As I have done a touch /.autorelabel;reboot yesterday.
The next suggestion is below. Is it safe to do it? clamd\clamav is used to /home
Or do I click "ignore"?
***** Plugin catchall_labels (23.2 confidence) suggests ********************
If you want to allow clamd to have search access on the selinux directory
Then you need to change the label on /selinux
Do
# semanage fcontext -a -t FILE_TYPE '/selinux'
where FILE_TYPE is one of the following: sysctl_crypto_t, samba_var_t, amavis_var_lib_t, avahi_var_run_t, clamd_var_log_t, setrans_var_run_t, net_conf_t, clamd_var_lib_t, clamd_var_run_t, sysctl_t, sysctl_kernel_t, abrt_t, bin_t, nscd_var_run_t, nslcd_var_run_t, clamd_etc_t, lib_t, mnt_t, sssd_var_lib_t, root_t, tmp_t, usr_t, var_t, device_t, etc_t, clamd_tmp_t, amavis_spool_t, proc_t, sysfs_t, var_lib_t, exim_spool_t, textrel_shlib_t, sysctl_t, bin_t, cert_t, clamd_t, tmp_t, rpm_script_tmp_t, usr_t, var_t, winbind_var_run_t, security_t, device_t, devpts_t, locale_t, sssd_public_t, etc_t, proc_t, default_t, etc_mail_t, sosreport_tmp_t, fail2ban_var_lib_t, likewise_var_lib_t, rpm_tmp_t, var_run_t, krb5_conf_t, httpd_sys_content_t, rpm_log_t, var_log_t, var_spool_t, var_lib_t, var_run_t, abrt_var_run_t, var_t, var_log_t, nscd_var_run_t, pcscd_var_run_t, var_t, var_t, cgroup_t, var_run_t, var_run_t, root_t, sysfs_t, tmpfs_t.
Then execute:
restorecon -v '/selinux'
On Sun, 2011-06-19 at 10:13 +0100, Frank Murphy wrote:
> As I have done a touch /.autorelabel;reboot yesterday.
> The next suggestion is below. Is it safe to do it? clamd\clamav is used to /home
> Or do I click "ignore"?
ignore for now.
You have not enclosed the complete report so I cannot determine the issue. However it is very likely that the suggestion by setroubleshooter is not applicable here.
On 19/06/11 10:43, Dominick Grift wrote: <snip>
> ignore for now.
>
> You have not enclosed the complete report so I cannot determine the issue. However it is very likely that the suggestion by setroubleshooter is not applicable here.
Here's the full report:
SELinux is preventing /usr/sbin/clamd from search access on the directory /selinux.
***** Plugin file (36.8 confidence) suggests *******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall_labels (23.2 confidence) suggests ********************
If you want to allow clamd to have search access on the selinux directory
Then you need to change the label on /selinux
Do
# semanage fcontext -a -t FILE_TYPE '/selinux'
where FILE_TYPE is one of the following: sysctl_crypto_t, samba_var_t, amavis_var_lib_t, avahi_var_run_t, clamd_var_log_t, setrans_var_run_t, net_conf_t, clamd_var_lib_t, clamd_var_run_t, sysctl_t, sysctl_kernel_t, abrt_t, bin_t, nscd_var_run_t, nslcd_var_run_t, clamd_etc_t, lib_t, mnt_t, sssd_var_lib_t, root_t, tmp_t, usr_t, var_t, device_t, etc_t, clamd_tmp_t, amavis_spool_t, proc_t, sysfs_t, var_lib_t, exim_spool_t, textrel_shlib_t, sysctl_t, bin_t, cert_t, clamd_t, tmp_t, rpm_script_tmp_t, usr_t, var_t, winbind_var_run_t, security_t, device_t, devpts_t, locale_t, sssd_public_t, etc_t, proc_t, default_t, etc_mail_t, sosreport_tmp_t, fail2ban_var_lib_t, likewise_var_lib_t, rpm_tmp_t, var_run_t, krb5_conf_t, httpd_sys_content_t, rpm_log_t, var_log_t, var_spool_t, var_lib_t, var_run_t, abrt_var_run_t, var_t, var_log_t, nscd_var_run_t, pcscd_var_run_t, var_t, var_t, cgroup_t, var_run_t, var_run_t, root_t, sysfs_t, tmpfs_t.
Then execute:
restorecon -v '/selinux'
***** Plugin catchall (5.04 confidence) suggests ***************************
If you believe that clamd should be allowed search access on the selinux directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep clamd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:clamd_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                /selinux [ dir ]
Source                        clamd
Source Path                   /usr/sbin/clamd
Port                          <Unknown>
Host                          test08...................
Source RPM Packages           clamav-server-0.97.1-1600.fc16
Target RPM Packages           filesystem-2.4.42-1.fc16
Policy RPM                    selinux-policy-3.9.16-29.1.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     test08...................
Platform                      Linux test08............... 3.0-0.rc3.git5.1.fc16.x86_64 #1 SMP Fri Jun 17 16:21:59 UTC 2011 x86_64 x86_64
Alert Count                   13
First Seen                    Sat 18 Jun 2011 13:49:32 IST
Last Seen                     Mon 20 Jun 2011 10:43:22 IST
Local ID                      3220d418-bbfb-4955-a14c-8b7e99e55f91

Raw Audit Messages
type=AVC msg=audit(1308563002.180:97): avc: denied { search } for pid=1536 comm="clamd" name="selinux" dev=dm-3 ino=25 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

type=SYSCALL msg=audit(1308563002.180:97): arch=x86_64 syscall=open success=no exit=EACCES a0=309376440a a1=0 a2=1b6 a3=9 items=0 ppid=1 pid=1536 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)

Hash: clamd,clamd_t,file_t,dir,search

audit2allow

#============= clamd_t ==============
allow clamd_t file_t:dir search;

audit2allow -R

#============= clamd_t ==============
allow clamd_t file_t:dir search;
On Mon, 2011-06-20 at 10:52 +0100, Frank Murphy wrote:
> Raw Audit Messages
> type=AVC msg=audit(1308563002.180:97): avc: denied { search } for pid=1536 comm="clamd" name="selinux" dev=dm-3 ino=25 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1308563002.180:97): arch=x86_64 syscall=open success=no exit=EACCES a0=309376440a a1=0 a2=1b6 a3=9 items=0 ppid=1 pid=1536 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
Looks like somehow the /selinux directory is unlabelled. I have it currently labelled root_t here.
selinuxfs, the pseudo fs that was previously mounted on /selinux has moved to /sys/fs/selinux.
Programs should not be looking for selinuxfs in /selinux anymore and instead look in /sys/fs/selinux.
But besides that clamd does not need to be able to search it anyways. The reason that it does is because of libselinux and that can be ignored.
So in short: Fedora is aware of this issue. I believe you can for now safely ignore it (run restorecon -R -v /selinux so that it actually has a label). Heck, I will probably remove the selinux directory from my / pretty soon altogether.
dwalsh may know more about the current status of this issue, but as far as I am concerned it is not worth adding a rule for.
On 06/20/2011 05:52 AM, Frank Murphy wrote:
> On 19/06/11 10:43, Dominick Grift wrote:
> <snip>
>>
>> ignore for now.
>>
>> You have not enclosed the complete report so I cannot determine the
>> issue. However it is very likely that the suggestion by setroubleshooter
>> is not applicable here.
>
> Here's the full report:
>
> SELinux is preventing /usr/sbin/clamd from search access on the directory /selinux.
file_t means you have a mislabeled file system. Any app that loads libselinux will do a search on /selinux which is probably causing this problem. If you just run restorecon on /selinux it might solve the problem. But if you see other file_t files on your disk, then you need to relabel the system.
selinux@lists.fedoraproject.org
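
Added example (not part of the thread and not code from any SELinux tool): a small POSIX shell triage that applies the advice above to raw AVC records, treating a file_t target as a labeling problem for restorecon rather than something to allow with audit2allow. The function names are hypothetical; the first sample record is the AVC line from the report in this thread, the second is constructed.

```shell
#!/bin/sh
# Added example: decide between "relabel" and "review policy" for an AVC denial.
# Function names are hypothetical; they are not part of any SELinux tool.

# avc_field LINE KEY: print the value of " KEY=value" from one audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# context_type CONTEXT: print the type, the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc LINE: print one verdict for one audit record.
#   relabel <source_type> <name>         target is file_t, so the object is mislabeled
#   review  <source_type> <target_type>  target has a real type, so it is a policy question
#   skip                                 the record is not an AVC denial
triage_avc() {
    case "$1" in
        *"avc:"*"denied"*) ;;
        *) echo "skip"; return 0 ;;
    esac
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name | tr -d '"')
    if [ "$ttype" = "file_t" ]; then
        echo "relabel $stype $name"
    else
        echo "review $stype $ttype"
    fi
}

# AVC record copied from the report in this thread.
THREAD_AVC='type=AVC msg=audit(1308563002.180:97): avc: denied { search } for pid=1536 comm="clamd" name="selinux" dev=dm-3 ino=25 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'
# Constructed record: the same denial against a directory that has a real label.
CONSTRUCTED_AVC='type=AVC msg=audit(1308563002.180:98): avc: denied { search } for pid=1536 comm="clamd" name="log" dev=dm-3 ino=26 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir'

for rec in "$THREAD_AVC" "$CONSTRUCTED_AVC"; do
    triage_avc "$rec"
done
```

For a relabel verdict, the restorecon -R -v /selinux run suggested in the thread is the fix; on an SELinux-enabled host, GNU find's -context test (for example find / -xdev -context '*:file_t:*') lists any other file_t objects that would call for a full relabel.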