After cleaning up a bunch of selinux alerts, I update and wham, clamav/clamd/clamav-db make me assert contexts again to /var/clamav like...
chcon -t clamd_t clamav -R
which temporarily solves the problem but it would be better if it were policy and not file contexts. So I search and see for some reason, /var/clamav is ignored...
# grep clam /etc/selinux/targeted/contexts/files/file_contexts
/etc/clamav(/.*)? system_u:object_r:clamd_etc_t:s0
/var/run/clamd.* system_u:object_r:clamd_var_run_t:s0
/var/run/clamav.* system_u:object_r:clamd_var_run_t:s0
/var/lib/clamav(/.*)? system_u:object_r:clamd_var_lib_t:s0
/var/log/clamav(/.*)? system_u:object_r:clamd_var_log_t:s0
/var/run/amavis(d)?/clamd.pid -- system_u:object_r:clamd_var_run_t:s0
/var/log/clamav/freshclam.* -- system_u:object_r:freshclam_var_log_t:s0
/usr/sbin/clamd -- system_u:object_r:clamd_exec_t:s0
/usr/bin/clamscan -- system_u:object_r:clamscan_exec_t:s0
/usr/bin/clamdscan -- system_u:object_r:clamscan_exec_t:s0
/usr/bin/freshclam -- system_u:object_r:freshclam_exec_t:s0
/usr/share/clamav/clamd-gen -- system_u:object_r:bin_t:s0
/var/spool/amavisd/clamd.sock -s system_u:object_r:clamd_var_run_t:s0
/usr/share/clamav/freshclam-sleep -- system_u:object_r:bin_t:s0
Is there something I don't understand or does this need to be bugzilla'd? Upstream?
Craig
Craig White wrote:
After cleaning up a bunch of selinux alerts, I update and wham, clamav/clamd/clamav-db make me assert contexts again to /var/clamav like...
chcon -t clamd_t clamav -R
which temporarily solves the problem but it would be better if it were policy and not file contexts. So I search and see for some reason, /var/clamav is ignored...
Is there something I don't understand or does this need to be bugzilla'd? Upstream?
No, rpmforge. They package clamd to use /var/clamav and not /var/lib/clamav. There already have been discussions on their list in the last month/this month. See lists.rpmforge.net.
Ralph
On Sat, 2009-04-04 at 14:08 +0200, Ralph Angenendt wrote:
Craig White wrote:
After cleaning up a bunch of selinux alerts, I update and wham, clamav/clamd/clamav-db make me assert contexts again to /var/clamav like...
chcon -t clamd_t clamav -R
which temporarily solves the problem but it would be better if it were policy and not file contexts. So I search and see for some reason, /var/clamav is ignored...
Is there something I don't understand or does this need to be bugzilla'd? Upstream?
No, rpmforge. They package clamd to use /var/clamav and not /var/lib/clamav. There already have been discussions on their list in the last month/this month. See lists.rpmforge.net.
---- yeah, I'm even on that list too...
I was thinking that since /etc/selinux/.../file_contexts was part of the distribution, and it already contained all but one context for the various clam packages, that amendments to that file would come from upstream. ;-(
As for the rpmforge list, there was a request to use a modified spec file to generate rpm's for clamav for this very same problem but it isn't getting done.
I suppose if nothing else, someone who searches the CentOS list will have the appropriate command to clean it up each time a new clamav is released...
chcon -t clamd_t /var/clamav -R
Thanks
Craig
On Sat, 2009-04-04 at 06:00 -0700, Craig White wrote:
On Sat, 2009-04-04 at 14:08 +0200, Ralph Angenendt wrote:
Craig White wrote:
After cleaning up a bunch of selinux alerts, I update and wham, clamav/clamd/clamav-db make me assert contexts again to /var/clamav like...
chcon -t clamd_t clamav -R
which temporarily solves the problem but it would be better if it were policy and not file contexts. So I search and see for some reason, /var/clamav is ignored...
Is there something I don't understand or does this need to be bugzilla'd? Upstream?
No, rpmforge. They package clamd to use /var/clamav and not /var/lib/clamav. There already have been discussions on their list in the last month/this month. See lists.rpmforge.net.
yeah, I'm even on that list too...
I was thinking that since /etc/selinux/.../file_contexts was part of the distribution, and it already contained all but one context for the various clam packages, that amendments to that file would come from upstream. ;-(
As for the rpmforge list, there was a request to use a modified spec file to generate rpm's for clamav for this very same problem but it isn't getting done.
I suppose if nothing else, someone who searches the CentOS list will have the appropriate command to clean it up each time a new clamav is released...
chcon -t clamd_t /var/clamav -R
---- this might prove to be more durable through upgrades (time will tell).
semanage fcontext -a -t clamd_t "/var/clamav(/.*)?"
Craig
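An added example, not part of the thread: a small shell lookup over file_contexts-style rules that shows why a relabel reverts /var/clamav (no rule covers it) and how a local fcontext rule changes the result. The sample rules are a constructed subset of the grep output above; the helper name lookup_context, the sample file names, the "last matching rule wins" ordering, and the use of clamd_var_lib_t for the local rule (mirroring the /var/lib/clamav line) are assumptions of this sketch.

```shell
#!/bin/sh
# Constructed sample: a subset of the file_contexts lines quoted in the thread.
POLICY='/etc/clamav(/.*)? system_u:object_r:clamd_etc_t:s0
/var/run/clamd.* system_u:object_r:clamd_var_run_t:s0
/var/lib/clamav(/.*)? system_u:object_r:clamd_var_lib_t:s0
/var/log/clamav(/.*)? system_u:object_r:clamd_var_log_t:s0
/var/log/clamav/freshclam.* -- system_u:object_r:freshclam_var_log_t:s0
/usr/sbin/clamd -- system_u:object_r:clamd_exec_t:s0'

# Assumption: the local rule a durable fix would add, using the same type
# the distribution policy gives /var/lib/clamav.
PATCHED="$POLICY
/var/clamav(/.*)? system_u:object_r:clamd_var_lib_t:s0"

# lookup_context RULES PATH  (hypothetical helper)
# Prints the context of the last rule whose regex matches PATH in full,
# or "<<none>>" when no rule covers the path. Simplification: the optional
# file-type flag (--, -s) is parsed but not enforced, and rule order is
# taken as given instead of being sorted by specificity.
lookup_context() {
    rules=$1
    path=$2
    result='<<none>>'
    while read -r spec f2 f3; do
        [ -n "$spec" ] || continue
        ctx=${f3:-$f2}          # context is the last field on the line
        if printf '%s\n' "$path" | grep -Eq "^(${spec})\$"; then
            result=$ctx
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$result"
}

# Path the distribution policy expects: covered.
lookup_context "$POLICY" /var/lib/clamav/daily.cvd
# Path the rpmforge package uses: no rule, so a relabel drops any chcon.
lookup_context "$POLICY" /var/clamav/daily.cvd
# Same path once a local rule exists.
lookup_context "$PATCHED" /var/clamav/daily.cvd
```

On a real system, `matchpathcon /var/clamav` performs this lookup against the installed policy, and `restorecon -R -v /var/clamav` applies the result after a local rule has been added.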