[ZendTo] clamdscan selinux httpd error

John Cooper johnpcooper at yahoo.com
Mon Oct 10 12:07:01 BST 2011


I've created a local policy to fix all the SELinux errors, so I don't see 
any AVCs now; however, when I switch from permissive to enforcing I see 
this in /var/log/httpd/error_log:

sh: /usr/bin/clamdscan: Permission denied

I am using https, so I'm not sure when it is showing up in the error_log. 
ZendTo still works perfectly.

clam and apache are in /etc/group as subgroups of each other, though the 
permissions should allow apache to run /usr/bin/clamdscan anyway.

The original error I fixed was:

type=AVC msg=audit(1318242954.339:32): avc:  denied  { getattr } for  
pid=1773 comm="sh" path="/usr/bin/clamdscan" dev=dm-0 ino=176910 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file

and the local policy:

module testpol 1.1;

require {
         type clamscan_exec_t;
         type clamd_var_run_t;
         type httpd_sys_rw_content_t;
         type clamd_t;
         type httpd_t;
         type default_t;
         class sock_file write;
         class unix_stream_socket connectto;
         class dir { search getattr };
         class file { read getattr open };
}

#============= clamd_t ==============
allow clamd_t default_t:dir search;
allow clamd_t httpd_sys_rw_content_t:file { read getattr open };

#============= httpd_t ==============
allow httpd_t clamd_t:unix_stream_socket connectto;
allow httpd_t clamd_var_run_t:dir search;
allow httpd_t clamd_var_run_t:sock_file write;
allow httpd_t clamscan_exec_t:file { read getattr open };
allow httpd_t default_t:dir { search getattr };

I've looked at the booleans but can't see anything:

# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

This is driving me nuts! Any ideas?

Thanks, John.
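An added example, not code from the original post or from ZendTo: a small POSIX shell script that takes the local policy module posted above and an AVC denial, and reports which of the denied permissions the module does and does not grant. Run against the posted getattr denial it confirms the module covers it; run against a second denial, constructed here for the example, for the `execute` access that a shell needs on a file before it can run it (together with `execute_no_trans` when no domain transition is defined), it shows that no rule in the module grants that permission: the only `clamscan_exec_t` rule is `allow httpd_t clamscan_exec_t:file { read getattr open };`. The helper names `policy_allows`, `avc_type` and `avc_covered` are this example's own. A practitioner's caveat when a denial like this produces no AVC at all: a `dontaudit` rule in the base policy can suppress it, and `semodule -DB` rebuilds the policy with dontaudit rules disabled so that `ausearch -m avc -ts recent` then shows it.

```shell
#!/bin/sh
# Added example, not code from the original post or from ZendTo: check
# whether a local SELinux policy module (.te source) grants a given
# permission, then apply that check to the module posted above for both
# the audited getattr access and the execute access a shell needs in
# order to run /usr/bin/clamdscan.

# The module from the post, embedded verbatim so the script runs offline.
POLICY_TE='
module testpol 1.1;

require {
         type clamscan_exec_t;
         type clamd_var_run_t;
         type httpd_sys_rw_content_t;
         type clamd_t;
         type httpd_t;
         type default_t;
         class sock_file write;
         class unix_stream_socket connectto;
         class dir { search getattr };
         class file { read getattr open };
}

allow clamd_t default_t:dir search;
allow clamd_t httpd_sys_rw_content_t:file { read getattr open };
allow httpd_t clamd_t:unix_stream_socket connectto;
allow httpd_t clamd_var_run_t:dir search;
allow httpd_t clamd_var_run_t:sock_file write;
allow httpd_t clamscan_exec_t:file { read getattr open };
allow httpd_t default_t:dir { search getattr };
'

# The AVC from the post, joined onto one line as auditd writes it.
AVC_GETATTR='type=AVC msg=audit(1318242954.339:32): avc:  denied  { getattr } for  pid=1773 comm="sh" path="/usr/bin/clamdscan" dev=dm-0 ino=176910 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file'

# Constructed for this example (not from the post): the denial that exec()
# of the binary from the httpd_t shell would produce if it were audited.
AVC_EXECUTE='type=AVC msg=audit(0.0:0): avc:  denied  { execute } for  pid=1773 comm="sh" path="/usr/bin/clamdscan" dev=dm-0 ino=176910 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file'

# policy_allows SRC_TYPE TGT_TYPE CLASS PERM
# Exit 0 if some "allow SRC TGT:CLASS ..." rule in POLICY_TE lists PERM,
# 1 otherwise.  Handles both the "perm;" and the "{ perm perm };" forms.
policy_allows() {
    src=$1 tgt=$2 cls=$3 perm=$4
    printf '%s\n' "$POLICY_TE" |
        sed -n "s/^[[:space:]]*allow[[:space:]]\{1,\}$src[[:space:]]\{1,\}$tgt:$cls[[:space:]]*//p" |
        tr -d '{};' |
        tr ' ' '\n' |
        grep -qx "$perm"
}

# avc_type AVC_LINE scontext|tcontext
# Print the type component (third field) of the named security context.
avc_type() {
    printf '%s' "$1" | sed -n "s/.*$2=[^:]*:[^:]*:\([^:]*\):.*/\1/p"
}

# avc_covered AVC_LINE
# For every permission named in the denial, check whether POLICY_TE grants
# it; print an "allow" line for each one that is missing.  Exit 0 only if
# the module already covers the whole denial.
avc_covered() {
    line=$1
    src=$(avc_type "$line" scontext)
    tgt=$(avc_type "$line" tcontext)
    cls=$(printf '%s' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    perms=$(printf '%s' "$line" | sed -n 's/.*denied[[:space:]]*[{] *\([^}]*\)[}].*/\1/p')
    rc=0
    for p in $perms; do
        if ! policy_allows "$src" "$tgt" "$cls" "$p"; then
            echo "missing: allow $src $tgt:$cls $p;"
            rc=1
        fi
    done
    return $rc
}

# Run the check against both denials.  On a live host the input lines
# would come from:  ausearch -m avc -ts recent
# (after  semodule -DB  if a dontaudit rule is suspected of hiding one).
for avc in "$AVC_GETATTR" "$AVC_EXECUTE"; do
    if avc_covered "$avc"; then
        echo "covered by testpol"
    fi
done
```

The first pass prints "covered by testpol" for the getattr denial; the second prints the missing rule for execute, which is the line one would then feed to audit2allow or add to the module by hand.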
