[CentOS] permission problems with avamis and Centos 6.3
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 28 19:46:49 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/28/2013 02:39 PM, Robert Moskowitz wrote:
>
> On 01/28/2013 01:15 PM, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 01/28/2013 11:29 AM, Robert Moskowitz wrote:
>>> On 01/24/2013 02:48 PM, Daniel J Walsh wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>
>>>> On 01/24/2013 01:15 PM, Robert Moskowitz wrote:
>>>>> Thank you for your suggestion, but it did not fix the permissions
>>>>> problem.
>>>>>
>>>>> On 01/24/2013 10:13 AM, Rob wrote:
>>>>>> usermod -a -G amavis clam
>>>>> How is this different from:
>>>>>
>>>>> gpasswd -a clam amavis
>>>>>
>>>>> And I am still getting the permissions error.
>>>>>
>>>>>> service clamd restart
>>>>>>
>>>>>> be happy
>>>>>>
>>>>>> On 24.01.2013, at 04:16, Robert Moskowitz <rgm at htt-consult.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I am trying to follow:
>>>>>>>
>>>>>>> http://wiki.centos.org/HowTos/Amavisd
>>>>>>>
>>>>>>> Which seems to really be written for Centos 5, with just some
>>>>>>> selinux references for Centos 6. There are real problems here
>>>>>>> for Centos 6 with the userids section.
>>>>>>>
>>>>>>> It gives the following command and result:
>>>>>>>
>>>>>>> cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam
>>>>>>> Anti Virus Checker:/var/clamav:/sbin/nologin
>>>>>>> amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh
>>>>>>>
>>>>>>> But my Centos 6.3 has:
>>>>>>>
>>>>>>> clam:x:494:490:Clam Anti Virus
>>>>>>> Checker:/var/lib/clamav:/sbin/nologin
>>>>>>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin
>>>>>>>
>>>>>>> Note the difference in userid clam instead of clamav. So this
>>>>>>> causes problems with the group recommendation:
>>>>>>>
>>>>>>> In addition, the clamav user should automatically have been
>>>>>>> added to the amavis group:
>>>>>>>
>>>>>>> # groups clamav clamav : clamav amavis
>>>>>>>
>>>>>>> If not, you can manually add clamav to the amavis group:
>>>>>>>
>>>>>>> gpasswd -a clamav amavis
>>>>>>>
>>>>>>>
>>>>>>> so I did:
>>>>>>>
>>>>>>> gpasswd -a clam amavis
>>>>>>>
>>>>>>>
>>>>>>> So far, it seems just changing what userid is now used by
>>>>>>> clamav...
>>>>>>>
>>>>>>> But in testing for spam I see the following in
>>>>>>> /var/log/maillog
>>>>>>>
>>>>>>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av
>>>>>>> (ClamAV-clamd) FAILED - unexpected ,
>>>>>>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts:
>>>>>>>
>>>>>>>
lstat() failed: Permission denied. ERROR\n"
>>>>>>>
>>>>>>> I checked this directory tree and all along the tree the
>>>>>>> permissions are to amavis:amavis
>>>>>>>
>>>>>>> So where is my permission problem?
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________ CentOS mailing
>>>>>>> list CentOS at centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>> _______________________________________________ CentOS mailing
>>>>>> list CentOS at centos.org
>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>>
>>>>> _______________________________________________ CentOS mailing
>>>>> list CentOS at centos.org
>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>
>>>> Can you attach the AVC messages from audit log.
>>>>
>>>> ausearch -m avc -ts recent
>>> Back home and booted up test system (thus no questions about clamav
>>> state):
>>>
>>> ---- time->Mon Jan 28 11:18:26 2013 type=SYSCALL
>>> msg=audit(1359389906.446:25): arch=40000003 syscall=5 success=yes
>>> exit=3 a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211
>>> pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493
>>> egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan"
>>> exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
>>> key=(null) type=AVC msg=audit(1359389906.446:25): avc: denied { read
>>> } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185
>>> scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon
>>> Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26):
>>> arch=40000003 syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8
>>> a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489
>>> euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none)
>>> ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan"
>>> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
>>> msg=audit(1359389906.490:26): avc: denied { create } for pid=3045
>>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
>>> scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC
>>> msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045
>>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
>>> scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC
>>> msg=audit(1359389906.490:26): avc: denied { write } for pid=3045
>>> comm="clamscan" name="tmp" dev=dm-0 ino=2624119
>>> scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon
>>> Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27):
>>> arch=40000003 syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0
>>> a3=bfdb5d2c items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489
>>> euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none)
>>> ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan"
>>> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
>>> msg=audit(1359389906.528:27): avc: denied { write } for pid=3045
>>> comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91"
>>> dev=dm-0 ino=2753728 scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file type=AVC
>>> msg=audit(1359389906.528:27): avc: denied { create } for pid=3045
>>> comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91"
>>> scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file ---- time->Mon
>>> Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:28):
>>> arch=40000003 syscall=15 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8
>>> a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489
>>> euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none)
>>> ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan"
>>> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
>>> msg=audit(1359389906.529:28): avc: denied { setattr } for pid=3045
>>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
>>> dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon
>>> Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:29):
>>> arch=40000003 syscall=40 success=no exit=-39 a0=92e64f8 a1=5106a4d2
>>> a2=a36cd8 a3=92fee08 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493
>>> gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489
>>> tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan"
>>> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
>>> msg=audit(1359389906.529:29): avc: denied { rmdir } for pid=3045
>>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
>>> dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC
>>> msg=audit(1359389906.529:29): avc: denied { remove_name } for
>>> pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
>>> dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon
>>> Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:30):
>>> arch=40000003 syscall=10 success=yes exit=0 a0=92f1910 a1=5106a4d2
>>> a2=a36cd8 a3=92fee08 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493
>>> gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489
>>> tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan"
>>> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC
>>> msg=audit(1359389906.529:30): avc: denied { unlink } for pid=3045
>>> comm="clamscan" name="clamav-fcdca25df759de4e1da6dab82a8439a5"
>>> dev=dm-0 ino=2753729 scontext=system_u:system_r:clamscan_t:s0
>>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
>>>
>>> Hope this helps!
>>>
>>>
>> Try policy on people.redhat.com/dwalsh/SELinux/RHEL6
>
> This is a little too cryptic for me. I went to this url and since my
> system is i386 architecture, I went to the i686 directory. There I find a
> number of RPMs and a number that start with policy. I assume I can add
> this to my yum.repo over whatever I normally get for Centos, but what do I
> install or update?
>
>
You want the selinux-policy packes from the noarch directory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlEG1akACgkQrlYvE4MpobNKRgCg12KRkQdjwugmCKai9zXPBKuZ
NmAAoMTwoGQjmun22cWZYfqWIz64Wo1V
=Xjr4
-----END PGP SIGNATURE-----
More information about the CentOS
mailing list