[CentOS-docs] SELinux, Amavis, Clamav

Harald Oehlmann harald.oehlmann at elmicron.de
Tue Oct 2 04:19:28 EDT 2012

Regarding the brilliant wiki site:


I faced the following issue on CentOS 6.2:

"Spamassind" saves each message and its attached part in a folder in
clamd accesses the folder, creates itself a temporary folder and deletes
it afterwards. This was stopped by SELinux and caused the virus scan to

This action causes SE-Linux issues like (this is a saved message while
already in the process, the first would cause a "permission denied" on
the "parts" folder):

	Sep 30 15:47:10 rose amavis[14709]: (14709-08) (!)run_av
(ClamAV-clamscan) FAILED - unexpected exit 2,
output="/var/amavis/tmp/amavis-20120930T154701-14709/parts/p002: Can't
create temporary directory
ERROR\n/var/amavis/tmp/amavis-20120930T154701-14709/parts/p001: OK"

Here is an SE Linux failure message:

Sep 30 15:54:53 (null) (null): audit(1349013293.978:90934): avc: denied
{ remove_name } for pid=19832 comm=clamscan
name=clamav-9e9d055254e79e18d8f8592eeee57a53 ino=655768 dev=dm-0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir

I had found two web pointer with this issue, but no solutions:

Here is my solution, which is proposed to be inserted in Chapter 5: SELinux:

	* create file:
# ***HaO 2012-09-30: add rule to allow clamav to access amavis files
# and writes back ok file and may create temp folder
module clamscanamavis 1.0;
require {
        type clamscan_t;
        type amavis_var_lib_t;
        class file {getattr read open write create unlink};
        class dir {search read getattr open write add_name create
setattr remove_name rmdir};
allow clamscan_t amavis_var_lib_t:file {getattr read open write create
allow clamscan_t amavis_var_lib_t:dir {search read getattr open write
add_name create setattr remove_name rmdir};
	* checkmodule -M -m -o se_clamav_amavis.mod se_clamav_amavis.te
	* semodule_package -o se_clamav_amavis.pp -m se_clamav_amavis.mod
	* semodule -i se_clamav_amavis.pp

N.B. I am just migrating from SuSE to CentOS and this is my first
contact with SELinux. I have *no idea* if this is the appropriate
approach to solve the issue. I have found out this by trial and error
and not by the audit method (which sounds incredible complicated as the
whole SELinux).

N.B. I was not able to edit the wiki nor leave something like a
discussion comment, strange wiki...

Thank you,

More information about the CentOS-docs mailing list