[CentOS] permission problems with amavis and Centos 6.3
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 28 18:15:52 UTC 2013
On 01/28/2013 11:29 AM, Robert Moskowitz wrote:
>
> On 01/24/2013 02:48 PM, Daniel J Walsh wrote:
>>
>> On 01/24/2013 01:15 PM, Robert Moskowitz wrote:
>>> Thank you for your suggestion, but it did not fix the permissions
>>> problem.
>>>
>>> On 01/24/2013 10:13 AM, Rob wrote:
>>>> usermod -a -G amavis clam
>>> How is this different from:
>>>
>>> gpasswd -a clam amavis
>>>
>>> And I am still getting the permissions error.
>>>
>>>> service clamd restart
>>>>
>>>> be happy
>>>>
>>>> On 24.01.2013, at 04:16, Robert Moskowitz <rgm at htt-consult.com>
>>>> wrote:
>>>>
>>>>> I am trying to follow:
>>>>>
>>>>> http://wiki.centos.org/HowTos/Amavisd
>>>>>
>>>>> Which seems to really be written for Centos 5, with just some
>>>>> selinux references for Centos 6. There are real problems here for
>>>>> Centos 6 with the userids section.
>>>>>
>>>>> It gives the following command and result:
>>>>>
>>>>> cat /etc/passwd | grep "amavis\|clamav"
>>>>> clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
>>>>> amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh
>>>>>
>>>>> But my Centos 6.3 has:
>>>>>
>>>>> clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin
>>>>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin
>>>>>
>>>>> Note the difference in userid clam instead of clamav. So this
>>>>> causes problems with the group recommendation:
>>>>>
>>>>> In addition, the clamav user should automatically have been added
>>>>> to the amavis group:
>>>>>
>>>>> # groups clamav
>>>>> clamav : clamav amavis
>>>>>
>>>>> If not, you can manually add clamav to the amavis group:
>>>>>
>>>>> gpasswd -a clamav amavis
>>>>>
>>>>>
>>>>> so I did:
>>>>>
>>>>> gpasswd -a clam amavis
>>>>>
>>>>>
>>>>> So far, it seems just changing what userid is now used by
>>>>> clamav...
>>>>>
>>>>> But in testing for spam I see the following in /var/log/maillog
>>>>>
>>>>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av
>>>>> (ClamAV-clamd) FAILED - unexpected ,
>>>>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts:
>>>>> lstat() failed: Permission denied. ERROR\n"
>>>>>
>>>>> I checked this directory tree and all along the tree the
>>>>> permissions are to amavis:amavis
>>>>>
>>>>> So where is my permission problem?
>>>>>
>>>>>
>> Can you attach the AVC messages from the audit log?
>>
>> ausearch -m avc -ts recent
>
> Back home and booted up test system (thus no questions about clamav
> state):
>
> ---- time->Mon Jan 28 11:18:26 2013 type=SYSCALL
> msg=audit(1359389906.446:25): arch=40000003 syscall=5 success=yes exit=3
> a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045
> auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489
> sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan"
> exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
> type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045
> comm="clamscan" name="parts" dev=dm-0 ino=2624185
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan
> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): arch=40000003
> syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8
> items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493
> suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295
> comm="clamscan" exe="/usr/bin/clamscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
> msg=audit(1359389906.490:26): avc: denied { create } for pid=3045
> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC
> msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045
> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC
> msg=audit(1359389906.490:26): avc: denied { write } for pid=3045
> comm="clamscan" name="tmp" dev=dm-0 ino=2624119
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan
> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27): arch=40000003
> syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0 a3=bfdb5d2c items=0
> ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493
> fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295
> comm="clamscan" exe="/usr/bin/clamscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
> msg=audit(1359389906.528:27): avc: denied { write } for pid=3045
> comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" dev=dm-0
> ino=2753728 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file type=AVC
> msg=audit(1359389906.528:27): avc: denied { create } for pid=3045
> comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91"
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file ---- time->Mon Jan
> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:28): arch=40000003
> syscall=15 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8
> items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493
> suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295
> comm="clamscan" exe="/usr/bin/clamscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
> msg=audit(1359389906.529:28): avc: denied { setattr } for pid=3045
> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0
> ino=2753586 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan
> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:29): arch=40000003
> syscall=40 success=no exit=-39 a0=92e64f8 a1=5106a4d2 a2=a36cd8 a3=92fee08
> items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493
> suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295
> comm="clamscan" exe="/usr/bin/clamscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
> msg=audit(1359389906.529:29): avc: denied { rmdir } for pid=3045
> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0
> ino=2753586 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC
> msg=audit(1359389906.529:29): avc: denied { remove_name } for pid=3045
> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0
> ino=2753586 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan
> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:30): arch=40000003
> syscall=10 success=yes exit=0 a0=92f1910 a1=5106a4d2 a2=a36cd8 a3=92fee08
> items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493
> suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295
> comm="clamscan" exe="/usr/bin/clamscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
> msg=audit(1359389906.529:30): avc: denied { unlink } for pid=3045
> comm="clamscan" name="clamav-fcdca25df759de4e1da6dab82a8439a5" dev=dm-0
> ino=2753729 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
>
> Hope this helps!
>
>
Try the policy on people.redhat.com/dwalsh/SELinux/RHEL6
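The AVC records quoted in this message all name the same source domain and target type. The Python below is an added example, not part of the original thread: it collapses mail-wrapped, ">"-quoted ausearch output into one line per source type, target type and object class, written in allow-rule syntax to show what the loaded policy does not grant. The function names and the abridged sample are this example's own.

```python
import re
from collections import defaultdict

# Abridged excerpt of the ausearch output quoted above, kept in its
# mail-wrapped, ">"-quoted form (the SYSCALL record is shortened).
SAMPLE = """\
> type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045
> comm="clamscan" name="parts" dev=dm-0 ino=2624185
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan
> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27): arch=40000003
> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
> msg=audit(1359389906.528:27): avc: denied { write } for pid=3045
> comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" dev=dm-0
> ino=2753728 scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file type=AVC
> msg=audit(1359389906.528:27): avc: denied { create } for pid=3045
> comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91"
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Undo mail quoting/wrapping, then group denied permissions by
    (source type, target type, object class)."""
    flat = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    denied = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(flat):
        key = (selinux_type(scon), selinux_type(tcon), tclass)
        denied[key].update(perms.split())
    return dict(denied)

def as_rules(denied):
    """Render the summary in allow-rule syntax, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denied.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```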