Bug 511966 - sec-policy/selinux-clamav is preventing clamav from starting: directory /var/run/clamav has wrong domain type
Summary: sec-policy/selinux-clamav is preventing clamav from starting: directory /var/...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r4
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-31 15:58 UTC by Alexander Wetzel
Modified: 2014-08-22 17:51 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch for sec-policy/selinux-clamav to fix the issue (0002-clamav-rundir.patch,433 bytes, patch)
2014-05-31 15:58 UTC, Alexander Wetzel

Description Alexander Wetzel 2014-05-31 15:58:08 UTC
Created attachment 377950 [details, diff]
Patch for sec-policy/selinux-clamav to fix the issue

Starting clamd with SELinux in enforcing mode throws the following error:

ERROR: LOCAL: Socket file /var/run/clamav/clamd.sock could not be bound: Permission denied
 * start-stop-daemon: failed to start `/usr/sbin/clamd'
 * Failed to start clamd                                                                                                                                                     [ !! ]
 * Starting freshclam ...

The following access is blocked by SELinux:

May 31 17:32:48 gentoo kernel: type=1400 audit(1401550368.590:156): avc:  denied  { search } for  pid=3425 comm="freshclam" name="clamav" dev="tmpfs" ino=25651 scontext=system_u:system_r:freshclam_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir

This is caused by the wrong type on the /var/run/clamav directory:
# ls -aldZ /var/run/clamav/
drwxr-xr-x. 2 clamav clamav system_u:object_r:initrc_var_run_t 100 31. Mai 17:43 /var/run/clamav/

Running "restorecon -R /var/run/clamav" fixes the issue; a service restart will work after that till the system is started.

The correct way to fix that seems to be to use "init_daemon_run_dir" to tell init to set the correct domain type for the directory /var/run/clamav.

The attached patch fixes the issue for me (applied via the epatch_user system).
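What the init_daemon_run_dir() approach looks like in a reference-policy .te module, as an added illustration (this is not the content of attachment 377950 nor the policy shipped by sec-policy/selinux-clamav; the type name clamd_var_run_t and the module name are assumed). The root cause named in the report is that the directory is created at boot by init rather than by clamd, so it receives init's default pid-directory type, initrc_var_run_t, and clamd_t/freshclam_t are not allowed into it. The interface adds a named file transition so that a directory called "clamav" created by init (or an init script) under /var/run is labelled with the daemon's own type from the moment it is created, without needing a restorecon afterwards:

```m4
policy_module(clamav_rundir_example, 1.0)

########################################
#
# Added illustration of the reporter's proposed fix (assumed type name,
# not the bug's attached patch).
#

gen_require(`
	# assumed: the pid/socket directory type defined by the clamav module
	type clamd_var_run_t;
')

# Named file transition: when init_t or initrc_t creates a directory
# named "clamav" inside a var_run_t directory (/var/run), label the new
# directory clamd_var_run_t instead of the generic initrc_var_run_t.
# The interface also grants init the permissions it needs to manage
# that directory, so the init script's checkpath step keeps working.
init_daemon_run_dir(clamd_var_run_t, "clamav")
```

After building and loading a module like this, the check is the one the report already uses: reboot (not just a service restart, since the mislabelling happens when the directory is created at boot), then `ls -dZ /var/run/clamav` should show the daemon type rather than initrc_var_run_t, and `sesearch -T -s initrc_t -t var_run_t -c dir` should list the named transition for "clamav". That restorecon alone repaired the label in the report implies the file-context entry for /var/run/clamav was already correct; only the creation-time transition was missing.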
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-06-08 18:08:38 UTC
Thanks. That's indeed the right fix for the problem.

Is in the hardened-refpolicy repository, will be in rev 4.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-01 21:16:45 UTC
r4 is in the tree
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-22 17:51:43 UTC
r5 is stable