Date: Tue, 10 Jun 2008 14:03:35 -0000
From: "Moray Henderson (ICT)"
Subject: [Clamav-users] SELinux blocks meminfo access
To:
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

Hi List.

Using CentOS 5, when clamd starts as part of the boot sequence, I get an audit log message:

    type=AVC msg=audit(1213094476.199:1203): avc: denied { read } for pid=10661 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

Clamd still starts. I can either allow clamd_t to read proc_t, or I can get rid of the message with a "dontaudit" line in the policy: allowing would give clamd read access to most of /proc; blocking would prevent clamd from finding out the server's memory. Can anyone advise me of the implications of either approach?

Further details: started during boot or with the "service" command, clamd transitions to clamd_t. Started manually using /usr/sbin/clamd, it stays in unconfined_t, and access to /proc/meminfo succeeds. Checking with strace, the access to /proc/meminfo occurs just before the process creates its socket and forks.

Here is the trace when it fails:

    send(4, "<182>Jun 10 13:04:24 clamd[11219"..., 61, MSG_NOSIGNAL) = 61
    brk(0xc0f9000) = 0xc0f9000
    open("/proc/meminfo", O_RDONLY) = -1 EACCES (Permission denied)
    socket(PF_FILE, SOCK_STREAM, 0) = 5
    bind(5, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0
    time(NULL) = 1213099464

and here is one that succeeds:

    send(4, "<182>Jun 10 13:37:25 clamd[11677"..., 61, MSG_NOSIGNAL) = 61
    brk(0xc519000) = 0xc519000
    open("/proc/meminfo", O_RDONLY) = 5
    fstat64(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f37000
    read(5, "MemTotal: 255628 kB\nMemFre"..., 4096) = 771
    close(5) = 0
    munmap(0xb7f37000, 4096) = 0
    socket(PF_FILE, SOCK_STREAM, 0) = 5
    bind(5, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0
    time(NULL) = 1213101445

Moray.

"To err is human. To purr, feline"
http://members.aol.com/edgwddirk
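As an added illustration, not part of Moray's message or of ClamAV or the CentOS policy, here is a small Python tool that parses an AVC denial like the one quoted above and renders the two choices being weighed, an "allow" rule or a "dontaudit" rule, as a local .te policy module; the module name local_clamd_meminfo is an assumed placeholder, and the parsing is a simplified stand-in for what audit2allow does rather than its code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the AVC denial quoted in the message above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1213094476.199:1203): avc: denied { read } for '
    'pid=10661 comm="clamd" name="meminfo" dev=proc ino=-268435454 '
    'scontext=system_u:system_r:clamd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass(frozen=True)
class Denial:
    perms: tuple       # permissions denied, e.g. ('read',)
    source_type: str   # type field of scontext, e.g. clamd_t
    target_type: str   # type field of tcontext, e.g. proc_t
    tclass: str        # object class, e.g. file

def parse_avc(line):
    """Return a Denial for one 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:mls range]; the TE rule only needs the type.
    return Denial(tuple(sorted(m['perms'].split())), m['scontext'].split(':')[2],
                  m['tcontext'].split(':')[2], m['tclass'])

def te_rule(d, kind):
    """One TE statement: 'allow' grants the access, 'dontaudit' only silences the log."""
    if kind not in ('allow', 'dontaudit'):
        raise ValueError(f'unknown rule kind {kind!r}')
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'{kind} {d.source_type} {d.target_type}:{d.tclass} {perms};'

def policy_module(name, denials, kind):
    """Render a local .te module (assumed name) covering every Denial with one rule kind."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    class_perms = defaultdict(set)
    for d in denials:
        class_perms[d.tclass].update(d.perms)
    body = [f'module {name} 1.0;', '', 'require {']
    body += [f'    type {t};' for t in types]
    body += [f'    class {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(class_perms.items())]
    body += ['}', ''] + [te_rule(d, kind) for d in denials]
    return '\n'.join(body) + '\n'
```

Compiling and loading the rendered module still happens on the host with the usual checkmodule, semodule_package and semodule steps; note that the "allow" variant grants read on every file labelled proc_t, which is exactly the breadth the message is asking about, while "dontaudit" leaves the denial in force and only stops it being logged.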