SELinux prevent connection clamd_port_t:tcp_socket

Question

We have API Server (tomcat) which has clamAV configuration to scan any uploaded file to the system.

clamAV configuration will require the API server to connect to clamAV server.

SELinux is enabled on both servers and whenever we try to upload files we get the following error/exception:

tomcat: java.net.socketexception permission denied (connect failed)

This error is related to SELinux, and here the audit log for this denial:

type=AVC msg=audit(1632293242.892:403): avc:  denied  { name_connect } for  pid=2663 comm="http-nio-8780-e" dest=3310 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_uSmiley Surprisedbject_r:clamd_port_t:s0 tclass=tcp_socket permissive=0

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

We solved this by creating SELinux custom policy using Audit2Allow command.

But, we need to know if there is any other way to solve this using SELinux Booleans or any label change we can apply.

Could you please advise ?

Thanks

score 0 · Answer 1 · answered Sep 22 '21 at 13:23

0

If there was another way then audit2why would have told you about it.

You can also try the sealert tool which will show recent SELinux denials and provide detailed information.

answered Sep 22 '21 at 13:23

Michael Hampton

244,070
43
506
972

audit2why told that: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. – MAAN SHARBAJI Sep 22 '21 at 15:03

SELinux prevent connection clamd_port_t:tcp_socket

1 Answers1