Creating an SELINUX allow rule for sockets error with clamd

James White asked:

I’ve got a CentOS 7 box configured as a Squid proxy, with clamav and Squidclamav. Normally I would just disable SELINUX, but I am attempting to understand and set up allow rules properly. I’ve managed to create several to fix issues identified with squid; however, one error related to sockets with clamd is causing problems.

type=AVC msg=audit(1436899859.808:9282): avc: denied { unlink } for pid=22802 comm="clamd" name="clamd.sock" dev="tmpfs" ino=729382 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

What module/allow rule do I need to fix this entry being reported in the audit.log?

My answer:

The clamd socket file /var/run/clamd.scan/clamd.sock has somehow gotten mislabeled. It has the type var_run_t, but it should be antivirus_var_run_t in current SELinux policy. Anything matching /var/run/clamd.* should be labeled antivirus_var_run_t.

This could be because the socket was created while an older version of the policy was installed, or a program or user could have manually mislabeled it.

Since you say the system is up to date, I would recommend relabeling the file (and, for that matter, the entire system, just to be sure), to correct any mislabeled files, and then restarting.

restorecon -r -v /

View the full question and answer on Server Fault.
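
The triage reasoning in the answer (check the target label before writing an allow rule) can be sketched in code. This is an added example, not part of the original question or answer: it parses the AVC record from the question and compares the target type with the type expected for the path. The `EXPECTED` table, `parse_avc` and `triage` are hypothetical names, and the table holds only the rule stated in the answer; on a real host the expected type comes from the loaded policy.

```python
import re
import shlex

# Denial copied from the question above (quotes normalised to ASCII).
AVC = ('type=AVC msg=audit(1436899859.808:9282): avc: denied { unlink } for '
       'pid=22802 comm="clamd" name="clamd.sock" dev="tmpfs" ino=729382 '
       'scontext=system_u:system_r:antivirus_t:s0 '
       'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file')

# Assumption: one entry, taken from the answer's statement that anything
# matching /var/run/clamd.* should be labeled antivirus_var_run_t.
EXPECTED = [(re.compile(r"/var/run/clamd.*"), "antivirus_var_run_t")]


def parse_avc(line):
    """Split an AVC record into its permissions and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    # shlex strips the double quotes around values such as comm="clamd".
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(3)) if "=" in t)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def triage(line, path):
    """Decide whether a denial on `path` points at a mislabel or at policy.

    The AVC record carries only the file name, so the caller supplies the
    full path of the object that was denied.
    """
    actual = selinux_type(parse_avc(line)["tcontext"])
    for pattern, expected in EXPECTED:
        if pattern.fullmatch(path):
            if actual != expected:
                # Wrong label on the object: relabel, do not add an allow rule.
                return ("relabel", f"restorecon -v {path}", actual, expected)
            return ("policy", None, actual, expected)
    return ("unknown", None, actual, None)
```

For the record in the question and the path /var/run/clamd.scan/clamd.sock, `triage` reports a relabel, because the socket carries var_run_t where antivirus_var_run_t is expected.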

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.