09-28-2008, 08:37 AM
Sebastian Hennebrueder
cron_t freshclam

Hello,
the freshclam daemon tries to download the updated virus definitions to
/var/clamav

The directory has the context
drwxr-xr-x clamav clamav system_u:object_r:clamd_t clamav

I get the following error messages:
type=AVC msg=audit(1222221728.847:3043): avc: denied { write } for
pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.589:82): avc: denied { write } for
pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.666:83): avc: denied { write } for
pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222308125.673:100): avc: denied { write } for
pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222308125.911:101): avc: denied { write } for
pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:clamd_t:s0 tclass=dir


Using audit2allow I get:
module dummy 1.0;

require {
type unconfined_t;
type crond_t;
type clamd_t;
class dir write;
}

#============= crond_t ==============
allow crond_t clamd_t:dir write;

#============= unconfined_t ==============
allow unconfined_t clamd_t:dir write;


My impression was that unconfined_t allows quite wide access, but
some testing showed me that even root cannot create files in
that directory.
type=AVC msg=audit(1222590942.079:771): avc: denied { write } for
pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2
success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0
ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch"
subj=user_u:system_r:unconfined_t:s0 key=(null)


So my question: can I allow unconfined access, and to what extent will
this open the directory?


Best Regards

Sebastian Hennebrueder

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
09-29-2008, 02:54 PM
Daniel J Walsh
cron_t freshclam

Sebastian Hennebrueder wrote:
> Hello,
> the freshclam daemon tries to download the updated virus definitions to
> /var/clamav
>
> The directory has the context
> drwxr-xr-x clamav clamav system_u:object_r:clamd_t clamav
>
A directory should not have a type of clamd_t; this is a process
type. You probably want to label this clamd_var_lib_t. Then everything
should work.

You must have put this label on in permissive mode.

chcon -t clamd_var_lib_t /var/clamav

will fix the problem. Is this a standard directory for this? My policy
expects you to use /var/lib/clamav? Although I just saw mention of this
directory in the Debian policy.


> I get the following error messages:
> type=AVC msg=audit(1222221728.847:3043): avc: denied { write } for
> pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222304223.589:82): avc: denied { write } for
> pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222304223.666:83): avc: denied { write } for
> pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222308125.673:100): avc: denied { write } for
> pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=AVC msg=audit(1222308125.911:101): avc: denied { write } for
> pid=7622 comm="freshclam" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
>
> Using audit2allow I get:
> module dummy 1.0;
>
> require {
> type unconfined_t;
> type crond_t;
> type clamd_t;
> class dir write;
> }
>
> #============= crond_t ==============
> allow crond_t clamd_t:dir write;
>
> #============= unconfined_t ==============
> allow unconfined_t clamd_t:dir write;
>
>
> My impression was that unconfined_t allows quite wide access, but
> some testing showed me that even root cannot create files in
> that directory.
> type=AVC msg=audit(1222590942.079:771): avc: denied { write } for
> pid=27753 comm="touch" name="clamav" dev=dm-1 ino=522241
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:clamd_t:s0 tclass=dir
> type=SYSCALL msg=audit(1222590942.079:771): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffc9188c93 a1=941 a2=1b6 a3=3ff8d4e0ec items=0
> ppid=25482 pid=27753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=96 comm="touch" exe="/bin/touch"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> So my question: can I allow unconfined access, and to what extent will
> this open the directory?
>
> Best Regards
>
> Sebastian Hennebrueder
>

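As an added illustration (not code from the thread or from the SELinux tools), the following Python reads AVC records like those Sebastian pasted, collapses them into the allow rules audit2allow would print, and flags the situation Dan points out: a file-system object carrying a process domain type, where relabeling rather than an allow rule is the fix. The sample audit lines and the DOMAIN_TYPES set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC denials quoted in the thread plus a SYSCALL record to ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1222221728.847:3043): avc: denied { write } for pid=10192 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=AVC msg=audit(1222304223.589:82): avc: denied { write } for pid=6100 comm="freshclam" name="clamav" dev=dm-1 ino=522241 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_t:s0 tclass=dir
type=SYSCALL msg=audit(1222304223.589:82): arch=c000003e syscall=2 success=no exit=-13 comm="freshclam"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: on a real system the process-domain types come from the loaded policy
# (types carrying the `domain` attribute); this constructed set covers the thread's types.
DOMAIN_TYPES = {"clamd_t", "crond_t", "unconfined_t"}

def context_type(ctx):
    """Return the type, i.e. the third colon-separated field of an SELinux context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every 'avc: denied' line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))

def allow_rules(text):
    """Merge denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

def mislabel_warnings(text):
    """Flag file objects labelled with a process domain: relabel them, do not allow."""
    warnings = set()
    for src, tgt, cls, _ in parse_denials(text):
        if tgt in DOMAIN_TYPES and cls in {"dir", "file", "lnk_file", "sock_file", "fifo_file"}:
            warnings.add(f"{cls} labelled {tgt} is a process domain; relabel it rather than allowing {src}")
    return sorted(warnings)
```

Run against the sample, allow_rules() reproduces the two rules audit2allow printed for Sebastian, while mislabel_warnings() reports that /var/clamav should be relabelled (to clamd_var_lib_t, per Dan's reply) instead of loading those rules.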