Package: selinux-policy-refpolicy-targeted
Version: 0.0.20061018-2
Severity: normal

The current refpolicy doesn't allow clamd (in clamd_t) to search var_lib_t. This yields audit errors like this one when clamd starts:

  Dec 28 06:48:39 atlantic5 kernel: audit(1167317319.154:167): avc: denied { search } for pid=2818 comm="clamd" name="lib" dev=dm-3 ino=1245185 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

I think the issue is just that clamd needs to pass through /var/lib to reach /var/lib/clamav. The refpolicy has a line "files_search_var_lib(clamscan_t)" granting access to clamscan, but does not have a corresponding one for clamd.

Adding this allow to local policy seems to fix the problem:

  allow clamd_t var_lib_t:dir search;

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages selinux-policy-refpolicy-targeted depends on:
ii  libpam-modules   0.79-4   Pluggable Authentication Modules f
ii  libselinux1      1.32-3   SELinux shared libraries
ii  policycoreutils  1.32-1   SELinux core policy utilities
ii  python           2.4.4-2  An interactive high-level object-o

Versions of packages selinux-policy-refpolicy-targeted recommends:
ii  checkpolicy      1.32-1   SELinux policy compiler
pn  setools          <none>   (no description available)

-- debconf-show failed