[CentOS] How to build clamav SRPM and RPM with clamav tarball - CentOS 5

Daniel de Kok danieldk at pobox.com
Mon Jun 25 14:00:34 UTC 2007


On Mon, 2007-06-25 at 09:16 -0400, Jim Perrin wrote:
> Rebuilding the code won't solve the problem. You'll have to modify the
> selinux rules so that these actions are allowed. For Centos5 and rhel5
> this is pretty easy.
> 
> 1. Enable selinux in permissive mode, and capture the selinux error
> messages. They'll likely be in /var/log/audit/audit.log or
> /var/log/messages
> 2. Run audit2allow -i selinux.log -M localpolicy
> 3. Next you load the module you just created with 'semodule -i localpolicy.pp'
> 
> Lather, rinse, repeat.

Actually, I don't think this is a very good idea (I know it is suggested
in upstream documentation). For instance, suppose that clamav is tagged
as, say 'bin_t', and executing clamav was rejected. The above will
usually add an allow rule for executing bin_t binaries for the context of
the caller. This obviously punches a big hole in a policy if it does not
allow such a thing.

Make your own policy modules for local policy (you could create a start
with command (2)), but add and check rules and contexts manually.
audit2allow is a nice tool to see what was denied, but its output should
not be copied verbatim.

-- Daniel
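As an added illustration of that last point (not part of the original thread): a small POSIX shell script that turns constructed AVC denial lines, in the format written to /var/log/audit/audit.log, into candidate allow rules and flags the ones whose target is a generic type shared by many unrelated files, so each rule can be reviewed before it goes into a local module. The sample denials and the list of "broad" types are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of two AVC denials (hypothetical data, not captured from a real host).
AVC_SAMPLE='type=AVC msg=audit(1182780000.123:45): avc:  denied  { execute } for  pid=1234 comm="freshclam" name="clamd" dev=sda1 ino=5678 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1182780001.456:46): avc:  denied  { read } for  pid=1234 comm="clamd" name="freshclam.conf" dev=sda1 ino=91011 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:clamd_etc_t:s0 tclass=file'

# avc_to_rules: read AVC lines on stdin, print one candidate rule per denial
# in policy syntax: "allow SRC_TYPE TGT_TYPE:CLASS { perms };"
avc_to_rules() {
  awk '
    /avc: *denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# flag_broad_rules: read rules on stdin, print those whose target type is generic.
# Allowing e.g. execute on bin_t grants far more than the one file that was denied,
# which is exactly why audit2allow output should not be loaded unreviewed.
# The set of generic types below is an assumption for this example.
flag_broad_rules() {
  awk 'BEGIN { n = split("bin_t etc_t usr_t var_t tmp_t var_log_t", g, " ")
               for (i = 1; i <= n; i++) broad[g[i]] = 1 }
       { split($3, ref, ":"); if (ref[1] in broad) print "REVIEW: " $0 }'
}

rules=$(printf '%s\n' "$AVC_SAMPLE" | avc_to_rules)
printf '%s\n' "$rules"                      # the two candidate rules
printf '%s\n' "$rules" | flag_broad_rules   # only the bin_t rule is flagged
```

Rules that survive review can be placed in a .te file and built into a module with the usual checkmodule/semodule_package steps; the flagged ones usually call for relabeling the file to a more specific type instead.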