[ZendTo] Re: clamdscan selinux httpd error

Jules Jules at Zend.To
Tue Oct 11 09:18:34 BST 2011


That's usually caused by not adding the line to SELinux that allows 
clamd to read all the files under /var/zendto.

But SELinux is a bit of a mystery to me :-) so don't ask me how you tell 
it to do that! In Ubuntu it's easy, and in my docs, but on RedHat it's a 
different matter altogether!

Jules.

On 10/10/2011 12:07, John Cooper wrote:
> I've created a local policy to fix all the SELinux errors so I don't see
> any AVCs now, however when I switch from permissive to enforcing I see
> in the /var/log/httpd/error_log
>
> sh: /usr/bin/clamdscan: Permission denied
>
> I am using https so not sure when it is showing up in the error_log.
> Zendto still works perfectly.
>
> clam and apache are in /etc/group as subgroups of each other, though the
> permissions should allow apache to run /usr/bin/clamdscan anyway.
>
> The original error I fixed was
>
> type=AVC msg=audit(1318242954.339:32): avc:  denied  { getattr } for
> pid=1773 comm="sh" path="/usr/bin/clamdscan" dev=dm-0 ino=176910
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
>
> and the local policy
>
> module testpol 1.1;
>
> require {
>           type clamscan_exec_t;
>           type clamd_var_run_t;
>           type httpd_sys_rw_content_t;
>           type clamd_t;
>           type httpd_t;
>           type default_t;
>           class sock_file write;
>           class unix_stream_socket connectto;
>           class dir { search getattr };
>           class file { read getattr open };
> }
>
> #============= clamd_t ==============
> allow clamd_t default_t:dir search;
> allow clamd_t httpd_sys_rw_content_t:file { read getattr open };
>
> #============= httpd_t ==============
> allow httpd_t clamd_t:unix_stream_socket connectto;
> allow httpd_t clamd_var_run_t:dir search;
> allow httpd_t clamd_var_run_t:sock_file write;
> allow httpd_t clamscan_exec_t:file { read getattr open };
> allow httpd_t default_t:dir { search getattr };
>
> I've looked at the booleans but can't see anything
>
> # getsebool -a | grep http
> allow_httpd_anon_write -->  off
> allow_httpd_mod_auth_ntlm_winbind -->  off
> allow_httpd_mod_auth_pam -->  off
> allow_httpd_sys_script_anon_write -->  off
> httpd_builtin_scripting -->  on
> httpd_can_check_spam -->  off
> httpd_can_network_connect -->  off
> httpd_can_network_connect_cobbler -->  off
> httpd_can_network_connect_db -->  off
> httpd_can_network_memcache -->  off
> httpd_can_network_relay -->  off
> httpd_can_sendmail -->  on
> httpd_dbus_avahi -->  on
> httpd_enable_cgi -->  on
> httpd_enable_ftp_server -->  off
> httpd_enable_homedirs -->  off
> httpd_execmem -->  off
> httpd_read_user_content -->  off
> httpd_setrlimit -->  off
> httpd_ssi_exec -->  off
> httpd_tmp_exec -->  off
> httpd_tty_comm -->  on
> httpd_unified -->  on
> httpd_use_cifs -->  off
> httpd_use_gpg -->  off
> httpd_use_nfs -->  off
>
> This is driving me nuts! Any ideas?
>
> Thanks, John.
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A.E. Houseman
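Added example, not from the thread and not ZendTo's own code: a small POSIX sh/awk script that does by hand what the RHEL workflow does with `audit2allow` (turn AVC denial lines into `allow` rules), and then checks a policy module for the one permission that running a binary needs. In SELinux, executing a file requires the `execute` permission on that file's type (plus `execute_no_trans` to stay in the same domain, or a domain transition); the module posted above grants httpd_t only `read getattr open` on clamscan_exec_t, so the check reports that. Denials that would show this can be hidden by dontaudit rules, which `semodule -DB` temporarily disables. The sample AVC line and module text are constructed from the ones posted above; the `semanage fcontext` type for /var/zendto is an assumption taken from the types the posted module already references.

```shell
#!/bin/sh
# Added example (not ZendTo code, not from the thread): turn audit AVC
# denials into the allow rules audit2allow would emit, and check a local
# policy module for the execute permission a domain needs to run a binary.
# POSIX sh + awk only; runs offline on the constructed samples below.

# Constructed sample: the getattr denial from the thread, joined onto one
# line as it appears in /var/log/audit/audit.log.
AVC_GETATTR='type=AVC msg=audit(1318242954.339:32): avc:  denied  { getattr } for  pid=1773 comm="sh" path="/usr/bin/clamdscan" dev=dm-0 ino=176910 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file'

# Constructed sample: the httpd_t rules from the posted module that touch
# clamd; note the file rule carries no execute permission.
TESTPOL='allow httpd_t clamd_t:unix_stream_socket connectto;
allow httpd_t clamscan_exec_t:file { read getattr open };'

# avc_to_allow LINE: print "allow <src> <tgt>:<class> { perms };" for one
# AVC line (empty output if the line is not a denial). The source and
# target types are the third colon-separated field of each context.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
    {
        if (!match($0, /denied  *[{][^}]*[}]/)) next
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied  *[{] */, "", perms)
        sub(/ *[}]$/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# avcs_to_allow: read AVC lines on stdin, emit deduplicated allow rules
# (what "ausearch -m avc | audit2allow" gives you, minus the require block).
avcs_to_allow() {
    while IFS= read -r line; do
        avc_to_allow "$line"
    done | sort -u
}

# te_grants_exec TE_TEXT SRC TGT: succeed if TE_TEXT contains an allow rule
# granting SRC the execute permission on TGT:file.
te_grants_exec() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3" '
    $1 == "allow" && $2 == s && $3 == (t ":file") {
        for (i = 4; i <= NF; i++) {
            p = $i; gsub(/[{};]/, "", p)
            if (p == "execute") found = 1
        }
    }
    END { if (found) exit 0; exit 1 }'
}

echo "Rule audit2allow would generate for the posted denial:"
avc_to_allow "$AVC_GETATTR"
if te_grants_exec "$TESTPOL" httpd_t clamscan_exec_t; then
    echo "module grants httpd_t execute on clamscan_exec_t"
else
    echo "module does NOT grant httpd_t execute on clamscan_exec_t (only read/getattr/open)"
fi

# The same steps on RHEL/CentOS with the real tools (not run here):
#   ausearch -m avc -ts recent | audit2allow -M zendto_local  # writes zendto_local.te/.pp
#   semodule -i zendto_local.pp                               # load the module
#   semodule -DB   # rebuild with dontaudit rules disabled so hidden denials appear
#   semodule -B    # restore the normal policy afterwards
# Persistent relabel of /var/zendto (the type is an assumption; use the one
# your local module already references for the files clamd must read):
#   semanage fcontext -a -t httpd_sys_rw_content_t '/var/zendto(/.*)?'
#   restorecon -Rv /var/zendto
```

When the execute check fails, a denial for `{ execute }` or `{ execute_no_trans }` on clamscan_exec_t is what to look for in the audit log after `semodule -DB`; if it appears, feeding it through `avcs_to_allow` (or `audit2allow`) produces the missing rule.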
