[CentOS] permission problems with amavis and Centos 6.3

Daniel J Walsh dwalsh at redhat.com
Mon Jan 28 19:46:49 UTC 2013


On 01/28/2013 02:39 PM, Robert Moskowitz wrote:
> 
> On 01/28/2013 01:15 PM, Daniel J Walsh wrote:
>> On 01/28/2013 11:29 AM, Robert Moskowitz wrote:
>>> On 01/24/2013 02:48 PM, Daniel J Walsh wrote:
>>>> On 01/24/2013 01:15 PM, Robert Moskowitz wrote:
>>>>> Thank you for your suggestion, but it did not fix the permissions 
>>>>> problem.
>>>>> 
>>>>> On 01/24/2013 10:13 AM, Rob wrote:
>>>>>> usermod -a -G amavis clam
>>>>> How is this different from:
>>>>> 
>>>>> gpasswd -a clam amavis
>>>>> 
>>>>> And I am still getting the permissions error.
>>>>> 
>>>>>> service clamd restart
>>>>>> 
>>>>>> be happy
>>>>>> 
>>>>>> On 24.01.2013, at 04:16, Robert Moskowitz <rgm at htt-consult.com> 
>>>>>> wrote:
>>>>>> 
>>>>>>> I am trying to follow:
>>>>>>> 
>>>>>>> http://wiki.centos.org/HowTos/Amavisd
>>>>>>> 
>>>>>>> Which seems to really be written for Centos 5, with just some 
>>>>>>> selinux references for Centos 6.  There are real problems here
>>>>>>> for Centos 6 with the userids section.
>>>>>>> 
>>>>>>> It gives the following command and result:
>>>>>>> 
>>>>>>> cat /etc/passwd | grep "amavis\|clamav"
>>>>>>> clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
>>>>>>> amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh
>>>>>>> 
>>>>>>> But my Centos 6.3 has:
>>>>>>> 
>>>>>>> clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin
>>>>>>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin
>>>>>>> 
>>>>>>> Note the difference in userid clam instead of clamav.  So this 
>>>>>>> causes problems with the group recommendation:
>>>>>>> 
>>>>>>> In addition, the clamav user should automatically have been
>>>>>>> added to the amavis group:
>>>>>>> 
>>>>>>> # groups clamav
>>>>>>> clamav : clamav amavis
>>>>>>> 
>>>>>>> If not, you can manually add clamav to the amavis group:
>>>>>>> 
>>>>>>> gpasswd -a clamav amavis
>>>>>>> 
>>>>>>> 
>>>>>>> so I did:
>>>>>>> 
>>>>>>> gpasswd -a clam amavis
>>>>>>> 
>>>>>>> 
>>>>>>> So far, it seems just changing what userid is now used by 
>>>>>>> clamav...
>>>>>>> 
>>>>>>> But in testing for spam I see the following in
>>>>>>> /var/log/maillog
>>>>>>> 
>>>>>>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av 
>>>>>>> (ClamAV-clamd) FAILED - unexpected , 
>>>>>>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts:
>>>>>>> lstat() failed: Permission denied. ERROR\n"
>>>>>>> 
>>>>>>> I checked this directory tree and all along the tree the 
>>>>>>> permissions are to amavis:amavis
>>>>>>> 
>>>>>>> So where is my permission problem?
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________ CentOS mailing 
>>>>>>> list CentOS at centos.org 
>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>> Can you attach the AVC messages from audit log.
>>>> 
>>>> ausearch -m avc -ts recent
>>> Back home and booted up test system (thus no questions about clamav 
>>> state):
>>> 
>>> ----
>>> time->Mon Jan 28 11:18:26 2013
>>> type=SYSCALL msg=audit(1359389906.446:25): arch=40000003 syscall=5 success=yes exit=3 a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
>>> type=AVC msg=audit(1359389906.446:25): avc:  denied  { read } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> ----
>>> time->Mon Jan 28 11:18:26 2013
>>> type=SYSCALL msg=audit(1359389906.490:26): arch=40000003 syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
>>> type=AVC msg=audit(1359389906.490:26): avc:  denied  { create } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> type=AVC msg=audit(1359389906.490:26): avc:  denied  { add_name } for  pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> type=AVC msg=audit(1359389906.490:26): avc:  denied  { write } for pid=3045 comm="clamscan" name="tmp" dev=dm-0 ino=2624119 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> ----
>>> time->Mon Jan 28 11:18:26 2013
>>> type=SYSCALL msg=audit(1359389906.528:27): arch=40000003 syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0 a3=bfdb5d2c items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
>>> type=AVC msg=audit(1359389906.528:27): avc:  denied  { write } for pid=3045 comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" dev=dm-0 ino=2753728 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
>>> type=AVC msg=audit(1359389906.528:27): avc:  denied  { create } for pid=3045 comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
>>> ----
>>> time->Mon Jan 28 11:18:26 2013
>>> type=SYSCALL msg=audit(1359389906.529:28): arch=40000003 syscall=15 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
>>> type=AVC msg=audit(1359389906.529:28): avc:  denied  { setattr } for  pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> ----
>>> time->Mon Jan 28 11:18:26 2013
>>> type=SYSCALL msg=audit(1359389906.529:29): arch=40000003 syscall=40 success=no exit=-39 a0=92e64f8 a1=5106a4d2 a2=a36cd8 a3=92fee08 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
>>> type=AVC msg=audit(1359389906.529:29): avc:  denied  { rmdir } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> type=AVC msg=audit(1359389906.529:29): avc:  denied  { remove_name } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>>> ----
>>> time->Mon Jan 28 11:18:26 2013
>>> type=SYSCALL msg=audit(1359389906.529:30): arch=40000003 syscall=10 success=yes exit=0 a0=92f1910 a1=5106a4d2 a2=a36cd8 a3=92fee08 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
>>> type=AVC msg=audit(1359389906.529:30): avc:  denied  { unlink } for pid=3045 comm="clamscan" name="clamav-fcdca25df759de4e1da6dab82a8439a5" dev=dm-0 ino=2753729 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
>>> 
>>> Hope this helps!
>>> 
>>> 
>> Try policy on people.redhat.com/dwalsh/SELinux/RHEL6
> 
> This is a little too cryptic for me.  I went to this url and since my
> system is i386 architecture, I went to the i686 directory.  There I find a
> number of RPMs and a number that start with policy.  I assume I can add
> this to my yum.repo over whatever I normally get for Centos, but what do I
> install or update?
> 
> 


You want the selinux-policy packages from the noarch directory.
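
Added example (not part of the original message, and not the output of any SELinux tool): a small Python parser that groups the AVC denials quoted in this thread by source domain, target type and object class, and reads the uid from the matching SYSCALL records. The sample is constructed from those records, rejoined one per line and trimmed; it shows that every denial is clamscan_t acting on amavis_spool_t while the process already runs as uid 493 (amavis in the /etc/passwd listing), so these denials come from SELinux type enforcement, not from file ownership or group membership.

```python
import re
from collections import defaultdict

# Constructed sample: records from the ausearch output quoted in the thread,
# rejoined one per line and trimmed to the fields parsed below.
SAMPLE = """\
type=SYSCALL msg=audit(1359389906.446:25): syscall=5 uid=493 gid=489 comm="clamscan"
type=AVC msg=audit(1359389906.446:25): avc:  denied  { read } for pid=3045 comm="clamscan" name="parts" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1359389906.490:26): syscall=39 uid=493 gid=489 comm="clamscan"
type=AVC msg=audit(1359389906.490:26): avc:  denied  { create } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.490:26): avc:  denied  { add_name } for  pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.490:26): avc:  denied  { write } for pid=3045 comm="clamscan" name="tmp" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1359389906.529:30): syscall=10 uid=493 gid=489 comm="clamscan"
type=AVC msg=audit(1359389906.529:30): avc:  denied  { unlink } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
"""

SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
AVC = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
UID = re.compile(r"\buid=(\d+)")  # \b skips auid/euid/suid/fsuid

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse(text):
    """Return (denials, uids): denied permissions grouped by
    (source type, target type, class), and uid per audit event serial."""
    denials, uids = defaultdict(set), {}
    for line in text.splitlines():
        serial = SERIAL.search(line)
        avc = AVC.search(line)
        if avc:
            perms, src, tgt, cls = avc.groups()
            denials[(se_type(src), se_type(tgt), cls)].update(perms.split())
        elif serial and line.startswith("type=SYSCALL"):
            uids[int(serial.group(1))] = int(UID.search(line).group(1))
    return {k: sorted(v) for k, v in denials.items()}, uids

if __name__ == "__main__":
    denials, uids = parse(SAMPLE)
    for (src, tgt, cls), perms in sorted(denials.items()):
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
    print("uids seen in SYSCALL records:", sorted(set(uids.values())))
```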


