[users] clamav/clamd selinux problems
Bob Pierce
pierceb at westmancom.com
Wed Sep 26 22:38:07 CEST 2007
On 7/23/07, Jan-Frode Myklebust <janfrode at tanso.net> wrote:
> OK, some more data on what we needed to do to get amavisd-new clamav
> and postfix working together on RHEL5 with selinux in default targeted
> mode.
>
> - In /etc/clamd.conf, set DatabaseDirectory /var/lib/clamav
> - Move /var/clamav to /var/lib/clamav and make sure file context are
> correct by "restorecon /var/lib/clamav"
> - In /etc/clamd.conf, set LocalSocket /var/spool/amavisd/clamd.sock
> - Create the dir for this socket, writeable by group amavis (which
> includes user clamav):
> mkdir /var/spool/amavisd/ ; chown amavis:amavis /var/spool/amavisd/
> chmod g+w /var/spool/amavisd/ ; restorecon /var/spool/amavisd
>
Jan-Frode,
I followed your instructions this far, but where do I add/modify the mods you mention in the next section?
I am trying to get the clamd package from rpmforge to run on CentOS 5 with SELinux enabled.
If a more complete answer to this has already been given, please forgive me. I am new to the list and I spotted this in the archive.
Bob
> selinux mods for clamd:
> -----------------------------------------------------------------------------------
> module clamav_rf 1.0;
>
> require {
> class dir search;
> class file { getattr read };
> type clamd_t;
> type proc_t;
> type sysctl_kernel_t;
> role system_r;
> };
>
> # Read /proc/meminfo
> allow clamd_t proc_t:file {read getattr};
> # Read /proc/sys/kernel/ngroups_max:
> allow clamd_t sysctl_kernel_t:dir search;
> allow clamd_t sysctl_kernel_t:file read;
> -----------------------------------------------------------------------------------
>
> amavisd-new falls back to clamscan, which needs the following selinux module:
>
> -----------------------------------------------------------------------------------
> module clamscan_rf 1.0;
>
> require {
> class dir {search getattr read};
> class file {read getattr};
> type amavis_var_lib_t;
> type clamscan_t;
> type proc_t;
> role system_r;
> };
>
> # Read /proc/meminfo:
> allow clamscan_t proc_t:file {read getattr};
> # Read files under /var/amavis to scan them:
> allow clamscan_t amavis_var_lib_t:dir {search getattr read };
> allow clamscan_t amavis_var_lib_t:file {getattr read};
> -----------------------------------------------------------------------------------
>
> And finally a small module to let amavisd-new list /var/lib/ and bind
> to 10024/tcp:
> -----------------------------------------------------------------------------------
> module amavis_rf 1.0;
>
> require {
> class dir search;
> class netlink_route_socket {create bind getattr write nlmsg_read read};
> type amavis_t;
> type var_lib_t;
> role system_r;
> };
>
> # Silly, but amavisd wants this:
> allow amavis_t var_lib_t:dir search;
> # Bind to tcp socket:
> allow amavis_t self:netlink_route_socket {create bind getattr write nlmsg_read read};
> -----------------------------------------------------------------------------------
>
> And fix freshclam to use /var/lib/clamav instead of /var/clamav by
> specifying "DatabaseDirectory /var/lib/clamav" in /etc/freshclam.conf
> and "--datadir=/var/lib/clamav" in /etc/cron.*/freshclam.
>
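The question of "where do I add the mods" comes down to compiling each quoted `.te` block into a policy package and loading it with the standard SELinux toolchain. The script below is an added example, not from either poster; it assumes root on a RHEL5/CentOS 5 box with the checkpolicy and policycoreutils packages installed, and uses the clamd module quoted above as its sample input.

```shell
#!/bin/sh
# Added example (not from the original thread): compile and load one of the
# quoted .te modules with checkmodule -> semodule_package -> semodule.
set -eu

# Extract NAME from the "module NAME VERSION;" line of a .te file; it decides
# the names of the generated .mod and .pp files and what `semodule -l` shows.
te_module_name() {
    # $1 = path to a .te file
    awk '/^[[:space:]]*module[[:space:]]/ { print $2; exit }' "$1"
}

# Compile NAME.te -> NAME.mod -> NAME.pp and install it into the running policy.
# semodule stores the package under /etc/selinux/targeted/modules, so it
# survives reboots and policy reloads; remove later with `semodule -r NAME`.
build_and_load_te() {
    te="$1"
    name=$(te_module_name "$te")
    [ -n "$name" ] || { echo "no 'module NAME VERSION;' line in $te" >&2; return 1; }
    checkmodule -M -m -o "$name.mod" "$te"   # -M: MLS/MCS aware, -m: non-base module
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"                   # load into the active policy
    semodule -l | grep "^$name"              # confirm it is now listed
}

# Usage: write the clamd module quoted in the thread to a file and load it.
if [ "${1:-}" = "--run" ]; then
    cat > clamav_rf.te <<'EOF'
module clamav_rf 1.0;

require {
    class dir search;
    class file { getattr read };
    type clamd_t;
    type proc_t;
    type sysctl_kernel_t;
    role system_r;
};

allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
EOF
    build_and_load_te clamav_rf.te
fi
```

After loading, any remaining denials show up in /var/log/audit/audit.log and can be reviewed with `audit2allow -a` before deciding whether they belong in the module; run with `sh thisscript.sh --run`.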