On 7/2/07, Török Edvin <[EMAIL PROTECTED]> wrote:
> On 7/3/07, Ronald Cole <[EMAIL PROTECTED]> wrote:
> > I've poked and prodded an rpm specfile to put all the directories and files
> > where system-config-selinux says it expects them to be... and it mostly
> > works without complaint.
> >
> > However, selinux is still complaining about clamd trying to read() and
> > getattr() /proc/meminfo. I don't see it directly in the clamav source, so
> > I'm making an educated guess that some libc function is making the call.
>
> Do you get this warning when you run the binary in
> /usr/(local)/sbin/clamd, or when running clamd from your build
> directory?
> Running /usr/local/sbin/clamd with strace doesn't show references to
> /proc/meminfo, but running the shell script from the build dir does
> show /proc/meminfo being accessed.

clamd is installed in /usr/sbin where the clamav.pp file specification says it expects it to be.

# file /usr/sbin/clamd
/usr/sbin/clamd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

# ldd /usr/sbin/clamd
        linux-gate.so.1 =>  (0x00bab000)
        libclamav.so.2 => /usr/lib/libclamav.so.2 (0x0057f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x49677000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x49de1000)
        libc.so.6 => /lib/libc.so.6 (0x49c79000)
        libz.so.1 => /usr/lib/libz.so.1 (0x492d1000)
        libbz2.so.1 => /usr/lib/libbz2.so.1 (0x4b3a3000)
        libgmp.so.3 => /usr/lib/sse2/libgmp.so.3 (0x495fe000)
        /lib/ld-linux.so.2 (0x492aa000)

I now have selinux running in permissive mode and here's what's in the audit.log file:

# grep clamd_t /var/log/audit/audit.log
type=AVC msg=audit(1183416656.152:2882): avc: denied { read } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2882): arch=40000003 syscall=5 success=yes exit=11 a0=49d997d2 a1=0 a2=1b6 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1183416656.152:2883): avc: denied { getattr } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2883): arch=40000003 syscall=197 success=yes exit=0 a0=b a1=bfc6bc1c a2=49db1ff4 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)

> > So, before I tell selinux not to complain about clamd reading /proc/meminfo,
> > I thought I'd ask the list for their opinions on the subject.
> >
> > Oh, selinux also complains about freshclam talking to my squid proxy, but I
> > think that's a real bug in the policy file.
>
> #define talking
> Does it also refer to packets being transmitted via your proxy?

Leaving it running overnight in daemon-mode, I get three distinct audit.log entries:

1. freshclam tries to access db.us.clamav.net via squid on port 3128:

type=AVC msg=audit(1183481614.246:4976): avc: denied { name_connect } for pid=27010 comm="freshclam" dest=3128 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1183481614.246:4976): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfcd8950 a2=97fc4c0 a3=6 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)

2. freshclam tries to log to syslog because I enabled LogSyslog in freshclam.conf:

type=AVC msg=audit(1183503218.331:5672): avc: denied { sendto } for pid=27010 comm="freshclam" name="log" scontext=root:system_r:freshclam_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1183503218.331:5672): arch=40000003 syscall=102 success=yes exit=63 a0=9 a1=bfcdd39c a2=49db1ff4 a3=14 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)

3. freshclam tries to search for something in /var/lib... not sure what:

type=AVC msg=audit(1183503218.678:5673): avc: denied { search } for pid=27010 comm="freshclam" name="lib" dev=dm-5 ino=26804225 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1183503218.678:5673): arch=40000003 syscall=5 success=yes exit=5 a0=97fc214 a1=242 a2=1fc a3=97fc210 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)

To me, #1 is just an oversight on the part of whomever wrote the clamav policy file at Red Hat. I suppose I could just turn off LogSyslog to get rid of #2, but it was nice to get a little something extra out of logwatch with minimal effort on my part. I'm not exactly sure what #3 is referring to without spending some quality time with the code.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
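The audit records quoted in the post are exactly the input that audit2allow consumes, and it helps to see what that tool does before deciding which denials deserve an allow rule. The following is an added example, not code from the post or from the ClamAV project: it parses AVC "denied" records, pairs each with its SYSCALL record by audit serial number, merges the denied permissions per (source type, target type, object class), and renders the checkmodule-style type-enforcement source that audit2allow -M would emit, so the rules can be read before anyone compiles and loads them. The records in SAMPLE_AUDIT_LOG are the ones from the post (the two SYSCALL lines are abbreviated to the fields used here); the module name "local_clamav" is an assumption for illustration only.

```python
"""
Added example (not code from the mailing-list post or from ClamAV): parse
SELinux AVC denials of the kind quoted above and render the allow rules a
policy author would review before loading anything.
"""
import re
from collections import defaultdict

# Records taken from the post above; SYSCALL lines abbreviated to the fields used here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1183416656.152:2882): avc: denied { read } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2882): arch=40000003 syscall=5 success=yes exit=11 pid=26938 comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0
type=AVC msg=audit(1183416656.152:2883): avc: denied { getattr } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1183481614.246:4976): avc: denied { name_connect } for pid=27010 comm="freshclam" dest=3128 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1183481614.246:4976): arch=40000003 syscall=102 success=no exit=-115 pid=27010 comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0
type=AVC msg=audit(1183503218.331:5672): avc: denied { sendto } for pid=27010 comm="freshclam" name="log" scontext=root:system_r:freshclam_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1183503218.678:5673): avc: denied { search } for pid=27010 comm="freshclam" name="lib" dev=dm-5 ino=26804225 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
SYSCALL_RE = re.compile(r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(text):
    """Turn 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """user:role:type:level -> type, the component allow rules are written against."""
    return context.split(':')[2]


def parse_audit(text):
    """Return AVC denial records, each carrying its paired SYSCALL fields (or None)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = _fields(m.group('rest'))
            avcs.append({
                'serial': m.group('serial'),
                'perms': set(m.group('perms').split()),
                'comm': f.get('comm'),
                'stype': _type_of(f['scontext']),
                'ttype': _type_of(f['tcontext']),
                'tclass': f['tclass'],
                'target': f.get('name') or f.get('dest'),  # path component, or port for sockets
                'syscall': None,
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group('serial')] = _fields(m.group('rest'))
    for a in avcs:  # AVC and SYSCALL share the serial in msg=audit(ts:serial)
        a['syscall'] = syscalls.get(a['serial'])
    return avcs


def outcome(record):
    """(success, exit) from the paired SYSCALL record, or None when it was not logged.
    A 'denied' AVC whose syscall reports success=yes is the signature of permissive mode."""
    s = record['syscall']
    return (s['success'], s['exit']) if s else None


def allow_rules(records):
    """Merge denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return dict(rules)


def render_te(rules, module='local_clamav'):
    """Render rules as a checkmodule-style .te file (the layout audit2allow -M produces)."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    for cls, perms in sorted(classes.items()):
        plist = ' '.join(sorted(perms))
        out.append(f'\tclass {cls} {{ {plist} }};')
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        pstr = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {pstr};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(f"{r['comm']:<10} {r['stype']} -> {r['ttype']}:{r['tclass']} "
              f"{sorted(r['perms'])} target={r['target']} syscall={outcome(r)}")
    print(render_te(allow_rules(recs)))
```

Two things worth reading off the output rather than feeding it straight to checkmodule. First, the success flag only tells you about permissive mode when the syscall would otherwise have completed: the name_connect record pairs with success=no exit=-115, which is EINPROGRESS from a non-blocking connect() and says nothing about whether SELinux stopped it. Second, a raw allow is the bluntest fix; for the syslog case a policy author would normally call the reference-policy interface logging_send_syslog_msg(freshclam_t) in the .te file rather than allow freshclam_t to talk to syslogd_t directly. To load the rendered module the usual sequence is checkmodule -M -m -o local_clamav.mod local_clamav.te, then semodule_package -o local_clamav.pp -m local_clamav.mod, then semodule -i local_clamav.pp.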