[users] clamav/clamd selinux problems

Jan-Frode Myklebust janfrode at tanso.net
Thu Jul 19 22:54:03 CEST 2007


A little late follow-up.. but I think you're attacking this problem the
wrong way. Your clamd selinux module opens up for clamd to access a lot of
files it shouldn't need to access:

These two are probably no danger, but clamd starts fine without:

         allow clamd_t sysctl_kernel_t:dir search;
         allow clamd_t sysctl_kernel_t:file read;

These seem very strange:

         allow semanage_t auditd_log_t:dir search;
         allow useradd_t var_log_t:file { read write };

And these open up clamd to read/write/delete a lot it shouldn't need to.

         allow clamd_t var_t:file { create getattr lock write read unlink };
         allow clamd_t var_t:dir { read write add_name remove_name};
         allow clamd_t tmp_t:sock_file { create unlink write };

Instead of modifying the selinux policy, I think it would be much better to
fix the clamd (and the RPM) to use /var/lib/clamav as its DatabaseDirectory
(instead of /var/clamav), and use /var/spool/amavisd/clamd.sock as
LocalSocket (instead of /tmp/clamd.socket). Then the clamd process would be
properly contained by the RHEL5 selinux policy.


  -jf


Quoted in full since it's over a month old :-)

On 6/14/07, Rodrigo Barbosa <rodrigob at darkover.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, Jun 14, 2007 at 01:52:07PM -0300, Rodrigo Barbosa wrote:
> > While trying to use rf's packages for clamav/clamd on a CentOS 5
> > box with selinux (targeted) enabled, I ran into several problems.
> >
> > These problems were solved with the following type enforcement file.
> > Hope you find it useful.
> >
> > ===CUT===
> > module clamd 1.0.2;
>
> Ok, sorry about that. That te file still didn't solve all the problems
> (freshclam this time). New one:
>
> module clamd 1.0.5;
>
> require {
>         class dir { read search write add_name remove_name};
>         class file { read write create getattr lock unlink };
>         class sock_file { create unlink write };
>         type auditd_log_t;
>         type clamd_t;
>         type semanage_t;
>         type sysctl_kernel_t;
>         type useradd_t;
>         type var_log_t;
>         type var_t;
>         type tmp_t;
>         role system_r;
> };
>
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
> allow semanage_t auditd_log_t:dir search;
> allow useradd_t var_log_t:file { read write };
> allow clamd_t var_t:file { create getattr lock write read unlink };
> allow clamd_t var_t:dir { read write add_name remove_name};
> allow clamd_t tmp_t:sock_file { create unlink write };
>
> - --
> Rodrigo Barbosa
> "Quid quid Latine dictum sit, altum viditur"
> "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFGcXOZpdyWzQ5b5ckRAo5aAJ9eie8c013mYILRTR0b7+G3JtnveACgmBkt
> vCNdauWBoeYrsOQQBpVS3JI=
> =zQ6t
> -----END PGP SIGNATURE-----
> _______________________________________________
> users mailing list
> users at lists.rpmforge.net
> http://lists.rpmforge.net/mailman/listinfo/users
>
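An added example, not from the thread or from either poster: a small Python checker that parses the `allow` rules of a hand-written .te module and flags the two patterns the reply above objects to, rules whose source domain is not the module's own subject (`semanage_t`, `useradd_t`), and rules that grant write-class access to broad generic types such as `var_t` and `tmp_t`. The `BROAD_TYPES` and `WRITE_PERMS` sets are assumptions chosen for this example; the sample input is the clamd 1.0.5 module quoted above.

```python
import re

# Regex for a single SELinux allow rule: allow <src> <tgt>:<class> <perm|{perms}>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE)

# Generic types shared by many services. An allow rule on one of these widens a
# daemon's reach across the whole tree; relabelling the path the daemon really
# uses is normally the right fix. (Assumption: starting list, not exhaustive.)
BROAD_TYPES = {"var_t", "tmp_t", "var_log_t", "usr_t", "etc_t"}

# Permissions that let a domain modify or remove objects, as opposed to read them.
WRITE_PERMS = {"write", "create", "unlink", "add_name", "remove_name",
               "append", "rename", "setattr"}

# Constructed sample: the module posted in the quoted message.
SAMPLE_TE = """
module clamd 1.0.5;

require {
        class dir { read search write add_name remove_name};
        class file { read write create getattr lock unlink };
        class sock_file { create unlink write };
        type auditd_log_t;
        type clamd_t;
        type semanage_t;
        type sysctl_kernel_t;
        type useradd_t;
        type var_log_t;
        type var_t;
        type tmp_t;
        role system_r;
};

allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow semanage_t auditd_log_t:dir search;
allow useradd_t var_log_t:file { read write };
allow clamd_t var_t:file { create getattr lock write read unlink };
allow clamd_t var_t:dir { read write add_name remove_name};
allow clamd_t tmp_t:sock_file { create unlink write };
"""


def parse_allow_rules(te_text):
    """Return a list of (source, target, class, permission-set) tuples."""
    rules = []
    for match in ALLOW_RE.finditer(te_text):
        src, tgt, cls, perms = match.groups()
        if perms.startswith("{"):
            perm_set = set(perms.strip("{} ").split())
        else:
            perm_set = {perms}
        rules.append((src, tgt, cls, perm_set))
    return rules


def audit(te_text, subject):
    """Flag rules that do not belong in a module meant to confine `subject`.

    Returns a list of (finding-kind, rule-text) pairs:
      foreign-domain : the rule's source is some other domain entirely
      broad-write    : the subject gets write-class access to a generic type
    """
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if src != subject:
            findings.append(("foreign-domain", rule))
        elif tgt in BROAD_TYPES and perms & WRITE_PERMS:
            findings.append(("broad-write", rule))
    return findings


if __name__ == "__main__":
    for kind, rule in audit(SAMPLE_TE, "clamd_t"):
        print(f"{kind:15} {rule}")
```

Run against the sample, the checker reports the two rules for other domains and the three `var_t`/`tmp_t` write rules, while leaving the read-only `sysctl_kernel_t` rules alone; that matches the reply's point that the fix belongs in clamd's paths and file contexts, not in a wider policy.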