[users] clamav/clamd selinux problems
Jan-Frode Myklebust
janfrode at tanso.net
Mon Jul 23 15:20:43 CEST 2007
On 7/20/07, Dag Wieers <dag at wieers.com> wrote:
> > > The more it is being discussed, the sooner I will have something that
> > > I'm confident in.
OK, some more data on what we needed to do to get amavisd-new clamav
and postfix working together on RHEL5 with selinux in default targeted
mode.
- In /etc/clamd.conf, set DatabaseDirectory /var/lib/clamav
- Move /var/clamav to /var/lib/clamav and make sure file contexts are
correct by "restorecon /var/lib/clamav"
- In /etc/clamd.conf, set LocalSocket /var/spool/amavisd/clamd.sock
- Create the dir for this socket, writeable by group amavis (which
includes user clamav):
mkdir /var/spool/amavisd/ ; chown amavis:amavis /var/spool/amavisd/
chmod g+w /var/spool/amavisd/ ; restorecon /var/spool/amavisd
selinux mods for clamd:
-----------------------------------------------------------------------------------
module clamav_rf 1.0;
require {
class dir search;
class file { getattr read };
type clamd_t;
type proc_t;
type sysctl_kernel_t;
role system_r;
};
# Read /proc/meminfo
allow clamd_t proc_t:file {read getattr};
# Read /proc/sys/kernel/ngroups_max:
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
-----------------------------------------------------------------------------------
amavisd-new falls back to clamscan, which needs the following selinux module:
-----------------------------------------------------------------------------------
module clamscan_rf 1.0;
require {
class dir {search getattr read};
class file {read getattr};
type amavis_var_lib_t;
type clamscan_t;
type proc_t;
role system_r;
};
# Read /proc/meminfo:
allow clamscan_t proc_t:file {read getattr};
# Read files under /var/amavis to scan them:
allow clamscan_t amavis_var_lib_t:dir {search getattr read };
allow clamscan_t amavis_var_lib_t:file {getattr read};
-----------------------------------------------------------------------------------
And finally a small module to let amavisd-new list /var/lib/ and bind
to 10024/tcp:
-----------------------------------------------------------------------------------
module amavis_rf 1.0;
require {
class dir search;
class netlink_route_socket {create bind getattr write nlmsg_read read};
type amavis_t;
type var_lib_t;
role system_r;
};
# Silly, but amavisd wants this:
allow amavis_t var_lib_t:dir search;
# Bind to tcp socket:
allow amavis_t self:netlink_route_socket {create bind getattr write nlmsg_read read};
-----------------------------------------------------------------------------------
And fix freshclam to use /var/lib/clamav instead of /var/clamav by
specifying "DatabaseDirectory /var/lib/clamav" in /etc/freshclam.conf
and "--datadir=/var/lib/clamav" in /etc/cron.*/freshclam.
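As an added example (not part of Jan-Frode's post), the script below audits a host against the steps above: the DatabaseDirectory and LocalSocket directives in /etc/clamd.conf and /etc/freshclam.conf, the ownership and group-write bit on /var/spool/amavisd, and whether the three policy modules are loaded. The function names and the "--audit" switch are my own; the config used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the clamd / freshclam /
# amavisd settings described above. Paths, directive names and module names
# are the ones the post uses; the function names and --audit mode are mine.

# Print the value of a directive from a clamd-style config (first line whose
# first word is the directive), or nothing if the file lacks it.
conf_get() {            # $1 = config file, $2 = directive
    [ -r "$1" ] && awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Succeed when the directive is set to exactly the expected value.
conf_expect() {         # $1 = config file, $2 = directive, $3 = expected value
    [ "$(conf_get "$1" "$2")" = "$3" ]
}

# Succeed when the socket directory exists, is owned by amavis:amavis and is
# group-writable, as created by the chown/chmod steps in the post.
check_socket_dir() {    # $1 = directory
    [ -d "$1" ] || return 1
    set -- $(stat -c '%U %G %A' "$1")      # GNU stat: owner group mode-string
    [ "$1" = amavis ] && [ "$2" = amavis ] && [ "$(printf %s "$3" | cut -c6)" = w ]
}

# Succeed when a policy module of the given name appears in `semodule -l`.
module_loaded() {       # $1 = module name, e.g. clamav_rf
    semodule -l 2>/dev/null | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Run one check and print PASS/FAIL; track overall status in $rc.
report() { if "$@" 2>/dev/null; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }

# Audit the live host; return non-zero if any expectation failed.
audit_host() {
    rc=0
    report conf_expect /etc/clamd.conf DatabaseDirectory /var/lib/clamav
    report conf_expect /etc/clamd.conf LocalSocket /var/spool/amavisd/clamd.sock
    report conf_expect /etc/freshclam.conf DatabaseDirectory /var/lib/clamav
    report check_socket_dir /var/spool/amavisd
    for m in clamav_rf clamscan_rf amavis_rf; do report module_loaded "$m"; done
    return $rc
}

case "${1-}" in --audit) audit_host ;; esac
```

Run it as root with `sh audit.sh --audit`; a FAIL on a module_loaded line means the corresponding .te above has not been compiled and inserted with semodule.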
-jf