On 7/3/07, Ronald Cole <[EMAIL PROTECTED]> wrote:
>
> On 7/2/07, Török Edvin <[EMAIL PROTECTED]> wrote:
> >
> > On 7/3/07, Ronald Cole <[EMAIL PROTECTED]> wrote:
> > > I've poked and prodded an rpm specfile to put all the directories and
> > > files where system-config-selinux says it expects them to be... and it
> > > mostly works without complaint.
> > >
> > > However, selinux is still complaining about clamd trying to read() and
> > > getattr() /proc/meminfo. I don't see it directly in the clamav source,
> > > so I'm making an educated guess that some libc function is making the
> > > call.
> >
> > Do you get this warning when you run the binary in
> > /usr/(local)/sbin/clamd, or when running clamd from your build
> > directory?
> > Running /usr/local/sbin/clamd with strace doesn't show references to
> > /proc/meminfo, but running the shell script from the build dir does
> > show /proc/meminfo being accessed.
>
> clamd is installed in /usr/sbin where the clamav.pp file specification
> says it expects it to be.
>
> # file /usr/sbin/clamd
> /usr/sbin/clamd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
> for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux
> 2.6.9, stripped
> # ldd /usr/sbin/clamd
> linux-gate.so.1 => (0x00bab000)
> libclamav.so.2 => /usr/lib/libclamav.so.2 (0x0057f000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x49677000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x49de1000)
> libc.so.6 => /lib/libc.so.6 (0x49c79000)
> libz.so.1 => /usr/lib/libz.so.1 (0x492d1000)
> libbz2.so.1 => /usr/lib/libbz2.so.1 (0x4b3a3000)
> libgmp.so.3 => /usr/lib/sse2/libgmp.so.3 (0x495fe000)
> /lib/ld-linux.so.2 (0x492aa000)
>
> I now have selinux running in permissive mode and here's what's in the
> audit.log file:
>
> # grep clamd_t /var/log/audit/audit.log
> type=AVC msg=audit(1183416656.152:2882): avc: denied { read } for
> pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454
> scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0
> tclass=file
> type=SYSCALL msg=audit(1183416656.152:2882): arch=40000003 syscall=5
> success=yes exit=11 a0=49d997d2 a1=0 a2=1b6 a3=abb03c0 items=0 ppid=1
> pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46
> fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd"
> subj=root:system_r:clamd_t:s0 key=(null)
> type=AVC msg=audit(1183416656.152:2883): avc: denied { getattr } for
> pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454
> scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0
> tclass=file
> type=SYSCALL msg=audit(1183416656.152:2883): arch=40000003 syscall=197
> success=yes exit=0 a0=b a1=bfc6bc1c a2=49db1ff4 a3=abb03c0 items=0 ppid=1
> pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46
> fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd"
> subj=root:system_r:clamd_t:s0 key=(null)
>
> > > So, before I tell selinux not to complain about clamd reading
> > > /proc/meminfo, I thought I'd ask the list for their opinions on the
> > > subject.
> > >
> > > Oh, selinux also complains about freshclam talking to my squid proxy,
> > > but I think that's a real bug in the policy file.
> >
> > #define talking
> > Does it also refer to packets being transmitted via your proxy?
>
> Leaving it running overnight in daemon-mode, I get three distinct
> audit.log entries:
>
> 1. freshclam tries to access db.us.clamav.net via squid on port 3128:
>
> type=AVC msg=audit(1183481614.246:4976): avc: denied { name_connect }
> for pid=27010 comm="freshclam" dest=3128
> scontext=root:system_r:freshclam_t:s0
> tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1183481614.246:4976): arch=40000003 syscall=102
> success=no exit=-115 a0=3 a1=bfcd8950 a2=97fc4c0 a3=6 items=0 ppid=1
> pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46
> fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam"
> subj=root:system_r:freshclam_t:s0 key=(null)
>
> 2. freshclam tries to log to syslog because I enabled LogSyslog in
> freshclam.conf:
>
> type=AVC msg=audit(1183503218.331:5672): avc: denied { sendto } for
> pid=27010 comm="freshclam" name="log" scontext=root:system_r:freshclam_t:s0
> tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
> type=SYSCALL msg=audit(1183503218.331:5672): arch=40000003 syscall=102
> success=yes exit=63 a0=9 a1=bfcdd39c a2=49db1ff4 a3=14 items=0 ppid=1
> pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46
> fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam"
> subj=root:system_r:freshclam_t:s0 key=(null)
>
> 3. freshclam tries to search for something in /var/lib... not sure what:
>
> type=AVC msg=audit(1183503218.678:5673): avc: denied { search } for
> pid=27010 comm="freshclam" name="lib" dev=dm-5 ino=26804225
> scontext=root:system_r:freshclam_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1183503218.678:5673): arch=40000003 syscall=5
> success=yes exit=5 a0=97fc214 a1=242 a2=1fc a3=97fc210 items=0 ppid=1
> pid=27010 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46
> fsgid=46 tty=(none) comm="freshclam" exe="/usr/bin/freshclam"
> subj=root:system_r:freshclam_t:s0 key=(null)
>
> To me, #1 is just an oversight on the part of whoever wrote the clamav
> policy file at Red Hat.
> I suppose I could just turn off LogSyslog to get rid of #2, but it was
> nice to get a little something extra out of logwatch with minimal effort on
> my part. I'm not exactly sure what #3 is referring to without spending some
> quality time with the code.
>

I just restarted freshclam and realized I forgot one. sealert says that
freshclam, in daemon mode, is trying to write to a tty:

type=AVC msg=audit(1183507108.724:5798): avc: denied { read write } for
pid=31892 comm="freshclam" name="2" dev=devpts ino=4
scontext=root:system_r:freshclam_t:s0 tcontext=root:object_r:devpts_t:s0
tclass=chr_file
type=SYSCALL msg=audit(1183507108.724:5798): arch=40000003 syscall=11
success=yes exit=0 a0=a00e6a0 a1=a00ec40 a2=a00eb98 a3=a00e610 items=0
ppid=31891 pid=31892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts2 comm="freshclam" exe="/usr/bin/freshclam"
subj=root:system_r:freshclam_t:s0 key=(null)

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
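The question the thread is circling ("should I just tell selinux not to complain?") is answered per source type / target type / object class, not per log line, so it helps to collapse a pile of AVC records into that form before deciding anything. The script below is an added example, written for this page and not code from the thread, from ClamAV or from the Red Hat policy: it parses `type=AVC ... avc: denied { perms } for ...` records, groups them by the (scontext type, tcontext type, tclass) triple, and renders each group as the `allow` rule audit2allow(1) would propose. The sample input is the thread's own AVC records joined back onto one line each (audit.log writes each record on a single line), plus one of the quoted SYSCALL records to show that non-AVC lines are skipped. audit2allow does this for real and also knows about booleans and dontaudit rules; the stand-alone version only makes the triples visible. Note the `success=yes` on the quoted SYSCALL records: with SELinux in permissive mode, as the poster has it, a denial is logged but the call still goes through, so one run produces the complete list of what the policy would block rather than stopping at the first failure.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread, joined back
# onto one line each, plus one SYSCALL record to show non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1183416656.152:2882): avc: denied { read } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1183416656.152:2882): arch=40000003 syscall=5 success=yes exit=11 a0=49d997d2 a1=0 a2=1b6 a3=abb03c0 items=0 ppid=1 pid=26938 auid=0 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=root:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1183416656.152:2883): avc: denied { getattr } for pid=26938 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1183481614.246:4976): avc: denied { name_connect } for pid=27010 comm="freshclam" dest=3128 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183503218.331:5672): avc: denied { sendto } for pid=27010 comm="freshclam" name="log" scontext=root:system_r:freshclam_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1183503218.678:5673): avc: denied { search } for pid=27010 comm="freshclam" name="lib" dev=dm-5 ino=26804225 scontext=root:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1183507108.724:5798): avc: denied { read write } for pid=31892 comm="freshclam" name="2" dev=devpts ino=4 scontext=root:system_r:freshclam_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
"""

# "avc: denied { perm1 perm2 } for key=value ..."; some kernels pad "denied"
# with two spaces on each side, so any run of spaces is accepted.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: +denied +\{ (?P<perms>[^}]*)\} +for +(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; policy rules are written against
    # the type, which is the third colon-separated field.
    return {
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("name") or fields.get("dest"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class) -> set of perms."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary as audit2allow-style allow rules, one per triple."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    # Prints five rules for the sample, one per distinct triple.
    for rule in to_allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run it against a real file with `summarize(open("/var/log/audit/audit.log").read())`. The output is a review list, not something to load blindly: the thread's own discussion shows why, since the `freshclam_t -> http_cache_port_t:tcp_socket name_connect` rule is arguably a gap in the shipped policy, while `freshclam_t -> devpts_t:chr_file { read write }` comes from a daemon inheriting a terminal and is usually better fixed by how the daemon is started than by widening the policy.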