[ZendTo] Re: clamdscan selinux httpd error
John Cooper
johnpcooper at yahoo.com
Tue Oct 11 09:48:15 BST 2011
As I found out later, the boolean
httpd_ssi_exec --> off
was off and it needs to be on. This was difficult to diagnose as no AVC
messages were shown, and it was only because I run OSSEC that it reported the
httpd error_log entry
sh: /usr/bin/clamdscan: Permission denied
OSSEC is a brilliant tool, I run it on all my production machines.
http://www.ossec.net/
John.
On 11/10/11 09:18, Jules wrote:
> That's usually caused by not adding the line to SELinux that allows
> clamd to read all the files under /var/zendto.
>
> But SELinux is a bit of a mystery to me :-) so don't ask me how you tell
> it to do that! In Ubuntu it's easy, and in my docs, but on RedHat it's a
> different matter altogether!
>
> Jules.
>
> On 10/10/2011 12:07, John Cooper wrote:
>> I've created a local policy to fix all the SELinux errors so I don't see
>> any AVCs now, however when I switch from permissive to enforcing I see
>> in the /var/log/httpd/error_log
>>
>> sh: /usr/bin/clamdscan: Permission denied
>>
>> I am using https so not sure when it is showing up in the error_log.
>> Zendto still works perfectly.
>>
>> clam and apache are in /etc/group as subgroups of each other, though the
>> permissions should allow apache to run /usr/bin/clamdscan anyway.
>>
>> The original error I fixed was
>>
>> type=AVC msg=audit(1318242954.339:32): avc: denied { getattr } for
>> pid=1773 comm="sh" path="/usr/bin/clamdscan" dev=dm-0 ino=176910
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
>>
>> and the local policy
>>
>> module testpol 1.1;
>>
>> require {
>> type clamscan_exec_t;
>> type clamd_var_run_t;
>> type httpd_sys_rw_content_t;
>> type clamd_t;
>> type httpd_t;
>> type default_t;
>> class sock_file write;
>> class unix_stream_socket connectto;
>> class dir { search getattr };
>> class file { read getattr open };
>> }
>>
>> #============= clamd_t ==============
>> allow clamd_t default_t:dir search;
>> allow clamd_t httpd_sys_rw_content_t:file { read getattr open };
>>
>> #============= httpd_t ==============
>> allow httpd_t clamd_t:unix_stream_socket connectto;
>> allow httpd_t clamd_var_run_t:dir search;
>> allow httpd_t clamd_var_run_t:sock_file write;
>> allow httpd_t clamscan_exec_t:file { read getattr open };
>> allow httpd_t default_t:dir { search getattr };
>>
>> I've looked at the booleans but can't see anything
>>
>> # getsebool -a | grep http
>> allow_httpd_anon_write --> off
>> allow_httpd_mod_auth_ntlm_winbind --> off
>> allow_httpd_mod_auth_pam --> off
>> allow_httpd_sys_script_anon_write --> off
>> httpd_builtin_scripting --> on
>> httpd_can_check_spam --> off
>> httpd_can_network_connect --> off
>> httpd_can_network_connect_cobbler --> off
>> httpd_can_network_connect_db --> off
>> httpd_can_network_memcache --> off
>> httpd_can_network_relay --> off
>> httpd_can_sendmail --> on
>> httpd_dbus_avahi --> on
>> httpd_enable_cgi --> on
>> httpd_enable_ftp_server --> off
>> httpd_enable_homedirs --> off
>> httpd_execmem --> off
>> httpd_read_user_content --> off
>> httpd_setrlimit --> off
>> httpd_ssi_exec --> off
>> httpd_tmp_exec --> off
>> httpd_tty_comm --> on
>> httpd_unified --> on
>> httpd_use_cifs --> off
>> httpd_use_gpg --> off
>> httpd_use_nfs --> off
>>
>> This is driving me nuts! Any ideas?
>>
>> Thanks, John.
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> Jules
>
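The pattern John ran into, a "Permission denied" in httpd's error_log with no matching AVC because the denial is covered by a dontaudit rule, can be triaged with a small script. This is an added example, not code from the thread or from ZendTo: the getsebool, error_log and audit excerpts are constructed to mirror the thread, and the helper names (bool_state, avc_count, triage, remediation) are my own.

```shell
#!/bin/sh
# Added example: detect a "silent" SELinux denial (error_log says Permission
# denied, audit log has no matching execute AVC) and print the usual next steps.
# All sample input below is constructed to resemble the thread's output.

SEBOOLS='httpd_enable_cgi --> on
httpd_ssi_exec --> off
httpd_tmp_exec --> off'

ERROR_LOG='[Tue Oct 11 09:00:01 2011] [error] sh: /usr/bin/clamdscan: Permission denied'

# Only the getattr denial was audited; the execute denial never appeared.
AUDIT_LOG='type=AVC msg=audit(1318242954.339:32): avc: denied { getattr } for pid=1773 comm="sh" path="/usr/bin/clamdscan" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file'

# bool_state NAME TEXT: print on/off for one boolean from getsebool-style text.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3 }'
}

# denied_exec_paths TEXT: paths that sh could not run according to error_log.
denied_exec_paths() {
    printf '%s\n' "$1" | sed -n 's/.*sh: \([^:]*\): Permission denied.*/\1/p'
}

# avc_count PERM PATH TEXT: number of AVC records denying PERM on PATH.
avc_count() {
    printf '%s\n' "$3" | grep -c "avc: *denied { $1 }.*path=\"$2\"" || true
}

# triage ERRLOG AUDITLOG: "ok" (nothing denied), "audited" (AVC present),
# or "silent" (execute denied in error_log but not audited -> dontaudit rule).
triage() {
    paths=$(denied_exec_paths "$1")
    if [ -z "$paths" ]; then echo ok; return 0; fi
    for p in $paths; do
        if [ "$(avc_count execute "$p" "$2")" -eq 0 ]; then echo silent; return 0; fi
    done
    echo audited
}

# remediation STATE: the commands a RHEL admin would run next.
remediation() {
    case "$1" in
        silent)  printf '%s\n' 'semodule -DB   # rebuild with dontaudit rules disabled' \
                    'ausearch -m avc -ts recent   # reproduce, then read the AVCs' \
                    'semodule -B    # restore dontaudit rules afterwards' \
                    'setsebool -P httpd_ssi_exec on   # the boolean from this thread' ;;
        audited) echo 'audit2allow -a -M local   # or enable the relevant boolean' ;;
        *)       echo 'nothing to do' ;;
    esac
}

state=$(triage "$ERROR_LOG" "$AUDIT_LOG")
echo "httpd_ssi_exec is $(bool_state httpd_ssi_exec "$SEBOOLS"); triage: $state"
remediation "$state"
```

On a real host, feed it `getsebool -a`, the live error_log and `ausearch -m avc` output instead of the constructed strings.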