Harald Oehlmann 10-02-2012 08:19 AM

SELinux, Amavis, Clamav
 
Regarding the brilliant wiki site:

http://wiki.centos.org/HowTos/Amavisd?highlight=%28Amavis%29

I faced the following issue on CentOS 6.2:

"Spamassind" saves each message and its attached part in a folder in
clamd accesses the folder, creates itself a temporary folder and deletes
it afterwards. This was stopped by SELinux and caused the virus scan to
fail.

This action causes SELinux issues like (this is a saved message while
already in the process, the first would cause a "permission denied" on
the "parts" folder):

Sep 30 15:47:10 rose amavis[14709]: (14709-08) (!)run_av
(ClamAV-clamscan) FAILED - unexpected exit 2,
output="/var/amavis/tmp/amavis-20120930T154701-14709/parts/p002: Can't
create temporary directory
ERROR
/var/amavis/tmp/amavis-20120930T154701-14709/parts/p001: OK"

Here is an SELinux failure message:

Sep 30 15:54:53 (null) (null): audit(1349013293.978:90934): avc: denied
{ remove_name } for pid=19832 comm=clamscan
name=clamav-9e9d055254e79e18d8f8592eeee57a53 ino=655768 dev=dm-0
scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir

I had found two web pointers with this issue, but no solutions:

Here is my solution, which is proposed to be inserted in Chapter 5: SELinux:

* create file:
--se_clamav_amavis.te--
# ***HaO 2012-09-30: add rule to allow clamav to access amavis files
# and writes back ok file and may create temp folder
module clamscanamavis 1.0;

require {
    type clamscan_t;
    type amavis_var_lib_t;
    class file { getattr read open write create unlink };
    class dir { search read getattr open write add_name create setattr remove_name rmdir };
}

allow clamscan_t amavis_var_lib_t:file { getattr read open write create unlink };
allow clamscan_t amavis_var_lib_t:dir { search read getattr open write add_name create setattr remove_name rmdir };
-EOF-
* checkmodule -M -m -o se_clamav_amavis.mod se_clamav_amavis.te
* semodule_package -o se_clamav_amavis.pp -m se_clamav_amavis.mod
* semodule -i se_clamav_amavis.pp

---
N.B. I am just migrating from SuSE to CentOS and this is my first
contact with SELinux. I have *no idea* if this is the appropriate
approach to solve the issue. I have found this out by trial and error
and not by the audit method (which sounds incredibly complicated, as does
the whole of SELinux).

---
N.B. I was not able to edit the wiki nor leave something like a
discussion comment, strange wiki...

Thank you,
Harald
_______________________________________________
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs
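
The "audit method" mentioned in the post derives the rules from the logged denials, so the module grants only what was actually refused. The Python script below is an added example, not part of the original post or the CentOS wiki: it parses AVC records such as the one quoted above and renders a matching policy module. The second log record is constructed for illustration and the module name clamscanamavis_min is hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: record 1 is the denial quoted in the post, rejoined onto one
# line; record 2 is an invented follow-up denial for illustration.
SAMPLE_LOG = (
    "Sep 30 15:54:53 (null) (null): audit(1349013293.978:90934): avc: denied "
    "{ remove_name } for pid=19832 comm=clamscan "
    "name=clamav-9e9d055254e79e18d8f8592eeee57a53 ino=655768 dev=dm-0 "
    "scontext=system_u:system_r:clamscan_t:s0 "
    "tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir\n"
    "Sep 30 15:54:54 (null) (null): audit(1349013294.101:90935): avc: denied "
    "{ write add_name } for pid=19833 comm=clamscan name=parts ino=655700 dev=dm-0 "
    "scontext=system_u:system_r:clamscan_t:s0 "
    "tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir\n"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)"
)

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        # The SELinux type is the third field of user:role:type[:level].
        src, tgt = (m[g].split(":")[2] for g in ("scon", "tcon"))
        denials[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(denials)

def render_module(name, denials, version="1.0"):
    """Render a .te module that allows exactly the collected denials."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (src, tgt, tclass), perms in sorted(denials.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("clamscanamavis_min", collect_denials(SAMPLE_LOG)))
```

In enforcing mode an operation stops at its first denied permission, so the log is only complete once the scan has been exercised with the clamscan_t domain in permissive mode. The rendered text can then be built and loaded with the same checkmodule, semodule_package and semodule steps listed in the post.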

