Hello, the freshclam daemon tries to download the updated virus definition to /var/clamav
The directory has the context drwxr-xr-x clamav clamav system_u:object_r:clamd_t clamav
I get the following error message type=AVC msg=audit(1222221728.847:3043): avc: denied { write } for pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222304223.589:82): avc: denied { write } for pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222304223.666:83): avc: denied { write } for pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222308125.673:100): avc: denied { write } for pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222308125.911:101): avc: denied { write } for pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
Using audit2allow I get module dummy 1.0;
require { type unconfined_t; type crond_t; type clamd_t; class dir write; }
#============= crond_t ============== allow crond_t clamd_t:dir write;
#============= unconfined_t ============== allow unconfined_t clamd_t:dir write;
My impression was that unconfined_ access allows a quite wide access but some testing showed me that without even root cannot create files in that directory. type=AVC msg=audit(1222590942.079:771): avc: denied { write } for pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0 ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch" subj=user_u:system_r:unconfined_t:s0 key=(null)
So my question, can I allow unconfined access and to which extend will this open the directory?
Best Regards
Sebastian Hennebrueder
Sebastian Hennebrueder wrote:
Hello, the freshclam daemon tries to download the updated virus definition to /var/clamav
The directory has the context drwxr-xr-x clamav clamav system_u:object_r:clamd_t clamav
A directory should not have a type of clamd_t, This is a processes type. You probably want to label this clamd_var_lib_t. Then everything should work.
You must have put this label on in permissive mode.
chcon -t clamd_var_lib_t /var/clamav
will fix the problem. Is this a standard directory for this? My policy expects you to use /var/lib/clamav? Although I just saw mention of this directory in debian policy.
I get the following error message type=AVC msg=audit(1222221728.847:3043): avc: denied { write } for pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222304223.589:82): avc: denied { write } for pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222304223.666:83): avc: denied { write } for pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222308125.673:100): avc: denied { write } for pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=AVC msg=audit(1222308125.911:101): avc: denied { write } for pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
Using audit2allow I get module dummy 1.0;
require { type unconfined_t; type crond_t; type clamd_t; class dir write; }
#============= crond_t ============== allow crond_t clamd_t:dir write;
#============= unconfined_t ============== allow unconfined_t clamd_t:dir write;
My impression was that unconfined_ access allows a quite wide access but some testing showed me that without even root cannot create files in that directory. type=AVC msg=audit(1222590942.079:771): avc: denied { write } for pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0 ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch" subj=user_u:system_r:unconfined_t:s0 key=(null)
So my question, can I allow unconfined access and to which extend will this open the directory?
Best Regards
Sebastian Hennebrueder
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
selinux@lists.fedoraproject.org