On 7/2/07, Török Edvin <[EMAIL PROTECTED]> wrote:
>
> On 7/3/07, Ronald Cole <[EMAIL PROTECTED]> wrote:
> > I've poked and prodded an rpm specfile to put all the directories and files
> > where system-config-selinux says it expects them to be... and it mostly
> > works without complaint.
> >
> > However, selinux is still complaining about clamd trying to read() and
> > getattr() /proc/meminfo.  I don't see it directly in the clamav source, so
> > I'm making an educated guess that some libc function is making the call.
>
> Do you get this warning when you run the binary in
> /usr/(local)/sbin/clamd, or when running clamd from your build
> directory?
> Running /usr/local/sbin/clamd with strace doesn't show references to
> /proc/meminfo, but running the shell script from the build dir does
> show /proc/meminfo being accessed.


clamd is installed in /usr/sbin where the clamav.pp file specification says
it expects it to be.

# file /usr/sbin/clamd
/usr/sbin/clamd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
# ldd /usr/sbin/clamd
        linux-gate.so.1 =>  (0x00bab000)
        libclamav.so.2 => /usr/lib/libclamav.so.2 (0x0057f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x49677000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x49de1000)
        libc.so.6 => /lib/libc.so.6 (0x49c79000)
        libz.so.1 => /usr/lib/libz.so.1 (0x492d1000)
        libbz2.so.1 => /usr/lib/libbz2.so.1 (0x4b3a3000)
        libgmp.so.3 => /usr/lib/sse2/libgmp.so.3 (0x495fe000)
        /lib/ld-linux.so.2 (0x492aa000)

I now have selinux running in permissive mode and here's what's in the
audit.log file:

# grep clamd_t /var/log/audit/audit.log
type=AVC msg=audit(1183416656.152:2882): avc:  denied  { read } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2882): arch=40000003 syscall=5 success=yes exit=11 a0=49d997d2 a1=0 a2=1b6 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1183416656.152:2883): avc:  denied  { getattr } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2883): arch=40000003 syscall=197 success=yes exit=0 a0=b a1=bfc6bc1c a2=49db1ff4 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)

> > So, before I tell selinux not to complain about clamd reading /proc/meminfo,
> > I thought I'd ask the list for their opinions on the subject.
> >
> > Oh, selinux also complains about freshclam talking to my squid proxy, but I
> > think that's a real bug in the policy file.
> >
>
> #define talking
> Does it also refer to packets being transmitted via your proxy?


Leaving it running overnight in daemon-mode, I get three distinct
audit.log entries:

1.  freshclam tries to access db.us.clamav.net via squid on port 3128:

type=AVC msg=audit(1183481614.246:4976): avc:  denied  { name_connect } for pid=27010 comm="freshclam" dest=3128 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1183481614.246:4976): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfcd8950 a2=97fc4c0 a3=6 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)

2.  freshclam tries to log to syslog because I enabled LogSyslog in
freshclam.conf:

type=AVC msg=audit(1183503218.331:5672): avc:  denied  { sendto } for pid=27010 comm="freshclam" name="log" scontext=root:system_r:freshclam_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1183503218.331:5672): arch=40000003 syscall=102 success=yes exit=63 a0=9 a1=bfcdd39c a2=49db1ff4 a3=14 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)

3.  freshclam tries to search for something in /var/lib... not sure what:

type=AVC msg=audit(1183503218.678:5673): avc:  denied  { search } for pid=27010 comm="freshclam" name="lib" dev=dm-5 ino=26804225 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1183503218.678:5673): arch=40000003 syscall=5 success=yes exit=5 a0=97fc214 a1=242 a2=1fc a3=97fc210 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)

To me, #1 is just an oversight on the part of whoever wrote the clamav
policy file at Red Hat.
I suppose I could just turn off LogSyslog to get rid of #2, but it was nice
to get a little something extra out of logwatch with minimal effort on my
part.  I'm not exactly sure what #3 is referring to without spending some
quality time with the code.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
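The AVC records quoted in this thread are easier to triage once each `avc: denied` line is paired with the `SYSCALL` record that shares its audit serial (the number after the colon in `msg=audit(ts:serial)`), because the `success=` field of the SYSCALL record is what tells you whether the access actually went through (as it does in permissive mode) or was blocked. The following is an added example, not code from the thread or from the ClamAV or SELinux projects: a small Python parser in the spirit of `audit2why`/`audit2allow` that reads the records above (embedded verbatim as the sample input), pairs AVC with SYSCALL by serial, merges the denied permissions per (source type, target type, object class), and lists the serials whose syscall succeeded despite the denial. Function names (`parse_record`, `collect_denials`, `suggested_rules`, `permissive_hints`) and the output format are the example's own choices.

```python
"""Pair SELinux AVC denials with their SYSCALL records and summarise them.

Added example in the spirit of audit2why/audit2allow; not part of the
mailing-list thread it accompanies.  Function and variable names are the
example's own choices, not an existing tool's API.
"""
import re
from collections import defaultdict

# Records copied from the thread above, one record per line as audit.log
# writes them.
SAMPLE_LOG = """\
type=AVC msg=audit(1183416656.152:2882): avc:  denied  { read } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2882): arch=40000003 syscall=5 success=yes exit=11 a0=49d997d2 a1=0 a2=1b6 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1183416656.152:2883): avc:  denied  { getattr } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2883): arch=40000003 syscall=197 success=yes exit=0 a0=b a1=bfc6bc1c a2=49db1ff4 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1183481614.246:4976): avc:  denied  { name_connect } for pid=27010 comm="freshclam" dest=3128 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1183481614.246:4976): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfcd8950 a2=97fc4c0 a3=6 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)
type=AVC msg=audit(1183503218.331:5672): avc:  denied  { sendto } for pid=27010 comm="freshclam" name="log" scontext=root:system_r:freshclam_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1183503218.331:5672): arch=40000003 syscall=102 success=yes exit=63 a0=9 a1=bfcdd39c a2=49db1ff4 a3=14 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)
type=AVC msg=audit(1183503218.678:5673): avc:  denied  { search } for pid=27010 comm="freshclam" name="lib" dev=dm-5 ino=26804225 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1183503218.678:5673): arch=40000003 syscall=5 success=yes exit=5 a0=97fc214 a1=242 a2=1fc a3=97fc210 items=0 ppid=1 pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam" subj=root:system_r:freshclam_t:s0 key=(null)
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <rest>
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# avc:  denied  { perm perm ... } for <key=value fields>
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+')
# key=value pairs; values may be quoted ("clamd") or bare ((none), 3128)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log record into (type, serial, fields) or None."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {'ts': ts}
    if rtype == 'AVC':
        a = AVC_RE.search(rest)
        if not a:
            return None          # granted/other AVC forms are not denials
        fields['perms'] = a.group(1).split()
        rest = rest[a.end():]
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip('"')
    return rtype, int(serial), fields


def type_of(context):
    """Return the type component of user:role:type:level."""
    return context.split(':')[2]


def collect_denials(log_text):
    """Pair each AVC denial with the SYSCALL record of the same serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype] = fields
    denials = []
    for serial in sorted(events):
        avc = events[serial].get('AVC')
        if not avc:
            continue
        sc = events[serial].get('SYSCALL', {})
        denials.append({
            'serial': serial,
            'comm': avc.get('comm'),
            'perms': avc['perms'],
            'source': type_of(avc['scontext']),
            'target': type_of(avc['tcontext']),
            'tclass': avc['tclass'],
            # file-like objects carry name=, sockets carry dest= (a port)
            'object': avc.get('name') or avc.get('dest'),
            'syscall': sc.get('syscall'),
            'succeeded': sc.get('success') == 'yes',
        })
    return denials


def suggested_rules(denials):
    """Merge denied permissions per (source, target, class), the shape
    audit2allow prints; review each before putting it in a policy module."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def permissive_hints(denials):
    """Serials whose syscall returned success=yes despite the AVC denial:
    the access went through, which is what permissive mode looks like."""
    return [d['serial'] for d in denials if d['succeeded']]


if __name__ == '__main__':
    found = collect_denials(SAMPLE_LOG)
    for d in found:
        print('%s: %s denied %s on %s:%s (%s) syscall=%s success=%s' % (
            d['serial'], d['comm'], ','.join(d['perms']), d['target'],
            d['tclass'], d['object'], d['syscall'], d['succeeded']))
    print('\n'.join(suggested_rules(found)))
    print('succeeded despite denial:', permissive_hints(found))
```

Run as-is, the script prints one line per denial (five here), the four merged rules for the `clamd_t`/`proc_t` and three `freshclam_t` pairs, and the serials 2882, 2883, 5672 and 5673 as having succeeded, consistent with the poster's permissive-mode setup; only the squid `name_connect` attempt (4976) shows `success=no`. The merged rules are the triage output, not a recommendation: whether a given rule belongs in a local policy module, or whether the daemon's behaviour should change instead, is exactly the question the thread is asking.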