Hi List.

Using CentOS 5, when clamd starts as part of the boot sequence, I get an audit 
log message:

type=AVC msg=audit(1213094476.199:1203): avc:  denied  { read } for  pid=10661 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

Clamd still starts.  I can either allow clamd_t to read proc_t, or I can get 
rid of the message with a "dontaudit" line in the policy:  allowing would give 
clamd read access to most of /proc; blocking would prevent clamd from finding 
out the server's memory.  Can anyone advise me of the implications of either 
approach?

Further details: started during boot or with the "service" command, clamd 
transitions to clamd_t.  Started manually using /usr/sbin/clamd, it stays in 
unconfined_t, and access to /proc/meminfo succeeds.

Checking with strace, the access to /proc/meminfo occurs just before the 
process creates its socket and forks.  Here is the trace when it fails:

send(4, "<182>Jun 10 13:04:24 clamd[11219"..., 61, MSG_NOSIGNAL) = 61
brk(0xc0f9000)                          = 0xc0f9000
open("/proc/meminfo", O_RDONLY)         = -1 EACCES (Permission denied)
socket(PF_FILE, SOCK_STREAM, 0)         = 5
bind(5, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0
time(NULL)                              = 1213099464

and here is one that succeeds:

send(4, "<182>Jun 10 13:37:25 clamd[11677"..., 61, MSG_NOSIGNAL) = 61
brk(0xc519000)                          = 0xc519000
open("/proc/meminfo", O_RDONLY)         = 5
fstat64(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f37000
read(5, "MemTotal:       255628 kB\nMemFre"..., 4096) = 771
close(5)                                = 0
munmap(0xb7f37000, 4096)                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
bind(5, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0
time(NULL)                              = 1213101445



Moray.
"To err is human.  To purr, feline"
http://members.aol.com/edgwddirk 

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
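
Added example, not part of the original post and not code from ClamAV or the SELinux policy: a small Python parser that reads the AVC record quoted in the message and builds the two type-enforcement rules the poster is choosing between. The function names are hypothetical; the record is the one from the post, joined onto one line.

```python
import re

# AVC record from the post, joined onto one line.
AVC = ('type=AVC msg=audit(1213094476.199:1203): avc:  denied  { read } for  '
       'pid=10661 comm="clamd" name="meminfo" dev=proc ino=-268435454 '
       'scontext=system_u:system_r:clamd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:proc_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    d['perms'] = m.group('perms').split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    for key, out in (('scontext', 'source_type'), ('tcontext', 'target_type')):
        parts = d.get(key, '').split(':')
        if len(parts) < 3:
            return None
        d[out] = parts[2]
    return d if 'tclass' in d and d['perms'] else None


def rule(keyword, d):
    """Build an 'allow' or 'dontaudit' rule for the parsed denial."""
    perms = d['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return '%s %s %s:%s %s;' % (keyword, d['source_type'], d['target_type'],
                                d['tclass'], perm_str)


def summarize(line):
    """Return both candidate rules plus the process and object named in the record."""
    d = parse_avc(line)
    if d is None:
        return None
    return {'process': d.get('comm'), 'object': d.get('name'),
            'allow': rule('allow', d), 'dontaudit': rule('dontaudit', d)}


if __name__ == '__main__':
    for key, value in summarize(AVC).items():
        print('%-10s %s' % (key, value))
```

Both rules are keyed on the target type proc_t, not on the file name meminfo, which is why the allow form covers every file carrying that label. The rule names only the permission in this one record, so other operations in the successful trace (such as the fstat64 call) may produce further denials once read is allowed.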