Página inicial Explorar Ajuda
Registrar Entrar
AFS
/
infrastructure-notes
2
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: b96146e0b2
Branches Tags
infrastructure-...
/
SELinux Notes.md

SELinux Notes.md 2.8 KB
Histórico Raw

Random SELinux notes

Duane's clamd logfile mystery

I was trying to figure out why this error kept happening while testing salt states for ClamAV:

Mar 26 16:00:43 salt-master clamd: Fri Mar 26 16:00:43 2021 -> ^lchown to user 'root' failed on log file '/var/log/clamd.scan'.  Error was 'Permission denied'
Mar 26 16:00:43 salt-master clamd: Fri Mar 26 16:00:43 2021 -> !daemonize() failed: Permission denied

The message itself was being written into the clamd.scan file so ... weird. Of course, a getenforce 0 made the error stop, so we were clearly dealing with something selinux-y.

Check the fcontext

SELinux fcontext rules should specify the type assigned to files when they are created or when restorcon is run. This looks "right" on first inspection...

[root@jerry ~]# semanage fcontext -l | egrep /var/log/clam
/var/log/clamd.*                                   all files          system_u:object_r:antivirus_log_t:s0
/var/log/clamav.*                                  all files          system_u:object_r:antivirus_log_t:s0
/var/log/clamav/freshclam.*                        regular file       system_u:object_r:antivirus_log_t:s0

OK. So the file should be antivirus_log_t, but it's not:

[root@jerry ~]# ls -lZ /var/log/clamd.scan
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 /var/log/clamd.scan

Salt minion vs clamd

The var_log_t type is what the file gets when we make the file using a salt state before the ClamAV daemon starts up. If we remove the file and then systemctl start clamd@scan then the file gets the "right" antivirus_log_t type.

Unconfined processes vs confined processes

Turns out, clamd isn't DOING anything special. It's just making the file. The difference is how clamd gets started.

Clamd running under systemd, as seen by ps -Z:

system_u:system_r:antivirus_t:s0 29945 ?       Ssl    0:17 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Clamd running in the foreground started by me in the shell:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 28639 pts/7 Sl+   0:24 /usr/sbin/clamd --foreground

As a test:

[root@jerry ~]# rm -f /var/log/clamd.scan && touch /var/log/clamd.scan && ls -lZ /var/log/clamd.scan
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 /var/log/clamd.scan

OK, touch doesn't set the type on the file properly. Let's run touch under a more restricted SELinux scope:

[root@jerry ~]# setenforce 0
[root@jerry ~]# rm -rf /var/log/clamd.scan
[root@jerry ~]# runcon -c -u system_u -r system_r -t antivirus_t /bin/touch /var/log/clamd.scan
[root@jerry ~]# ls -Z /var/log/clamd.scan
-rw-r--r--. root root system_u:object_r:antivirus_log_t:s0 /var/log/clamd.scan

The setenforce is necessary because normally SELinux won't allow /bin/touch to transition into the antivirus_t type.