Peter Lesterhuis wrote:
All the remaining audit messages are not SELinux-related.
Can you let me know if freshclam works OK in enforcing mode after doing
the "restorecon" above please (also look for any more AVC messages).
# ls -lZ /etc/freshclam.conf
-rw-r----- root root user_u:object_r:rpm_script_tmp_t /etc/freshclam.conf
# restorecon -v /etc/freshclam.conf
restorecon reset /etc/freshclam.conf context user_u:object_r:rpm_script_tmp_t->system_u:object_r:etc_t
I am using the clamav package from crash-hat:
There is a bug in the post-install script of the crash-hat clamav
package, which edits the freshclam.conf file to use a local database
mirror. It creates the new file in /tmp (resulting in the
rpm_script_tmp_t context type) and then moves it into place (which
doesn't change the context type), hence leaving the freshclam.conf file
with the wrong file context.
To fix this, it should do something like:
[ -x /sbin/restorecon ] && /sbin/restorecon %{_sysconfdir}/freshclam.conf* &> /dev/null
Doing this just after the place where it does:
chmod 0640 %{_sysconfdir}/freshclam.conf*
would seem sensible.
I suggest you report this issue to the repo maintainer.
Freshclam works all right.
There are no new AVC messages.
Good. I'll add the ability to read generic kernel sysctls (there's no
interface for not auditing them), which should shut up the ones you had
earlier.
Replace the myfreshclam.te with this one:
policy_module(myfreshclam, 0.1.2)
require {
type freshclam_t;
};
# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)
# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)
Re-run make and load the updated module:
# cd /root/selinux.local
# make
# semodule -i myfreshclam.pp
Paul.
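As an added illustration (this is not code from the thread or from the crash-hat clamav package), here is a %post-style shell helper that performs the kind of edit described above, pointing freshclam.conf at a local mirror, without leaving the file labelled rpm_script_tmp_t. It builds the new content in a temp file, copies it over the destination with cp (which rewrites the existing inode rather than renaming the /tmp inode into /etc, so the old label is not carried along the way it is with mv), sets the 0640 mode, and then runs the guarded restorecon exactly as suggested so the label matches policy regardless of how the file got there. The DatabaseMirror directive is a real freshclam option; the mirror hostname, the config paths and the function name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread or package.
# Rewrites the DatabaseMirror line of a freshclam.conf without
# leaving the file labelled with the %post script's tmp context.

# Report a file's SELinux label (prints "?" where SELinux is absent).
file_context() {
    stat -c %C "$1" 2>/dev/null || echo '?'
}

# update_freshclam_conf CONF MIRROR
# Point CONF at MIRROR, preserving every other line, with mode 0640
# and the policy's default label. Returns 0 on success, 1 on failure.
# MIRROR is trusted here (it comes from the package, not from a user).
update_freshclam_conf() {
    conf=$1
    mirror=$2
    tmp=$(mktemp) || return 1

    # Replace an existing DatabaseMirror line, or append one if absent.
    if grep -q '^DatabaseMirror' "$conf"; then
        sed "s|^DatabaseMirror.*|DatabaseMirror $mirror|" "$conf" > "$tmp"
    else
        { cat "$conf"; printf 'DatabaseMirror %s\n' "$mirror"; } > "$tmp"
    fi
    if [ $? -ne 0 ]; then rm -f "$tmp"; return 1; fi

    # cp, not mv: a rename keeps the temp file's inode and therefore its
    # rpm_script_tmp_t label; cp rewrites the target in place instead.
    if ! cp "$tmp" "$conf"; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"

    chmod 0640 "$conf" || return 1

    # Relabel to the policy default (etc_t under /etc) when the tool exists,
    # the same guarded call suggested for the package's %post script.
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$conf" >/dev/null 2>&1 || :
    fi
    return 0
}

# Usage (assumed mirror name): update_freshclam_conf /etc/freshclam.conf mirror.example.internal
```

On an SELinux host, `matchpathcon /etc/freshclam.conf` shows the label restorecon will apply, and `ls -lZ` before and after the call confirms that the file ends up as etc_t rather than rpm_script_tmp_t.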