[CentOS-docs] SELinux, Amavis, Clamav

Tue Oct 2 08:19:28 UTC 2012
Harald Oehlmann <harald.oehlmann at elmicron.de>

Regarding the brilliant wiki site:

http://wiki.centos.org/HowTos/Amavisd?highlight=%28Amavis%29

I faced the following issue on CentOS 6.2:

"Spamassind" saves each message and its attached part in a folder in
clamd accesses the folder, creates itself a temporary folder and deletes
it afterwards. This was stopped by SELinux and caused the virus scan to
fail.

This action causes SE-Linux issues like (this is a saved message while
already in the process, the first would cause a "permission denied" on
the "parts" folder):

	Sep 30 15:47:10 rose amavis[14709]: (14709-08) (!)run_av
(ClamAV-clamscan) FAILED - unexpected exit 2,
output="/var/amavis/tmp/amavis-20120930T154701-14709/parts/p002: Can't
create temporary directory
ERROR\n/var/amavis/tmp/amavis-20120930T154701-14709/parts/p001: OK"

Here is an SE Linux failure message:

Sep 30 15:54:53 (null) (null): audit(1349013293.978:90934): avc: denied
{ remove_name } for pid=19832 comm=clamscan
name=clamav-9e9d055254e79e18d8f8592eeee57a53 ino=655768 dev=dm-0
scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir

I had found two web pointer with this issue, but no solutions:

Here is my solution, which is proposed to be inserted in Chapter 5: SELinux:

	* create file:
--se_clamav_amavis.te--
# ***HaO 2012-09-30: add rule to allow clamav to access amavis files
# and writes back ok file and may create temp folder
module clamscanamavis 1.0;
require {
        type clamscan_t;
        type amavis_var_lib_t;
        class file {getattr read open write create unlink};
        class dir {search read getattr open write add_name create
setattr remove_name rmdir};
}
allow clamscan_t amavis_var_lib_t:file {getattr read open write create
unlink};
allow clamscan_t amavis_var_lib_t:dir {search read getattr open write
add_name create setattr remove_name rmdir};
-EOF-
	* checkmodule -M -m -o se_clamav_amavis.mod se_clamav_amavis.te
	* semodule_package -o se_clamav_amavis.pp -m se_clamav_amavis.mod
	* semodule -i se_clamav_amavis.pp

---
N.B. I am just migrating from SuSE to CentOS and this is my first
contact with SELinux. I have *no idea* if this is the appropriate
approach to solve the issue. I have found out this by trial and error
and not by the audit method (which sounds incredible complicated as the
whole SELinux).

---
N.B. I was not able to edit the wiki nor leave something like a
discussion comment, strange wiki...

Thank you,
Harald