[users] clamav/clamd selinux problems
Rodrigo Barbosa
rodrigob at darkover.org
Thu Jul 19 23:45:57 CEST 2007
On Thu, Jul 19, 2007 at 10:54:03PM +0200, Jan-Frode Myklebust wrote:
> A little late follow-up... but I think you're attacking this problem the wrong
> way. Your clamd selinux module opens up access for clamd to a lot of files it
> shouldn't need to access:
>
> These two are probably no danger, but clamd starts fine without:
>
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
>
> These seem very strange:
>
> allow semanage_t auditd_log_t:dir search;
> allow useradd_t var_log_t:file { read write };
>
> And these open up clamd to read/write/delete a lot it shouldn't need to.
>
> allow clamd_t var_t:file { create getattr lock write read unlink };
> allow clamd_t var_t:dir { read write add_name remove_name};
> allow clamd_t tmp_t:sock_file { create unlink write };
>
> Instead of modifying the selinux policy, I think it would be much better to fix
> the clamd (and the RPM) to use /var/lib/clamav as its DatabaseDirectory
> (instead of /var/clamav), and use /var/spool/amavisd/clamd.sock as LocalSocket
> (instead of /tmp/clamd.socket). Then the clamd process would be properly
> contained by the RHEL5 selinux policy.
>
> Quoted in full since it's over a month old :-)
Yes, it's been over a month, but I have been facing these issues frequently.
Changing the way clamd is built (the package), or maybe even making some
small patches (if needed) is the right way to go, without a doubt. Maybe
even creating a new selinux type group, although I have not found out how
to do it (didn't look very hard, to tell the truth).
My solution is mostly a workaround, nothing definitive. It is a way to
enable you to run clamd without turning selinux off. Actually, I find
it amazing how often people simply turn selinux off. Especially now.
I could understand it on CentOS 4, but not on 5. Selinux modules really
make life easier.
Anyway, I might get back to this in the future. Anyone else reading
this, take Jan-Frode's words and what I wrote as a warning. My rules
are simply a WORKAROUND. Not a solution. Nothing definitive.
[]s
> On 6/14/07, Rodrigo Barbosa <rodrigob at darkover.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, Jun 14, 2007 at 01:52:07PM -0300, Rodrigo Barbosa wrote:
> > While trying to use rf's packages for clamav/clamd on a CentOS 5
> > box with selinux (targeted) enabled, I ran into several problems.
> >
> > These problems were solved with the following type enforcement file.
> > Hope you find it useful.
> >
> > ===CUT===
> > module clamd 1.0.2;
>
> Ok, sorry about that. That te file still didn't solve all the problems
> (freshclam this time). New one:
>
> module clamd 1.0.5;
>
> require {
> class dir { read search write add_name remove_name };
> class file { read write create getattr lock unlink };
> class sock_file { create unlink write };
> type auditd_log_t;
> type clamd_t;
> type semanage_t;
> type sysctl_kernel_t;
> type useradd_t;
> type var_log_t;
> type var_t;
> type tmp_t;
> role system_r;
> };
>
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
> allow semanage_t auditd_log_t:dir search;
> allow useradd_t var_log_t:file { read write };
> allow clamd_t var_t:file { create getattr lock write read unlink };
> allow clamd_t var_t:dir { read write add_name remove_name };
> allow clamd_t tmp_t:sock_file { create unlink write };
>
> -- 
> Rodrigo Barbosa
> "Quid quid Latine dictum sit, altum viditur"
> "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
>
-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
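A small policy-review helper, added here as an illustration and not part of the thread or of the rpmforge package: it parses the `allow` rules of the clamd 1.0.5 module quoted above and flags exactly the two classes of rule Jan-Frode objects to, rules whose source domain is not clamd_t at all, and rules that grant write-class permissions on generic container types such as var_t and tmp_t. The module text, the GENERIC_TYPES and WRITE_PERMS sets and the function names are this example's own assumptions.

```python
import re

# The 1.0.5 module from the thread, embedded as the sample input (require block omitted).
TE_MODULE = """
module clamd 1.0.5;
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow semanage_t auditd_log_t:dir search;
allow useradd_t var_log_t:file { read write };
allow clamd_t var_t:file { create getattr lock write read unlink };
allow clamd_t var_t:dir { read write add_name remove_name};
allow clamd_t tmp_t:sock_file { create unlink write };
"""

# allow <source> <target>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Generic container types (assumed list): a per-service policy should confine
# the daemon to a dedicated type such as the one the RHEL5 policy gives clamd.
GENERIC_TYPES = {"var_t", "tmp_t", "var_log_t"}
# Permissions that let a domain modify or remove content (assumed list).
WRITE_PERMS = {"write", "create", "unlink", "add_name", "remove_name",
               "rename", "append", "setattr"}


def parse_allow_rules(text):
    """Return (source, target, class, set_of_perms) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def review_module(text, subject_domain):
    """Flag rules that a module confining `subject_domain` should not carry."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(text):
        rule = f"allow {src} {tgt}:{cls}"
        if src != subject_domain:
            findings.append((rule, "source is not the module's subject domain"))
        elif tgt in GENERIC_TYPES and perms & WRITE_PERMS:
            findings.append((rule, f"write access to generic type {tgt}; "
                                   "relabel the path to a clamd-specific type instead"))
    return findings


if __name__ == "__main__":
    for rule, why in review_module(TE_MODULE, "clamd_t"):
        print(f"{rule}: {why}")
```

The two read-only sysctl_kernel_t rules pass untouched, which matches the thread's assessment that they are harmless even if unnecessary.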