12-01-2007, 06:49 AM
John Griffiths

selinux preventing clamd and amavisd even in Permissive

I am getting numerous AVCs from setroubleshoot when clamd and
amavisd try to operate. Even with selinux in Permissive mode, the actions
are still prevented.


I did a touch /.autorelabel before reporting this. The problem still occurs.

An example:

Summary
SELinux is preventing /usr/bin/clamscan (clamscan_t) "read" to <Unknown>
(amavis_spool_t).

Detailed Description
SELinux denied access requested by /usr/bin/clamscan. It is not expected
that this access is required by /usr/bin/clamscan and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to
allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385

Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information


Source Context         system_u:system_r:clamscan_t
Target Context         system_u:object_r:amavis_spool_t
Target Objects         None [ dir ]
Affected RPM Packages  clamav-0.91.2-3.fc8 [application]
Policy RPM             selinux-policy-3.0.8-56.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            plugins.catchall_file
Host Name              joe
Platform               Linux joe 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count            7
First Seen             Sat 01 Dec 2007 02:13:33 AM EST
Last Seen              Sat 01 Dec 2007 02:23:33 AM EST
Local ID               d41e6d82-4a90-48ee-a554-3c557f6cfe61
Line Numbers

Raw Audit Messages


avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495
exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0
name=clamav-f1269664cac0bef43a67b3a6dbae41b8 pid=2785
scontext=system_u:system_r:clamscan_t:s0 sgid=490
subj=system_u:system_r:clamscan_t:s0 suid=495 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495

There are others, but selinux should only log the AVCs in Permissive.
Right? But the selinux system is actually doing denials. The email
system will not work since the emails cannot be virus checked. Glad this
is a test installation.


There was a problem in Fedora Core 6 with Postfix, amavisd, and clamd as
I remember it, but it would run in Permissive.


I will post all the AVCs later, but I thought this was important.

Regards,
John

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-01-2007, 01:51 PM
John Dennis

> There are others, but selinux should only log the AVCs in Permissive.
> Right? But the selinux system is actually doing denials.


Just for clarification, setroubleshoot will still report a denial in
permissive mode because it is logged as a denial by the audit system,
however the action should still be permitted.


There is an open bug report requesting the text in the setroubleshoot
message to be modified when the system is in permissive mode to say
"SELinux would have denied" instead of denied. We're going to be fixing
that, it's not quite as trivial as it seems because all the messages
have been translated into other languages so you can't just do a simple
string substitution and retain correct grammar in another language, but
we will be fixing this one way or another.


In theory if your spam filtering is not working it shouldn't be
because SELinux is actually denying anything because you're in
permissive mode. I would first look elsewhere. I'm not saying it's
impossible it's SELinux, but because you're in permissive mode it's very
unlikely.

--
John Dennis <jdennis@redhat.com>

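An added example, not written by any poster in this thread and not part of setroubleshoot: a small triage helper that reads a denial record like the one in the first post and reports whether the operation was actually blocked or only logged. It relies on `exit` and `success` being the syscall result fields that the audit system records alongside the AVC, and on the `permissive=` field that newer kernels append to AVC records; the sample records are constructed from the message quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the raw audit message from the first post, abridged and
# joined onto one line, with the mangled "system_u:object_r" restored.
THREAD_AVC = (
    "avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495 "
    "exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0 "
    "name=clamav-f1269664cac0bef43a67b3a6dbae41b8 pid=2785 "
    "scontext=system_u:system_r:clamscan_t:s0 tclass=dir "
    "tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495"
)
# Constructed variants: the same event as it would look if the call had failed
# with EACCES (-13), and a newer-kernel style AVC carrying permissive=1.
ENFORCED_AVC = THREAD_AVC.replace("exit=6", "exit=-13")
MODERN_AVC = ('type=AVC msg=audit(1196493213.000:42): avc:  denied  { read } '
              'for pid=2785 comm="clamscan" name="tmp" '
              'scontext=system_u:system_r:clamscan_t:s0 '
              'tcontext=system_u:object_r:amavis_spool_t:s0 '
              'tclass=dir permissive=1')

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_avc(record):
    """Return the key=value fields of an AVC denial, or None if it is not one."""
    m = PERMS.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    fields["perms"] = m.group(1).split()
    return fields

def access_blocked(fields):
    """True = the operation failed, False = logged only, None = cannot tell."""
    if "permissive" in fields:            # newer kernels state it directly
        return fields["permissive"] == "0"
    if "success" in fields:               # SYSCALL record field: yes / no
        return fields["success"] == "no"
    m = re.match(r"-?\d+", fields.get("exit", ""))
    if m:                                 # syscall return value; < 0 is an errno
        return int(m.group()) < 0
    return None

def verdict(record):
    """One-line summary: source type -> target type:class { perms }: outcome."""
    f = parse_avc(record)
    if f is None:
        return "not an AVC denial"
    src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    state = {True: "blocked", False: "logged only", None: "undetermined"}
    perms = " ".join(f["perms"])
    return f"{src} -> {tgt}:{f['tclass']} {{ {perms} }}: {state[access_blocked(f)]}"
```

For the record quoted in the first post, `exit=6` is a non-negative return value, so the helper reports the read as logged only.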
 
12-01-2007, 03:57 PM
John Griffiths

John Dennis wrote:

>> There are others, but selinux should only log the AVCs in Permissive.
>> Right? But the selinux system is actually doing denials.
>
> Just for clarification, setroubleshoot will still report a denial in
> permissive mode because it is logged as a denial by the audit system,
> however the action should still be permitted.

I am aware of that. The problem is the action IS being denied even in
Permissive mode.

> There is an open bug report requesting the text in the setroubleshoot
> message to be modified when the system is in permissive mode to say
> "SELinux would have denied" instead of denied. We're going to be fixing
> that, it's not quite as trivial as it seems because all the messages
> have been translated into other languages so you can't just do a simple
> string substitution and retain correct grammar in another language, but
> we will be fixing this one way or another.
>
> In theory if your spam filtering is not working it shouldn't be
> because SELinux is actually denying anything because you're in
> permissive mode. I would first look elsewhere. I'm not saying it's
> impossible it's SELinux, but because you're in permissive mode it's
> very unlikely.

Again, I truly believe it is selinux.



For example, clamd tries to open a socket in /var/spool/amavisd. On my
Fedora 7 system I get:

[root@gei ~]# l -Z /var/spool/amavisd/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   ./
drwxr-xr-x  root   root   system_u:object_r:var_spool_t      ../
srwxr-x---  amavis amavis system_u:object_r:amavis_var_run_t amavisd.sock=
srwxrwxrwx  amavis amavis system_u:object_r:clamd_var_run_t  clamd.sock=
drwx------  amavis amavis system_u:object_r:amavis_spool_t   db/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   quarantine/
drwxr-x---  amavis amavis system_u:object_r:amavis_spool_t   .razor/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   .spamassassin/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   tmp/
[root@gei ~]# uname -a
Linux gei 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 21:09:24 EDT 2007 i686 i686 i386 GNU/Linux
[root@gei ~]# getenforce
Enforcing
[root@gei ~]#


On the Fedora 8 system, I get:

[root@joe ~]# getenforce
Permissive
[root@joe ~]# l -Z /var/spool/amavisd/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   ./
drwxr-xr-x  root   root   system_u:object_r:var_spool_t      ../
srwxr-x---  amavis amavis system_u:object_r:amavis_var_run_t amavisd.sock=
drwx------  amavis amavis system_u:object_r:amavis_spool_t   db/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   quarantine/
drwxr-x---  amavis amavis system_u:object_r:amavis_spool_t   .razor/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   .spamassassin/
drwx------  amavis amavis system_u:object_r:amavis_spool_t   tmp/
[root@joe ~]# uname -a
Linux joe 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686 i386 GNU/Linux




Notice that there is no socket created by clamd even in permissive
mode. The following is from the maillog:

Dec  1 11:49:45 joe postfix/smtp[8576]: 2523B38687C:
to=<root@grifent.com>, orig_to=<root>,
relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=34207,
delays=34175/23/0/9, dsn=4.5.0, status=deferred (host
127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing,
id=08570-02-2, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS
FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x80de630) Too many retries to talk to
/var/spool/amavisd/clamd.sock (Can't connect to UNIX socket
/var/spool/amavisd/clamd.sock: No such file or directory) at
(eval 55) line 310. at (eval 55) line 511.; ClamAV-clamscan av-scanner
FAILED: /usr/bin/clamscan unexpected exit 50, output="LibClamAV Error:
cli_loaddb(): No supported database files found in /var/lib/clamav/
451-4.5.0 daily.inc 451 4.5.0 ERROR: Not supported data format" at
(eval 55) line 511. (in reply to end of DATA command))


Notice it cannot connect to the socket because it does not exist. That
confirms that the creation of the socket is being denied in my opinion.



That is why I didn't bother with the rest of the AVCs yet, since I
probably don't have them all without being able to successfully run in
Permissive mode to collect them for startup and shutdown.



Regards,

John




 
12-02-2007, 12:47 AM
John Griffiths

OK. I am baffled. I went out to do some shopping and when I came back,
everything was working. And no one else was working on the system
either. There are a couple of AVCs but they don't seem to affect anything.

Oh well. I must remind myself; computers only do what they are
programmed to do ... computers only do what they are programmed to do
... computers only do what they are programmed to do ... computers only
do what they are programmed to do ...

Sorry for the alarm.

Regards,
John



 
12-02-2007, 10:01 PM
John Griffiths

I think I figured it out.

I had not configured freshclam yet. Even though clamav had the default
virus databases from clamav-data.i386, clamav system would not start
until freshclam had updated the databases. I configured freshclam before
I went out. Apparently, when cron updated the virus databases, clamav
started normally and opened the missing socket and the email system
started working properly.


At least this is my best deduction.

I don't remember having to have freshclam configured for updates prior
to email working in Fedora 7. Guess this is a question for a different
list, but I just wanted to put things to rest.


Regards,
John

 
12-03-2007, 03:22 PM
Daniel J Walsh

John Griffiths wrote:
> I think I figured it out.
>
> I had not configured freshclam yet. Even though clamav had the default
> virus databases from clamav-data.i386, clamav system would not start
> until freshclam had updated the databases. I configured freshclam before
> I went out. Apparently, when cron updated the virus databases, clamav
> started normally and opened the missing socket and the email system
> started working properly.
>
> At least this is my best deduction.
>
> I don't remember having to have freshclam configured for updates prior
> to email working in Fedora 7. Guess this is a question for a different
> list, but I just wanted to put things to rest.
>
> Regards,
> John

In permissive mode, SELinux will not prevent anything from happening
although it will report avc messages like it did. setroubleshoot will
still interpret these messages like SELinux had prevented the access.

 
12-03-2007, 03:56 PM
John Griffiths

I realize now that it was not selinux preventing the socket from being
created. The combination of symptoms seemed to indicate that selinux was
the culprit when in reality, it was clamav and freshclam.


Thanks for the reply.

Regards,
John

Daniel J Walsh wrote:

> John Griffiths wrote:
>> I think I figured it out.
>>
>> I had not configured freshclam yet. Even though clamav had the default
>> virus databases from clamav-data.i386, clamav system would not start
>> until freshclam had updated the databases. I configured freshclam before
>> I went out. Apparently, when cron updated the virus databases, clamav
>> started normally and opened the missing socket and the email system
>> started working properly.
>>
>> At least this is my best deduction.
>>
>> I don't remember having to have freshclam configured for updates prior
>> to email working in Fedora 7. Guess this is a question for a different
>> list, but I just wanted to put things to rest.
>>
>> Regards,
>> John
>
> In permissive mode, SELinux will not prevent anything from happening
> although it will report avc messages like it did. setroubleshoot will
> still interpret these messages like SELinux had prevented the access.


