Created attachment 377950
Patch for sec-policy/selinux-clamav to fix the issue

Starting clamd with SELinux enabled in enforcing mode throws the following error:

ERROR: LOCAL: Socket file /var/run/clamav/clamd.sock could not be bound: Permission denied
 * start-stop-daemon: failed to start `/usr/sbin/clamd'
 * Failed to start clamd                                                  [ !! ]
 * Starting freshclam ...

The following access is blocked by SELinux:

May 31 17:32:48 gentoo kernel: type=1400 audit(1401550368.590:156): avc: denied { search } for pid=3425 comm="freshclam" name="clamav" dev="tmpfs" ino=25651 scontext=system_u:system_r:freshclam_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir

This is caused by the wrong type of the /var/run/clamav directory:

# ls -aldZ /var/run/clamav/
drwxr-xr-x. 2 clamav clamav system_u:object_r:initrc_var_run_t 100 31. Mai 17:43 /var/run/clamav/

Running "restorecon -R /var/run/clamav" fixes the issue; a service restart will work after that till the system is started.

The correct way to fix that seems to be to use "init_daemon_run_dir" to tell init to set the correct domain type for the directory /var/run/clamav. The attached patch fixes the issue for me (applied via the epatch_user system).
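The denial above has a recognisable shape: a daemon domain is refused access to a directory under /var/run that still carries the generic initrc_var_run_t type, because the init script created it and nothing relabelled it. The following added example (not part of this bug report or of the selinux-clamav policy) parses AVC denial lines and flags that pattern; the first log line is the one quoted in the report, the second is a constructed benign denial for contrast.

```python
"""Parse SELinux AVC denials and flag the mislabelled-runtime-directory
pattern: a domain denied access to a dir typed initrc_var_run_t."""
import re

# Constructed sample log: line 1 is the denial from the report, line 2 is a
# made-up denial that must NOT match (the target already has a daemon type).
SAMPLE_LOG = """\
May 31 17:32:48 gentoo kernel: type=1400 audit(1401550368.590:156): avc: denied { search } for pid=3425 comm="freshclam" name="clamav" dev="tmpfs" ino=25651 scontext=system_u:system_r:freshclam_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
May 31 17:33:01 gentoo kernel: type=1400 audit(1401550381.100:157): avc: denied { write } for pid=3430 comm="clamd" name="clamd.sock" dev="tmpfs" ino=25660 scontext=system_u:system_r:clamd_t tcontext=system_u:object_r:clamd_var_run_t tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def is_mislabelled_run_dir(rec):
    """True when the denied object is a directory still typed initrc_var_run_t,
    i.e. the init script created it and no transition rule relabelled it."""
    return (rec is not None
            and rec.get("tclass") == "dir"
            and context_type(rec.get("tcontext", "::")) == "initrc_var_run_t")


def find_mislabelled_dirs(log_text):
    """Return (comm, dirname) pairs for every denial matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if is_mislabelled_run_dir(rec):
            hits.append((rec["comm"], rec["name"]))
    return hits


if __name__ == "__main__":
    for comm, name in find_mislabelled_dirs(SAMPLE_LOG):
        print(f"{comm}: /var/run/{name} is initrc_var_run_t; restorecon it "
              f"and give the policy an init_daemon_run_dir() rule")
```

A hit means restorecon is only a stopgap: the directory will be recreated with the wrong type on the next boot until the policy declares it via init_daemon_run_dir, as the report describes.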
Thanks. That's indeed the right fix for the problem. It is in the hardened-refpolicy repository and will be in rev 4.
r4 is in the tree
r5 is stable