Moray Henderson (ICT) wrote:
> Hi List.
>
> Using CentOS 5, when clamd starts as part of the boot sequence, I get an
> audit log message
>
> type=AVC msg=audit(1213094476.199:1203): avc: denied { read } for
> pid=10661 comm="clamd" name="meminfo" dev=proc ino=-268435454
> scontext=system_u:system_r:clamd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:proc_t:s0 tclass=file
>
> Clamd still starts. I can either allow clamd_t to read proc_t, or I can get
> rid of the message with a "dontaudit" line in the policy: allowing would
> give clamd read access to most of /proc; blocking would prevent clamd from
> finding out the server's memory. Can anyone advise me of the implications of
> either approach?
>
> Further details: started during boot or with the "service" command, clamd
> transitions to clamd_t. Started manually using /usr/sbin/clamd, it stays in
> unconfined_t, and access to /proc/meminfo succeeds.
>
> Checking with strace, the access to /proc/meminfo occurs just before the
> process creates its socket and forks. Here is the trace when it fails:
>
> send(4, "<182>Jun 10 13:04:24 clamd[11219"..., 61, MSG_NOSIGNAL) = 61
> brk(0xc0f9000) = 0xc0f9000
> open("/proc/meminfo", O_RDONLY) = -1 EACCES (Permission denied)
> socket(PF_FILE, SOCK_STREAM, 0) = 5
> bind(5, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0
> time(NULL) = 1213099464

ClamAV doesn't need access to /proc/meminfo, glibc does.

Apparently qsort() reads /proc/meminfo, trying to determine if the temporary
storage needed for sorting can be allocated in physical memory. If it can't
determine how much memory is available it will always assume there is enough.

See:
http://repo.or.cz/w/glibc-cvs.git?a=blob;f=stdlib/msort.c;h=35cd4d03117e211b50e2068a9898da46e3cb6fd5;hb=HEAD

"/* We should avoid allocating too much memory since this might
    have to be backed up by swap space. */
 static long int phys_pages;
 static int pagesize;

 if (phys_pages == 0)
   {
     phys_pages = __sysconf (_SC_PHYS_PAGES);"

Best regards,
--Edwin
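
Added example (not part of the original thread, and not ClamAV or SELinux project code): a small Python parser for the AVC denial quoted above that derives the two policy rules the poster is choosing between. The function names are hypothetical; the output shows that either rule is keyed on the proc_t type and the file class, not on the name "meminfo".

```python
import re

# The denial quoted in the post, joined onto one line as auditd writes it.
AVC = ('type=AVC msg=audit(1213094476.199:1203): avc: denied { read } for '
       'pid=10661 comm="clamd" name="meminfo" dev=proc ino=-268435454 '
       'scontext=system_u:system_r:clamd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:proc_t:s0 tclass=file')

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Split one AVC denial into the fields a policy rule is built from."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial")
    # key=value pairs after "for"; values may be quoted.
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))
    fields = {k: v.strip('"') for k, v in pairs}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        # A context is user:role:type:level; the type is the third element.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def candidate_rules(denial):
    """Return the allow and dontaudit rules matching this denial.

    Both rules name only source type, target type, class and permission,
    so they apply to every file labelled with the target type.
    """
    perms = denial['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    body = '%s %s:%s %s;' % (denial['source_type'], denial['target_type'],
                             denial['tclass'], perm)
    return {'allow': 'allow ' + body, 'dontaudit': 'dontaudit ' + body}


if __name__ == '__main__':
    d = parse_avc(AVC)
    print('denied object name:', d['name'])
    for rule in candidate_rules(d).values():
        print(rule)
```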