1

I've got a CentOS 7 box configured as a Squid proxy, with clamav and Squidclamav. Normally I would just disable SELINUX, but I am attempting to understand and setup allow rules properly. I've managed to create several to fix issues identified with squid however, one error related to sockets with clamd is causing problems.

type=AVC msg=audit(1436899859.808:9282): avc: denied { unlink } for pid=22802 comm="clamd" name="clamd.sock" dev="tmpfs" ino=729382 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

What module/allow rule do I need to fix this entry being reported in the audit.log?

James White
  • 674
  • 3
  • 18
  • 32
  • Have you read [the documentation](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Troubleshooting.html)? – Michael Hampton Jul 14 '15 at 19:01
  • Yes, I've been using audit2allow to build several custom policies. This is the one entry in my audit log that I cannot fix through any allow rule I generated – James White Jul 14 '15 at 19:03
  • This should already be allowed. But that socket appears to be mislabeled. Have you applied the relevant updates? (i.e. to `selinux-policy*` packages) If so, delete `/var/run/clamd.sock` manually and restart the computer. – Michael Hampton Jul 14 '15 at 19:05
  • According to yum all packages are up to date – James White Jul 14 '15 at 19:06
  • I don't have a sock at that locations instead I have /var/run/clamd.scan/clamd.sock, as I have a clamd@scan.service in systemd. – James White Jul 14 '15 at 19:10
  • Even those should be correctly labeled, but they aren't. Anything matching `/var/run/clamd.*` should be labeled `antivirus_var_run_t`. – Michael Hampton Jul 14 '15 at 19:14

1 Answers1

4

The clamd socket file /var/run/clamd.scan/clamd.sock has somehow gotten mislabeled. It has the type var_run_t, but it should be antivirus_var_run_t in current SELinux policy. Anything matching /var/run/clamd.* should be labeled antivirus_var_run_t.

This could be because the socket was created while an older version of the policy was installed, or a program or user could have manually mislabeled it.

Since you say the system is up to date, I would recommend relabeling the file (and, for that matter, the entire system, just to be sure), to correct any mislabeled files, and then restarting.

restorecon -r -v /
reboot
Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • Thanks, this appears to have fixed it! You are correct, I have did install clamd before applying the proper SELINUX rules for squid and such, so it looks like mislabelling is the issue here. – James White Jul 14 '15 at 19:18