-13 fsgid=486 fsuid=492 gid=486 items=0 name=bash pid=22644 scontext=system_u:system_r:clamd_t:s0 sgid=486 subj=system_u:system_r:clamd_t:s0 suid=492 tclass=file tcontext=system_u:object_r:shell_exec_t:s0 tty=(none) uid=492
The now current policy with all changes mentioned before is:
module myclamav 1.0;

require {
	type shell_exec_t;
	type bin_t;
	type clamd_t;
	class lnk_file read;
	class file execute;
	class dir search;
}

#============= clamd_t ==============
allow clamd_t bin_t:dir search;
allow clamd_t bin_t:lnk_file read;
allow clamd_t shell_exec_t:file execute;

If I get anything new I will send another email. I'll also upgrade to the latest Fedora 8 selinux policy and setroubleshoot soon. :)
Eddie
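As an added illustration (not code from this thread, from audit2allow or from the selinux-policy project), here is a small Python parser that does what the grep | audit2allow -M step above does for these AVCs: it merges the denials into one rule per source type, target type and object class, renders the module, and lists the _exec_t targets that received a bare execute, which are the rules to reconsider as a domain transition (or an interface like corecmd_exec_bin) rather than a raw allow. The sample lines are trimmed copies of the raw audit messages quoted in the thread.

```python
import re
from collections import defaultdict
# Sample input: the three AVC denials quoted in this thread, trimmed to the fields that matter.
AVC_LINES = [
    "avc: denied { search } for comm=clamav-milter name=bin scontext=system_u:system_r:clamd_t:s0 "
    "tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none)",
    "avc: denied { read } for comm=clamav-milter name=sh scontext=system_u:system_r:clamd_t:s0 "
    "tclass=lnk_file tcontext=system_u:object_r:bin_t:s0 tty=(none)",
    "avc: denied { execute } for comm=clamav-milter name=bash scontext=system_u:system_r:clamd_t:s0 "
    "tclass=file tcontext=system_u:object_r:shell_exec_t:s0 tty=(none)",
]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}(.*)", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    # A context is user:role:type[:level]; the type is the third field.
    stype, ttype = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split())

def collect_rules(lines):
    # Merge denials into one permission set per (source, target, class) triple.
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_module(name, lines):
    """Render a TE module as audit2allow -M does; prefix `name` so it cannot replace a distro module."""
    rules = collect_rules(lines)
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for key in rules for t in key[:2]})]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)

def exec_targets(lines):
    # *_exec_t targets given a bare 'execute': review these for a domain transition instead.
    return sorted(t for (_, t, c), p in collect_rules(lines).items() if c == "file" and "execute" in p and t.endswith("_exec_t"))
```

Feeding a later denial on the same target (for example a getattr on shell_exec_t) merges into the existing rule as { execute getattr }, which is the incremental growth the thread shows.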
On Sat, 2008-03-01 at 15:22 -0600, Edward Kuns wrote:
It looks like the clamav milter is trying to run a script. I am making the assumption that this script execution is valid.
Yes. Looking further into logs, I get this AVC when clamav-milter detects an incoming virus, which explains why the timing of my getting these AVCs is so intermittent.
Eddie
It's taking a while to track down the full policy needed for clamav-milter to be able to detect a virus and react fully, as I have to wait until I receive a virus (sending out outgoing doesn't trigger the same results). Here is my current policy after a few rounds of adding another incremental rule:
module myclamav 1.0;

require {
	type shell_exec_t;
	type sendmail_exec_t;
	type clamd_t;
	class file { execute getattr };
}

#============= clamd_t ==============
allow clamd_t sendmail_exec_t:file { execute getattr };
allow clamd_t shell_exec_t:file getattr;
It looks like clamav-milter is running /usr/sbin/sendmail.sendmail via a bash script, but I haven't looked into the workings to really be sure.
Eddie